From 0746dc187bb43d55f0f7bee1ec168aa0be5eb6be Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Wed, 28 Oct 2020 13:29:15 +1100
Subject: [PATCH] nameserver: Allow master server to notify via ipv6

Logs show that the nameservers are being notified via ipv6 and rejecting the request:

nsd[18851]: notify for acme.opendev.org. \
from 2001:4800:7819:104:be76:4eff:fe04:43d0 refused, no acl matches.

Modify the nsd ACL to allow the ipv6 of the master to trigger updates. This is important for the letsencrypt process, where we need the acme.opendev.org domain updated in a timely fashion so that TXT authentication works.

Change-Id: I785f9636dd05e15b8ffd211845f439be7e8344a3
---
 inventory/service/group_vars/dns.yaml | 3 ++-
 playbooks/roles/nameserver/README.rst | 8 ++++++--
 playbooks/roles/nameserver/templates/nsd.conf.j2 | 5 +++--
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/inventory/service/group_vars/dns.yaml b/inventory/service/group_vars/dns.yaml
index e331b5d7eb..8342e109a0 100644
--- a/inventory/service/group_vars/dns.yaml
+++ b/inventory/service/group_vars/dns.yaml
@@ -16,4 +16,5 @@ dns_zones:
 dns_notify:
 - 104.239.140.165
 - 162.253.55.16
-dns_master: 104.239.146.24
+dns_master_ipv4: 104.239.146.24
+dns_master_ipv6: 2001:4800:7819:104:be76:4eff:fe04:43d0
diff --git a/playbooks/roles/nameserver/README.rst b/playbooks/roles/nameserver/README.rst
index 353bfe6772..f26a76cf77 100644
--- a/playbooks/roles/nameserver/README.rst
+++ b/playbooks/roles/nameserver/README.rst
@@ -37,6 +37,10 @@ nameserver.
 located at ``zones/example_com/zone.db``, then the value here should be ``example.com/zones/example_com``.
-.. zuul:rolevar:: dns_master
+.. zuul:rolevar:: dns_master_ipv4
- The IP addresses of the master nameserver.
+ Required argument. The IPv4 addresses of the master nameserver.
+
+.. zuul:rolevar:: dns_master_ipv6
+
+ Required argument. The IPv6 addresses of the master nameserver.
diff --git a/playbooks/roles/nameserver/templates/nsd.conf.j2 b/playbooks/roles/nameserver/templates/nsd.conf.j2
index 29ddc54b49..5a56d0ef60 100644
--- a/playbooks/roles/nameserver/templates/nsd.conf.j2
+++ b/playbooks/roles/nameserver/templates/nsd.conf.j2
@@ -35,6 +35,7 @@ key:
 {% for zone in dns_zones %}
 zone:
 name: {{ zone.name }}
- allow-notify: {{ dns_master }} NOKEY
- request-xfr: AXFR {{ dns_master }} tsig
+ allow-notify: {{ dns_master_ipv4 }} NOKEY
+ allow-notify: {{ dns_master_ipv6 }} NOKEY
+ request-xfr: AXFR {{ dns_master_ipv4 }} tsig
 {% endfor %}
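Review bot: The new `request-xfr` line still names only `dns_master_ipv4`, so the master may now NOTIFY over IPv6 but the resulting transfer is only ever attempted over IPv4; if the IPv6 path is the one that actually works (the commit message shows the NOTIFY arriving over it), the notify is accepted yet the zone is never refreshed. Adding `request-xfr: AXFR {{ dns_master_ipv6 }} tsig` after the existing line lets nsd try the other address, with the transfer still TSIG-signed. Both `allow-notify` entries are `NOKEY`, i.e. source-address-only ACLs; because the transfer itself remains TSIG-protected, a NOTIFY with a forged source can at most trigger an extra SOA check, which is worth stating in a template comment such as `{# NOTIFY is accepted by address only; the AXFR below is what is TSIG-authenticated #}`, and if the master signs its notifies the ACL could name the `tsig` key instead of `NOKEY` — whether it does is not visible in this diff. The template also renders an invalid `allow-notify:  NOKEY` when `dns_master_ipv6` is undefined or empty, so either rely on the README's "required" contract or wrap that line in `{% if dns_master_ipv6 is defined %}` … `{% endif %}`.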