Stop using OpenDNS
Ianw noticed problems on fedora29 with unbound. That resulted in a bug filed upstream, https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4226. In this bug the helpful unbound maintainers point out that OpenDNS servers are having trouble with RRSIG records which leads to not validating dnssec which we require in our unbound config.

Address this by switching to CloudFlare DNS which is supposed to be super localized (aka responsive), and not record queries against it. Also if we want to we can update our config to do dns over tls against these servers.

Change-Id: I08ef6a6fba2706803d2e9de6197e0ef8d695e313
Parent: e3e36f3093
Commit: 82e14dee9c
|
@ -18,13 +18,13 @@ The image should have the unbound DNS resolver package installed, the
|
|||
``nodepool-base`` element then configures it to forward DNS queries
|
||||
to:
|
||||
|
||||
``NODEPOOL_STATIC_NAMESERVER_V4``, default: ``208.67.222.222``
|
||||
``NODEPOOL_STATIC_NAMESERVER_V4``, default: ``1.1.1.1``
|
||||
``NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK``, default: ``8.8.8.8``.
|
||||
|
||||
If ``NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6`` is set to ``1`` then
|
||||
the following two servers will be configured as forwarders too
|
||||
|
||||
``NODEPOOL_STATIC_NAMESERVER_V6``, default: ``2620:0:ccc::2``
|
||||
``NODEPOOL_STATIC_NAMESERVER_V6``, default: ``2606:4700:4700::1111``
|
||||
``NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK``, default: ``2001:4860:4860::8888``
|
||||
|
||||
Note externally setting either of these values implies
|
||||
|
|
|
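Review bot: The README text around the ``NODEPOOL_STATIC_NAMESERVER_V4`` and ``NODEPOOL_STATIC_NAMESERVER_V6`` defaults gives the new addresses but not the constraint that drove the change. The commit message says the unbound config requires DNSSEC validation and that the previous forwarder had trouble with RRSIG records, so anyone overriding these variables needs a forwarder that returns RRSIG records correctly. Suggest adding one sentence here that states that requirement.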
@ -1,4 +1,4 @@
|
|||
export NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2620:0:ccc::2}
|
||||
export NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-208.67.222.222}
|
||||
export NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2606:4700:4700::1111}
|
||||
export NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-1.1.1.1}
|
||||
export NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888}
|
||||
export NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8}
|
||||
|
|
|
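Review bot: The default literals in these four export lines are repeated in the README and again in the `${VAR:-default}` assignments of the script later in this change, so every resolver switch has to touch three places and the copies can drift apart. Suggest keeping the defaults in one of the two shell files and having the other rely on it.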
@ -31,7 +31,7 @@ set -e
|
|||
# [1] http://git.openstack.org/cgit/openstack-infra/openstack-zuul-jobs/tree/roles/configure-unbound
|
||||
#
|
||||
|
||||
NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-208.67.222.222}
|
||||
NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-1.1.1.1}
|
||||
NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8}
|
||||
|
||||
# Explicitly setting a v6 nameserver implies you want ipv6
|
||||
|
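Review bot: `NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK` stays at `8.8.8.8` on the line after the changed default, so the localization and no-query-recording properties the commit message gives as reasons for the switch hold only for queries that go to the primary. If that is intended, a short comment next to the two assignments saying so would help; otherwise consider whether the fallback should move to the same operator as the primary.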
@ -40,7 +40,7 @@ if [[ -n ${NODEPOOL_STATIC_NAMESERVER_V6:-} || -n ${NODEPOOL_STATIC_NAMESERVER_V
|
|||
fi
|
||||
|
||||
if [[ ${NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6:-0} == 1 ]]; then
|
||||
NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2620:0:ccc::2}
|
||||
NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2606:4700:4700::1111}
|
||||
NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888}
|
||||
|
||||
dd of=/tmp/forwarding.conf <<EOF
|
||||
|
|
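Review bot: The new V6 default in this hunk is applied only when `NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6` is 1, while the environment file earlier in this change exports `NODEPOOL_STATIC_NAMESERVER_V6` with a default unconditionally, and the `-n ${NODEPOOL_STATIC_NAMESERVER_V6:-}` test in this hunk's header sits under the comment that explicitly setting a v6 nameserver implies IPv6. Worth confirming that the environment file is never sourced before this script; if it is, that test always succeeds and the flag no longer controls whether IPv6 forwarders are written to the forwarding config.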