1
0
forked from k-space/kube

Elaborate how to configure additional domains for Bind

This commit is contained in:
Lauri Võsandi 2023-08-20 09:35:26 +03:00
parent 9dae1a832b
commit cc51f3731a
3 changed files with 102 additions and 4 deletions

View File

@ -5,6 +5,7 @@
ansible.builtin.apt: ansible.builtin.apt:
name: bind9 name: bind9
state: present state: present
- name: Configure Bind - name: Configure Bind
register: bind register: bind
copy: copy:
@ -14,11 +15,24 @@
# https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
# Do NOT modify manually # Do NOT modify manually
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.local";
include "/etc/bind/readwrite.key"; include "/etc/bind/readwrite.key";
include "/etc/bind/readonly.key"; include "/etc/bind/readonly.key";
options {
directory "/var/cache/bind";
version "";
listen-on { any; };
listen-on-v6 { any; };
pid-file "/var/run/named/named.pid";
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
allow-recursion { none; };
recursion no;
check-names master ignore;
dnssec-validation no;
auth-nxdomain no;
};
# https://kb.isc.org/docs/aa-00723 # https://kb.isc.org/docs/aa-00723
acl allowed { acl allowed {
@ -38,7 +52,6 @@
file "/var/lib/bind/db.k-space.ee"; file "/var/lib/bind/db.k-space.ee";
allow-update { !rejected; key readwrite; }; allow-update { !rejected; key readwrite; };
allow-transfer { !rejected; key readonly; key readwrite; }; allow-transfer { !rejected; key readonly; key readwrite; };
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
}; };
zone "k6.ee" { zone "k6.ee" {
@ -46,7 +59,6 @@
file "/var/lib/bind/db.k6.ee"; file "/var/lib/bind/db.k6.ee";
allow-update { !rejected; key readwrite; }; allow-update { !rejected; key readwrite; };
allow-transfer { !rejected; key readonly; key readwrite; }; allow-transfer { !rejected; key readonly; key readwrite; };
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
}; };
zone "kspace.ee" { zone "kspace.ee" {
@ -54,7 +66,6 @@
file "/var/lib/bind/db.kspace.ee"; file "/var/lib/bind/db.kspace.ee";
allow-update { !rejected; key readwrite; }; allow-update { !rejected; key readwrite; };
allow-transfer { !rejected; key readonly; key readwrite; }; allow-transfer { !rejected; key readonly; key readwrite; };
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
}; };
- name: Check Bind config - name: Check Bind config
ansible.builtin.shell: "named-checkconf" ansible.builtin.shell: "named-checkconf"

View File

@ -29,3 +29,75 @@ kubectl -n cert-manager create secret generic tsig-secret \
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2) --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
``` ```
# Serving additional zones
## Bind primary configuration
To serve additional domains from this Bind setup add following
section to `named.conf.local` on primary `ns1.k-space.ee`:
```
key "foobar" {
algorithm hmac-sha512;
secret "...";
};
zone "foobar.com" {
type master;
file "/var/lib/bind/db.foobar.com";
allow-update { !rejected; key foobar; };
allow-transfer { !rejected; key readonly; key foobar; };
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
};
```
Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:
```
foobar.com IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
NS ns1.foobar.com.
NS ns2.foobar.com.
ns1.foobar.com. A 193.40.103.2
ns2.foobar.com. A 62.65.250.2
```
Reload Bind config:
```
named-checkconf
systemctl reload bind9
```
## Bind secondary config
Add section to `bind-secondary-config-local` under key `named.conf.local`:
```
zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
```
And restart secondaries:
```
kubectl rollout restart -n bind statefulset/bind-secondary
```
## Registrar config
At your DNS registrar point your glue records to:
```
foobar.com. NS ns1.foobar.com.
foobar.com. NS ns2.foobar.com.
ns1.foobar.com. A 193.40.103.2
ns2.foobar.com. A 62.65.250.2
```
## Updating DNS records
With the configured TSIG key `foobar` you can now:
* Obtain Let's Encrypt certificates with DNS challenge.
Inside Kubernetes use `cert-manager` with RFC2136 provider.
* Update DNS records.
Inside Kubernetes use `external-dns` with RFC2136 provider.

View File

@ -1,10 +1,21 @@
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata:
name: bind-secondary-config-local
data:
named.conf.local: |
zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
zone "codemowers.eu" { type slave; masters { 172.20.0.2 key readonly; }; };
zone "codemowers.cloud" { type slave; masters { 172.20.0.2 key readonly; }; };
---
apiVersion: v1
kind: ConfigMap
metadata: metadata:
name: bind-secondary-config name: bind-secondary-config
data: data:
named.conf: | named.conf: |
include "/etc/bind/named.conf.local";
include "/etc/bind/readonly.key"; include "/etc/bind/readonly.key";
options { options {
recursion no; recursion no;
@ -13,6 +24,7 @@ data:
allow-notify { 172.20.0.2; }; allow-notify { 172.20.0.2; };
allow-transfer { none; }; allow-transfer { none; };
check-names slave ignore; check-names slave ignore;
notify no;
}; };
zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
@ -60,6 +72,9 @@ spec:
sources: sources:
- configMap: - configMap:
name: bind-secondary-config name: bind-secondary-config
- configMap:
name: bind-secondary-config-local
optional: true
- secret: - secret:
name: bind-readonly-secret name: bind-readonly-secret
- name: bind-data - name: bind-data