Replace bind with knot-resolver as the recursive resolver on the routers #1846
sysvinit wants to merge 13 commits into fc-25.05-dev from
nixos/platform/network.nix (outdated)
| "ndots:1" | ||
| "timeout:1" | ||
| "attempts:6" | ||
| "timeout:5" # in correspondence with rfc8767 |
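Review bot: the inline comment on `timeout:5` claims correspondence with RFC 8767, but the value is 5 rather than the 2 seconds the RFC discusses, so the comment should state the actual reason for 5 (the stale-serving granularity of kresd) instead of claiming correspondence. The hunk also shows both a `timeout:1` and a `timeout:5` entry; if both end up in the generated resolv.conf, the later option silently wins, so confirm the first one is being removed rather than kept.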
Ah, I remember: this isn't quite in correspondence. RFC 8767 suggests 2 as a common option, but we can't use 2 because kresd isn't able to hit the stale timeout in 1.8 seconds due to granularity.
| view:addr('127.0.0.0/8', policy.all(policy.PASS)) | ||
| view:addr('::1/128', policy.all(policy.PASS)) | ||
|
|
||
| ${lib.concatMapStringsSep "\n" ( |
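Review bot: the visible view rules only grant `policy.PASS` to loopback and to the generated address list; nothing shown refuses everything else, so make sure the rule set ends with catch-all entries such as `view:addr('0.0.0.0/0', policy.all(policy.DROP))` and `view:addr('::/0', policy.all(policy.DROP))`, otherwise sources outside the list fall through to the default behaviour and the resolver is open to whatever the firewall lets in.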
I was wondering whether this will cause unnecessary hard reloads. I was considering putting this into the firewalling code instead if it does.
Well, the short answer is yes, this will cause a restart (not a reload) if the list changes. It's possible that kresd might restart fast enough for this to not be a problem, though this is indeed something which has bitten us with bind in the past.
As for the firewalling... if we put the list of allowed IP ranges in the firewall, then changing the allowed IPs will cause a firewall reload, which on the routers usually causes the BGP sessions to go down and cause a failover due to the BFD getting interrupted. I presume by "put this into firewalling" you mean restrict access to DNS to only "downstream" interfaces, and e.g. dropping incoming DNS from the transfer/uplink interfaces?
multi instance (4?) + execstop with jittered pause?
nixos/roles/router/kresd/default.nix (outdated)
| -- ensure that the hosts file can be reloaded by sighup at runtime. | ||
|
|
||
| local function load_private_hosts() | ||
| hints.add_hosts('/etc/nixos/rfc1918-hosts') |
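Review bot: hints.add_hosts() only adds entries, so calling load_private_hosts() again after the file changed will leave names that were removed from /etc/nixos/rfc1918-hosts resolving until the next restart; for the SIGHUP reload promised in the comment above to converge on the file contents, keep the previously loaded set and call hints.del() for pairs that disappeared, or document that removals require a restart.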
does this remove outdated hosts?
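As an added example, not code from this PR: a hints reload routine that also removes entries dropped from the hosts file, which is what the question above is about. It keeps the load_private_hosts name from the diff but replaces hints.add_hosts() with per-entry hints.set()/hints.del() calls; the parse_hosts helper, the periodic event.recurrent() trigger and the 5-minute interval are this example's own assumptions.

```lua
-- Reload hints from a hosts(5) file and drop entries that vanished since the
-- previous load. hints.add_hosts() only ever adds, so a bare re-read would keep
-- deleted names resolving until the next restart. Assumes the hints module is
-- loaded; the path, interval and parse_hosts helper are this example's choices.
local hosts_path = '/etc/nixos/rfc1918-hosts'
local loaded = {}  -- name -> set of addresses, as of the last successful load
-- Parse hosts(5): "<addr> <name> [alias ...]"; '#' starts a comment.
local function parse_hosts(path)
  local f, err = io.open(path, 'r')
  if not f then
    print('hints reload: cannot open ' .. path .. ': ' .. tostring(err))
    return nil
  end
  local entries = {}
  for line in f:lines() do
    line = line:gsub('#.*$', '')
    local addr, names = line:match('^%s*(%S+)%s+(.-)%s*$')
    if addr and names ~= '' then
      for name in names:gmatch('%S+') do
        entries[name] = entries[name] or {}
        entries[name][addr] = true
      end
    end
  end
  f:close()
  return entries
end
local function load_private_hosts()
  local current = parse_hosts(hosts_path)
  if not current then return end  -- keep the last good set on read errors
  -- Remove hints for (name, addr) pairs that are no longer in the file.
  for name, addrs in pairs(loaded) do
    for addr in pairs(addrs) do
      if not (current[name] and current[name][addr]) then
        hints.del(name .. ' ' .. addr)
      end
    end
  end
  -- (Re)add every pair currently listed; hints.set() is idempotent.
  for name, addrs in pairs(current) do
    for addr in pairs(addrs) do
      hints.set(name .. ' ' .. addr)
    end
  end
  loaded = current
end

load_private_hosts()                              -- initial load at startup
event.recurrent(5 * minute, load_private_hosts)   -- re-read periodically
```

The timer stands in for the SIGHUP hook the diff mentions; wiring the same function to a signal or to the control socket changes only the trigger, not the diffing logic.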
nixos/roles/router/kresd/default.nix (outdated)
| -- long enough to trigger the stale serving behaviour. we match the | ||
| -- rfc for the stale serving timeout though so we get the benefits | ||
| -- if the granularity changes in the future. | ||
| serve_stale.timeout = 1800 |
Add helper script which generates a hosts(5) file for assignments for private RFC1918 addresses. PL-134065
Add Cloudflare and Google to the list in addition to Quad9. PL-134065 Co-authored-by: Christian Theune <ct@flyingcircus.io>
This removes authoritative DNS for gocept.net from the routers and replaces bind with kresd as the site resolver. PL-134065
kresd doesn't natively support runtime reloads, however the Lua scripting is flexible enough to permit implementing this ourselves. PL-134065
b4a1705 to e0786b6
PL-134065