
Ianw noticed problems on fedora29 with unbound. That resulted in a bug filed upstream, https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4226. In this bug the helpful unbound maintainers point out that OpenDNS servers are having trouble with RRSIG records which leads to not validating dnssec which we require in our unbound config. Address this by switching to CloudFlare DNS which is supposed to be super localized (aka responsive), and not record queries against it. Also if we want to we can update our config to do dns over tls against these servers.
Change-Id: I08ef6a6fba2706803d2e9de6197e0ef8d695e313
nodepool-base
Tasks to deal with image metadata and other Nodepool cloud specific tweaks.
Environment variables:
  NODEPOOL_SCRIPTDIR
    path to copy Nodepool scripts from. It is set automatically by Nodepool. For local hacking override it to where your scripts are. Default: $TMP_MOUNT_PATH/opt/git/openstack-infra/project-config/nodepool/scripts.
Name resolution
The image should have the unbound DNS resolver package installed; the nodepool-base element then configures it to forward DNS queries to:
  NODEPOOL_STATIC_NAMESERVER_V4, default: 1.1.1.1
  NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK, default: 8.8.8.8
If NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6 is set to 1 then the following two servers will be configured as forwarders too:
  NODEPOOL_STATIC_NAMESERVER_V6, default: 2606:4700:4700::1111
  NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK, default: 2001:4860:4860::8888
Note: externally setting either of these values implies NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6=1.
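
An added example, not the nodepool-base element's own script: how the variables above could be turned into an unbound forward-zone stanza, including the rule that setting either IPv6 variable implies NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6=1. The function name render_forwarders and the address-character check are assumptions of this example; the defaults are the ones documented above.

```shell
#!/bin/sh
# Added example: NOT the nodepool-base element's own script.
# render_forwarders is a hypothetical helper name.

render_forwarders() {
    # Setting either IPv6 variable externally implies POPULATE_IPV6=1, so
    # check for that before the defaults are filled in.
    populate_v6=${NODEPOOL_STATIC_NAMESERVER_POPULATE_IPV6:-0}
    if [ -n "${NODEPOOL_STATIC_NAMESERVER_V6:-}" ] ||
       [ -n "${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-}" ]; then
        populate_v6=1
    fi

    # Defaults as documented in the README.
    v4=${NODEPOOL_STATIC_NAMESERVER_V4:-1.1.1.1}
    v4_fb=${NODEPOOL_STATIC_NAMESERVER_V4_FALLBACK:-8.8.8.8}
    v6=${NODEPOOL_STATIC_NAMESERVER_V6:-2606:4700:4700::1111}
    v6_fb=${NODEPOOL_STATIC_NAMESERVER_V6_FALLBACK:-2001:4860:4860::8888}

    # Assumption of this example: accept only address characters, so a space
    # or newline in the environment cannot add extra unbound.conf directives.
    for addr in "$v4" "$v4_fb"; do
        case $addr in
            ''|*[!0-9.]*) echo "bad IPv4 forwarder: $addr" >&2; return 1 ;;
        esac
    done
    for addr in "$v6" "$v6_fb"; do
        case $addr in
            ''|*[!0-9A-Fa-f:]*) echo "bad IPv6 forwarder: $addr" >&2; return 1 ;;
        esac
    done

    # Root forward-zone: every query goes to the listed resolvers.
    printf 'forward-zone:\n    name: "."\n'
    printf '    forward-addr: %s\n' "$v4" "$v4_fb"
    if [ "$populate_v6" = 1 ]; then
        printf '    forward-addr: %s\n' "$v6" "$v6_fb"
    fi
}

# Print the stanza for the current environment.
render_forwarders
```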