Elaborate how to configure additional domains for Bind
parent
9dae1a832b
commit
cc51f3731a
@ -5,6 +5,7 @@
|
|||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: bind9
|
name: bind9
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Configure Bind
|
- name: Configure Bind
|
||||||
register: bind
|
register: bind
|
||||||
copy:
|
copy:
|
||||||
@ -14,11 +15,24 @@
|
|||||||
# https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
|
# https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
|
||||||
# Do NOT modify manually
|
# Do NOT modify manually
|
||||||
|
|
||||||
include "/etc/bind/named.conf.options";
|
|
||||||
include "/etc/bind/named.conf.local";
|
include "/etc/bind/named.conf.local";
|
||||||
include "/etc/bind/readwrite.key";
|
include "/etc/bind/readwrite.key";
|
||||||
include "/etc/bind/readonly.key";
|
include "/etc/bind/readonly.key";
|
||||||
|
|
||||||
|
options {
|
||||||
|
directory "/var/cache/bind";
|
||||||
|
version "";
|
||||||
|
listen-on { any; };
|
||||||
|
listen-on-v6 { any; };
|
||||||
|
pid-file "/var/run/named/named.pid";
|
||||||
|
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
|
||||||
|
allow-recursion { none; };
|
||||||
|
recursion no;
|
||||||
|
check-names master ignore;
|
||||||
|
dnssec-validation no;
|
||||||
|
auth-nxdomain no;
|
||||||
|
};
|
||||||
|
|
||||||
# https://kb.isc.org/docs/aa-00723
|
# https://kb.isc.org/docs/aa-00723
|
||||||
|
|
||||||
acl allowed {
|
acl allowed {
|
||||||
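Review bot: The new global `options { ... };` block (the added lines from `options {` through `};`) sets no `allow-transfer` default, so any zone later added to the included `named.conf.local` without its own `allow-transfer` statement falls back to the BIND default, which on older releases is `any` and permits unauthenticated AXFR of the whole zone. Adding `allow-transfer { none; };` next to `allow-recursion { none; };` makes the existing per-zone `allow-transfer { !rejected; key readonly; key readwrite; };` lines the only way a transfer is granted, which matches how the secondaries are configured. `dnssec-validation no;` is inert on a server that already has `recursion no;`, so a short comment such as `# authoritative-only: no recursion, so validation never runs` would save the next reader from wondering whether it weakens anything. The `copy:` task that writes this file starts in the previous hunk, outside this one.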
@ -38,7 +52,6 @@
|
|||||||
file "/var/lib/bind/db.k-space.ee";
|
file "/var/lib/bind/db.k-space.ee";
|
||||||
allow-update { !rejected; key readwrite; };
|
allow-update { !rejected; key readwrite; };
|
||||||
allow-transfer { !rejected; key readonly; key readwrite; };
|
allow-transfer { !rejected; key readonly; key readwrite; };
|
||||||
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
|
|
||||||
};
|
};
|
||||||
|
|
||||||
zone "k6.ee" {
|
zone "k6.ee" {
|
||||||
@ -46,7 +59,6 @@
|
|||||||
file "/var/lib/bind/db.k6.ee";
|
file "/var/lib/bind/db.k6.ee";
|
||||||
allow-update { !rejected; key readwrite; };
|
allow-update { !rejected; key readwrite; };
|
||||||
allow-transfer { !rejected; key readonly; key readwrite; };
|
allow-transfer { !rejected; key readonly; key readwrite; };
|
||||||
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
|
|
||||||
};
|
};
|
||||||
|
|
||||||
zone "kspace.ee" {
|
zone "kspace.ee" {
|
||||||
@ -54,7 +66,6 @@
|
|||||||
file "/var/lib/bind/db.kspace.ee";
|
file "/var/lib/bind/db.kspace.ee";
|
||||||
allow-update { !rejected; key readwrite; };
|
allow-update { !rejected; key readwrite; };
|
||||||
allow-transfer { !rejected; key readonly; key readwrite; };
|
allow-transfer { !rejected; key readonly; key readwrite; };
|
||||||
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
|
|
||||||
};
|
};
|
||||||
- name: Check Bind config
|
- name: Check Bind config
|
||||||
ansible.builtin.shell: "named-checkconf"
|
ansible.builtin.shell: "named-checkconf"
|
||||||
|
@ -29,3 +29,75 @@ kubectl -n cert-manager create secret generic tsig-secret \
|
|||||||
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# Serving additional zones
|
||||||
|
|
||||||
|
## Bind primary configuration
|
||||||
|
|
||||||
|
To serve additional domains from this Bind setup add following
|
||||||
|
section to `named.conf.local` on primary `ns1.k-space.ee`:
|
||||||
|
|
||||||
|
```
|
||||||
|
key "foobar" {
|
||||||
|
algorithm hmac-sha512;
|
||||||
|
secret "...";
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "foobar.com" {
|
||||||
|
type master;
|
||||||
|
file "/var/lib/bind/db.foobar.com";
|
||||||
|
allow-update { !rejected; key foobar; };
|
||||||
|
allow-transfer { !rejected; key readonly; key foobar; };
|
||||||
|
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:
|
||||||
|
|
||||||
|
```
|
||||||
|
foobar.com IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
|
||||||
|
NS ns1.foobar.com.
|
||||||
|
NS ns2.foobar.com.
|
||||||
|
ns1.foobar.com. A 193.40.103.2
|
||||||
|
ns2.foobar.com. A 62.65.250.2
|
||||||
|
```
|
||||||
|
|
||||||
|
Reload Bind config:
|
||||||
|
|
||||||
|
```
|
||||||
|
named-checkconf
|
||||||
|
systemctl reload bind9
|
||||||
|
```
|
||||||
|
|
||||||
|
## Bind secondary config
|
||||||
|
|
||||||
|
Add section to `bind-secondary-config-local` under key `named.conf.local`:
|
||||||
|
|
||||||
|
```
|
||||||
|
zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
|
||||||
|
```
|
||||||
|
|
||||||
|
And restart secondaries:
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl rollout restart -n bind statefulset/bind-secondary
|
||||||
|
```
|
||||||
|
|
||||||
|
## Registrar config
|
||||||
|
|
||||||
|
At your DNS registrar point your glue records to:
|
||||||
|
|
||||||
|
```
|
||||||
|
foobar.com. NS ns1.foobar.com.
|
||||||
|
foobar.com. NS ns2.foobar.com.
|
||||||
|
ns1.foobar.com. A 193.40.103.2
|
||||||
|
ns2.foobar.com. A 62.65.250.2
|
||||||
|
```
|
||||||
|
|
||||||
|
## Updating DNS records
|
||||||
|
|
||||||
|
With the configured TSIG key `foobar` you can now:
|
||||||
|
|
||||||
|
* Obtain Let's Encrypt certificates with DNS challenge.
|
||||||
|
Inside Kubernetes use `cert-manager` with RFC2136 provider.
|
||||||
|
* Update DNS records.
|
||||||
|
Inside Kubernetes use `external-dns` with RFC2136 provider.
|
||||||
|
@ -1,10 +1,21 @@
|
|||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: bind-secondary-config-local
|
||||||
|
data:
|
||||||
|
named.conf.local: |
|
||||||
|
zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
|
||||||
|
zone "codemowers.eu" { type slave; masters { 172.20.0.2 key readonly; }; };
|
||||||
|
zone "codemowers.cloud" { type slave; masters { 172.20.0.2 key readonly; }; };
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: bind-secondary-config
|
name: bind-secondary-config
|
||||||
data:
|
data:
|
||||||
named.conf: |
|
named.conf: |
|
||||||
|
include "/etc/bind/named.conf.local";
|
||||||
include "/etc/bind/readonly.key";
|
include "/etc/bind/readonly.key";
|
||||||
options {
|
options {
|
||||||
recursion no;
|
recursion no;
|
||||||
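Review bot: The added `include "/etc/bind/named.conf.local";` in `named.conf` is unconditional, but the projected volume that supplies that file (the `bind-secondary-config-local` entry added in the `@ -60,6 +72,9 @@ spec:` hunk) is marked `optional: true`; if that ConfigMap is absent the pod starts with no `named.conf.local`, and named treats a missing include as a fatal configuration error, so the secondary would crash-loop instead of serving the base zones. Either drop `optional: true` so a missing ConfigMap surfaces as a clear mount error on the pod, or ship the new ConfigMap with the key always present (an empty `named.conf.local: ""` is enough when no local zones exist). A one-line comment above the include, `# named.conf.local comes from the bind-secondary-config-local ConfigMap and must exist`, would document the coupling between the two resources.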
@ -13,6 +24,7 @@ data:
|
|||||||
allow-notify { 172.20.0.2; };
|
allow-notify { 172.20.0.2; };
|
||||||
allow-transfer { none; };
|
allow-transfer { none; };
|
||||||
check-names slave ignore;
|
check-names slave ignore;
|
||||||
|
notify no;
|
||||||
};
|
};
|
||||||
zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
|
zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
|
||||||
zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
|
zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
|
||||||
@ -60,6 +72,9 @@ spec:
|
|||||||
sources:
|
sources:
|
||||||
- configMap:
|
- configMap:
|
||||||
name: bind-secondary-config
|
name: bind-secondary-config
|
||||||
|
- configMap:
|
||||||
|
name: bind-secondary-config-local
|
||||||
|
optional: true
|
||||||
- secret:
|
- secret:
|
||||||
name: bind-readonly-secret
|
name: bind-readonly-secret
|
||||||
- name: bind-data
|
- name: bind-data
|
||||||