From 82e14dee9c747a918a5535c4a94004cb563e5a99 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Fri, 8 Feb 2019 09:32:38 -0800 Subject: [PATCH] Stop using OpenDNS Ianw noticed problems on fedora29 with unbound. That resulted in a bug filed upstream, https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4226. In this bug the helpful unbound maintainers point out that OpenDNS servers are having trouble with RRSIG records which leads to not validating dnssec which we require in our unbound config. Address this by switching to CloudFlare DNS which is supposed to be super localized (aka responsive), and not record queries against it. Also if we want to we can update our config to do dns over tls against these servers. Change-Id: I08ef6a6fba2706803d2e9de6197e0ef8d695e313 --- nodepool/elements/nodepool-base/README.rst | 4 ++-- .../elements/nodepool-base/environment.d/75-nodepool-base-env | 4 ++-- nodepool/elements/nodepool-base/finalise.d/89-unbound | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/nodepool/elements/nodepool-base/README.rst b/nodepool/elements/nodepool-base/README.rst index 703ae79415..5dec06ee4a 100644 --- a/nodepool/elements/nodepool-base/README.rst +++ b/nodepool/elements/nodepool-base/README.rst @@ -18,13 +18,13 @@ The image should have the unbound DNS resolver package installed, the ``nodepool-base`` element then configures it to forward DNS queries to: - ``NODEPOOL_STATIC_NAMESERVER_V4``, default: ``208.67.222.222`` + ``NODEPOOL_STATIC_NAMESERVER_V4``, default: ``1.1.1.1`` ``NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK``, default: ``8.8.8.8``. If ``NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6`` is set to ``1`` then the following two servers will be configured as forwarders too - ``NODEPOOL_STATIC_NAMESERVER_V6``, default: ``2620:0:ccc::2`` + ``NODEPOOL_STATIC_NAMESERVER_V6``, default: ``2606:4700:4700::1111`` ``NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK``, default: ``2001:4860:4860::8888`` Note externally setting either of these values implies 
diff --git a/nodepool/elements/nodepool-base/environment.d/75-nodepool-base-env b/nodepool/elements/nodepool-base/environment.d/75-nodepool-base-env index 8ab773ca97..594e5e7fa8 100644 --- a/nodepool/elements/nodepool-base/environment.d/75-nodepool-base-env +++ b/nodepool/elements/nodepool-base/environment.d/75-nodepool-base-env @@ -1,4 +1,4 @@ -export NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2620:0:ccc::2} -export NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-208.67.222.222} +export NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2606:4700:4700::1111} +export NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-1.1.1.1} export NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888} export NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8} diff --git a/nodepool/elements/nodepool-base/finalise.d/89-unbound b/nodepool/elements/nodepool-base/finalise.d/89-unbound index 9fe3973354..af91481274 100755 --- a/nodepool/elements/nodepool-base/finalise.d/89-unbound +++ b/nodepool/elements/nodepool-base/finalise.d/89-unbound @@ -31,7 +31,7 @@ set -e # [1] http://git.openstack.org/cgit/openstack-infra/openstack-zuul-jobs/tree/roles/configure-unbound # -NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-208.67.222.222} +NODEPOOL_STATIC_NAMESERVER_V4=${NODEPOOL_STATIC_NAMESERVER_V4:-1.1.1.1} NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8} # Explicitly setting a v6 nameserver implies you want ipv6 
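Review bot: Because environment.d/75-nodepool-base-env always exports a non-empty `NODEPOOL_STATIC_NAMESERVER_V6`, the `-n ${NODEPOOL_STATIC_NAMESERVER_V6:-}` test in finalise.d/89-unbound presumably succeeds whenever this file is sourced first. If so, the "explicitly setting a v6 nameserver implies you want ipv6" branch runs even when nobody set the variable; this depends on how the element loads its environment and should be confirmed. The same defaults are also written out again in 89-unbound and the README, so every resolver change has to be made in three places, as this commit does. Keeping the defaults in one file, marked with a comment such as `# Default DNS forwarders; finalise.d/89-unbound consumes these`, would stop the copies drifting.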
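Review bot: The new default on the `NODEPOOL_STATIC_NAMESERVER_V4` line in finalise.d/89-unbound has no comment recording the constraint that drove this change. The commit message says the unbound config requires DNSSEC validation and that the previous forwarder mishandled RRSIG records. I would add above the assignment `# Forwarders must return RRSIG records: our unbound config requires DNSSEC validation.` so that a later change of resolver is checked against that requirement. The same constraint applies to the unchanged fallback `8.8.8.8` on the following line. The hunk shows only part of the script's top-level statements; the rest lies outside it.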
@@ -40,7 +40,7 @@ if [[ -n ${NODEPOOL_STATIC_NAMESERVER_V6:-} || -n ${NODEPOOL_STATIC_NAMESERVER_V fi if [[ ${NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6:-0} == 1 ]]; then - NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2620:0:ccc::2} + NODEPOOL_STATIC_NAMESERVER_V6=${NODEPOOL_STATIC_NAMESERVER_V6:-2606:4700:4700::1111} NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888} dd of=/tmp/forwarding.conf <