2021-07-30 18:21:05 |
Boris Lukashev |
description |
Per https://kb.isc.org/docs/aa-00269, bind now requires an ACL of permitted requestors to recurse queries. In order for designate to work as a central resolver, it needs to be able to resolve queries via forwarders/root for zones it does not carry internally.
I attempted to implement this via the kolla-ansible standard config change process:
```
diff --git c/etc/kolla/config/designate-backend-bind9/named.conf w/etc/kolla/config/designate-backend-bind9/named.conf
new file mode 100644
index 000000000..a00593a70
--- /dev/null
+++ w/etc/kolla/config/designate-backend-bind9/named.conf
@@ -0,0 +1,9 @@
+acl "private" {
+ 10.0.0.0/8;
+ 192.168.0.0/16;
+ 172.16.0.0/21;
+};
+
+options {
+ allow-recursion { private; };
+};
```
but this isn't being interpolated to the configuration file - just ignored by `... reconfigure --tags designate-backend-bind9`
For now, I have manually added the ACL set and the allow-recursion option below `recursion yes;` and it works as expected on all 3 control nodes/bind containers. Pretty sure this requires some jinja templating and config option changes in the YAML consumed by the Ansible code. |
Per https://kb.isc.org/docs/aa-00269, bind now requires an ACL of permitted requestors to recurse queries. In order for designate to work as a central resolver, it needs to be able to resolve queries via forwarders/root for zones it does not carry internally.
I attempted to implement this via the kolla-ansible standard config change process:
```
diff --git c/etc/kolla/config/designate-backend-bind9/named.conf w/etc/kolla/config/designate-backend-bind9/named.conf
new file mode 100644
index 000000000..a00593a70
--- /dev/null
+++ w/etc/kolla/config/designate-backend-bind9/named.conf
@@ -0,0 +1,9 @@
+acl "private" {
+ 10.0.0.0/8;
+ 192.168.0.0/16;
+ 172.16.0.0/21;
+};
+
+options {
+ allow-recursion { private; };
+};
```
but this isn't being interpolated to the configuration file - just ignored by `... reconfigure --tags designate-backend-bind9`
For now, I have manually added the ACL set and the allow-recursion option below `recursion yes;` and it works as expected on all 3 control nodes/bind containers. Pretty sure this requires some jinja templating and config option changes in the YAML consumed by the Ansible code.
This is all Wallaby |
|
2021-07-30 18:22:43 |
Boris Lukashev |
description |
Per https://kb.isc.org/docs/aa-00269, bind now requires an ACL of permitted requestors to recurse queries. In order for designate to work as a central resolver, it needs to be able to resolve queries via forwarders/root for zones it does not carry internally.
I attempted to implement this via the kolla-ansible standard config change process:
```
diff --git c/etc/kolla/config/designate-backend-bind9/named.conf w/etc/kolla/config/designate-backend-bind9/named.conf
new file mode 100644
index 000000000..a00593a70
--- /dev/null
+++ w/etc/kolla/config/designate-backend-bind9/named.conf
@@ -0,0 +1,9 @@
+acl "private" {
+ 10.0.0.0/8;
+ 192.168.0.0/16;
+ 172.16.0.0/21;
+};
+
+options {
+ allow-recursion { private; };
+};
```
but this isn't being interpolated to the configuration file - just ignored by `... reconfigure --tags designate-backend-bind9`
For now, I have manually added the ACL set and the allow-recursion option below `recursion yes;` and it works as expected on all 3 control nodes/bind containers. Pretty sure this requires some jinja templating and config option changes in the YAML consumed by the Ansible code.
This is all Wallaby |
Per https://kb.isc.org/docs/aa-00269, bind now requires an ACL of permitted requestors to recurse queries. In order for designate to work as a central resolver, it needs to be able to resolve queries via forwarders/root for zones it does not carry internally.
I attempted to implement this via the kolla-ansible standard config change process:
```
diff --git c/etc/kolla/config/designate-backend-bind9/named.conf w/etc/kolla/config/designate-backend-bind9/named.conf
new file mode 100644
index 000000000..a00593a70
--- /dev/null
+++ w/etc/kolla/config/designate-backend-bind9/named.conf
@@ -0,0 +1,9 @@
+acl "private" {
+ 10.0.0.0/8;
+ 192.168.0.0/16;
+ 172.16.0.0/21;
+};
+
+options {
+ allow-recursion { private; };
+};
```
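Review bot: the `+options { allow-recursion { private; }; };` block at the end of the hunk would be a second options statement once combined with the one the role already renders (the block holding `recursion yes;` that the description refers to); named accepts exactly one options statement and rejects a redefinition, so even when the override is picked up, `allow-recursion { private; };` has to be merged into the existing block rather than appended as its own `options { ... };`. Two smaller points on the same hunk: `172.16.0.0/21` covers only 172.16.0.0 to 172.16.7.255, so if the whole RFC 1918 range is intended it should read `172.16.0.0/12` (or carry a comment saying the narrower range is deliberate), and since the file header places the override at `designate-backend-bind9/named.conf` it is worth confirming that this is the directory the role's config lookup actually searches, which would explain the file being ignored.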
but this isn't being interpolated to the configuration file - just ignored by `... reconfigure --tags designate-backend-bind9`
For now, I have manually added the ACL set and the allow-recursion option below `recursion yes;` and it works as expected on all 3 control nodes/bind containers.
Before the change it replied with `** server can't find google.com: REFUSED` to a lookup for google.com, now it says
```
Non-authoritative answer:
Name: google.com
Address: 142.250.80.46
Name: google.com
Address: 2607:f8b0:4006:80b::200e
```
Pretty sure this requires some jinja templating and config option changes in the YAML consumed by the Ansible code.
This is all Wallaby |
|
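The hand edit described in the report (an ACL of permitted client networks plus `allow-recursion` inside the existing `options` block) in scripted form, as an added illustration that is not kolla-ansible, designate or BIND code. `BASE_NAMED_CONF` is a constructed stand-in for what the role's template renders before any override, not the real template, and the function names are hypothetical. It shows the two things that matter for a safe result: the directive is spliced into the single options statement named allows rather than added as a second one, and any network that would turn named into an open resolver (`any`, `0.0.0.0/0`, `::/0`) or any malformed CIDR is rejected before rendering.

```python
"""Render a BIND recursion ACL from a list of client networks and merge
'allow-recursion' into an existing named.conf options block.

Hypothetical helper written for illustration; stdlib only.
"""
import ipaddress
import re

# Constructed stand-in for the named.conf body a template renders before
# overrides are applied (placeholder content, not the kolla-ansible template).
BASE_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on port 53 { any; };
};
"""

# The networks from the bug report's hand-added ACL.
PRIVATE_NETS = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/21"]

# Match forms that would allow recursion for every client on the Internet.
OPEN_RESOLVER_ENTRIES = {"any", "0.0.0.0/0", "::/0"}


def validate_acl_networks(nets):
    """Parse each entry as a strict CIDR network (host bits set -> ValueError)
    and refuse wildcard entries that would make named an open resolver."""
    parsed = []
    for net in nets:
        if net.strip().lower() in OPEN_RESOLVER_ENTRIES:
            raise ValueError(f"{net!r} would allow recursion from anywhere")
        parsed.append(ipaddress.ip_network(net, strict=True))
    return parsed


def render_acl(name, nets):
    """Emit the 'acl "<name>" { ...; };' statement for validated networks."""
    body = "\n".join(f"    {n.with_prefixlen};" for n in validate_acl_networks(nets))
    return f'acl "{name}" {{\n{body}\n}};\n'


def add_allow_recursion(named_conf, acl_name):
    """Insert 'allow-recursion { <acl>; };' into the existing options block.

    named accepts exactly one options statement, so appending a second
    'options { ... };' (as the proposed override did) would be rejected;
    instead the directive is spliced in right after the opening brace."""
    if "allow-recursion" in named_conf:
        raise ValueError("allow-recursion is already configured")
    match = re.search(r"^options\s*\{", named_conf, re.M)
    if match is None:
        raise ValueError("no options block found in named.conf")
    cut = match.end()
    return (named_conf[:cut]
            + f"\n    allow-recursion {{ {acl_name}; }};"
            + named_conf[cut:])


def render_named_conf(base, acl_name, nets):
    """Full fragment: the ACL must be defined before options references it."""
    return render_acl(acl_name, nets) + "\n" + add_allow_recursion(base, acl_name)


def count_options_blocks(conf):
    """Sanity check used before handing the file to named: must be exactly 1."""
    return len(re.findall(r"^options\s*\{", conf, re.M))


if __name__ == "__main__":
    rendered = render_named_conf(BASE_NAMED_CONF, "private", PRIVATE_NETS)
    print(rendered)
    print("options blocks:", count_options_blocks(rendered))
```

Running the module prints the merged fragment with one `options` block; validating the rendered file with `named-checkconf` before reloading is still the authoritative test, which this helper does not replace.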