Primary DNS Instances

Primary DNS instances are authoritative DNS servers that host the master copies of your DNS zones. They are the source of truth for DNS data and handle zone updates.

Creating a Primary Instance

Here’s a basic example of a primary DNS instance:

apiVersion: bindy.firestoned.io/v1alpha1
kind: Bind9Instance
metadata:
  name: primary-dns
  namespace: dns-system
  labels:
    dns-role: primary
    environment: production
spec:
  replicas: 2
  version: "9.18"
  config:
    recursion: false
    allowQuery:
      - "0.0.0.0/0"
    allowTransfer:
      - "10.0.0.0/8"  # Allow zone transfers to secondary servers
    dnssec:
      enabled: true
      validation: true

Apply it with:

kubectl apply -f primary-instance.yaml

Configuration Options

Replicas

The replicas field controls how many BIND9 pods to run:

spec:
  replicas: 2  # Run 2 pods for high availability

BIND9 Version

Specify the BIND9 version to use:

spec:
  version: "9.18"  # Use BIND 9.18

Query Access Control

Control who can query your DNS server:

spec:
  config:
    allowQuery:
      - "0.0.0.0/0"      # Allow queries from anywhere
      - "10.0.0.0/8"     # Or restrict to specific networks

Zone Transfer Control

Restrict zone transfers to authorized servers (typically secondaries):

spec:
  config:
    allowTransfer:
      - "10.0.0.0/8"     # Allow transfers to secondary network
      - "192.168.1.0/24" # Or specific secondary server network

DNSSEC Configuration

Enable DNSSEC signing and validation:

spec:
  config:
    dnssec:
      enabled: true      # Enable DNSSEC signing
      validation: true   # Enable DNSSEC validation

Recursion

Primary authoritative servers should disable recursion:

spec:
  config:
    recursion: false  # Disable recursion for authoritative servers

Labels

Use labels to organize and select instances:

metadata:
  labels:
    dns-role: primary        # Indicates this is a primary server
    environment: production  # Environment designation
    region: us-east-1       # Geographic location

These labels are used by DNSZone resources to select which instances should host their zones.

Verifying Deployment

Check the instance status:

kubectl get bind9instances -n dns-system
kubectl describe bind9instance primary-dns -n dns-system

Check the created resources:

# View the deployment
kubectl get deployment -n dns-system -l instance=primary-dns

# View the pods
kubectl get pods -n dns-system -l instance=primary-dns

# View the service
kubectl get service -n dns-system -l instance=primary-dns

Testing DNS Resolution

Once deployed, test DNS queries:

# Get the service IP
SERVICE_IP=$(kubectl get svc -n dns-system primary-dns -o jsonpath='{.spec.clusterIP}')

# Test DNS query
dig @$SERVICE_IP example.com

Next Steps

Create DNS Zones to host on this instance
Setup Secondary Instances for redundancy
Configure Multi-Region Setup for geographic distribution

Keyboard shortcuts

Bindy - BIND9 DNS Controller for Kubernetes