nameserver: Allow master server to notify via ipv6

Logs show that the nameservers are being notified via ipv6 and
rejecting the request:

  nsd[18851]: notify for acme.opendev.org. \
   from 2001:4800:7819:104:be76:4eff:fe04:43d0 refused, no acl matches.

Modify the nsd ACL to allow the ipv6 of the master to trigger updates.
This is important for the letsencrypt process, where we need the
acme.opendev.org domain updated in a timely fashion so that TXT
authentication works.

Change-Id: I785f9636dd05e15b8ffd211845f439be7e8344a3
Ian Wienand 2020-10-28 13:29:15 +11:00 committed by Jens Harbott (frickler)
parent 7ac82bf5be
commit 0746dc187b
3 changed files with 11 additions and 5 deletions


@ -16,4 +16,5 @@ dns_zones:
dns_notify: dns_notify:
- 104.239.140.165 - 104.239.140.165
- 162.253.55.16 - 162.253.55.16
dns_master: 104.239.146.24 dns_master_ipv4: 104.239.146.24
dns_master_ipv6: 2001:4800:7819:104:be76:4eff:fe04:43d0
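
Review bot: renaming `dns_master` to `dns_master_ipv4` in this vars file is a breaking change for any other inventory or group vars that still set the old name; they would leave `dns_master_ipv4` undefined when the nsd template is rendered. Worth confirming that no other definition of `dns_master` remains. A short comment beside `dns_master_ipv6` saying it is the address the master sends NOTIFY from would also help, since the ACL only matches that exact source address (the one shown in the refused-notify log line).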


@ -37,6 +37,10 @@ nameserver.
located at ``zones/example_com/zone.db``, then the value here located at ``zones/example_com/zone.db``, then the value here
should be ``example.com/zones/example_com``. should be ``example.com/zones/example_com``.
.. zuul:rolevar:: dns_master .. zuul:rolevar:: dns_master_ipv4
The IP addresses of the master nameserver. Required argument. The IPv4 addresses of the master nameserver.
.. zuul:rolevar:: dns_master_ipv6
Required argument. The IPv6 addresses of the master nameserver.
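
Review bot: both `dns_master_ipv4` and `dns_master_ipv6` are documented as "addresses" (plural), but the template substitutes each variable as a single value into one `allow-notify` line, so a list here would not render as a valid ACL entry. Suggest "The IPv4 address of the master nameserver" and the same for IPv6. Since `dns_master_ipv6` is marked as a required argument, the text should also say what a deployment whose master has no IPv6 address is expected to do.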


@ -35,6 +35,7 @@ key:
{% for zone in dns_zones %} {% for zone in dns_zones %}
zone: zone:
name: {{ zone.name }} name: {{ zone.name }}
allow-notify: {{ dns_master }} NOKEY allow-notify: {{ dns_master_ipv4 }} NOKEY
request-xfr: AXFR {{ dns_master }} tsig allow-notify: {{ dns_master_ipv6 }} NOKEY
request-xfr: AXFR {{ dns_master_ipv4 }} tsig
{% endfor %} {% endfor %}
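
Review bot: the added `allow-notify: {{ dns_master_ipv6 }} NOKEY` line is emitted unconditionally and, like the IPv4 line, accepts NOTIFY on source address alone, while `request-xfr` is bound to the `tsig` key. If the master signs its notifies, naming `tsig` in place of `NOKEY` on both lines would tie them to the same key; otherwise a comment that `NOKEY` is deliberate would help the next reader. Transfers are still requested only from `dns_master_ipv4`, so a refresh triggered by an IPv6 notify depends on IPv4 reachability to the master; add a second `request-xfr` line for `dns_master_ipv6` if that is not intended.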