Cluster information:
Kubernetes version: v1.27.1
Cloud being used: bare-metal
Host OS: Ubuntu 20
CNI and version: calico v3.25.1
CRI and version: containerd://1.6.12z
I am trying to enable DNSSEC for the cluster services, I have generated the keys and have applied it to the Corefile. However after enabling it using the plugin the output is not showing the ad flag.
apiVersion: v1
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30
loop
reload
loadbalance
dnssec cluster.local {
key "cluster.local. IN DNSKEY 256 3 8 AwEAAcc2NC0LdPPUVmxO9UiZwbtxPLpmCrhnD+L4bZRIqir4zLK+eL31 pxcpRtWm9RtX4xXQ+RhmWBJ6I98qnpKGUlsPKJzzLXAavbYUjzLGS9IV t7lYfxNYDwJAGFHd4Osenz+VyyOZ57Vc4BPl7FFiJNiJR1X9EwTPqxvw LiOkLXIVdnIisO5aWPREeCnVGJLRl/D77skw8Is89LTNGStIb2uWfwLX GHuEoSKEnBc9j9h9hSg7oGG/fL5LwDqtQBX5BisW88yj1kZSbeLcZEEh NdDFIEgbSOW6iwjVDlfmy8k9+WohUNh97n2gmilokUaf9bsq+yCiG5BB Dfrvz0EuTOE="
}
}
kind: ConfigMap
; <<>> DiG 9.16.1-Ubuntu <<>> 192-168-235-129.test-pod.default.svc.cluster.local. +dnssec
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21104
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
; OPT=5: 05 07 08 0a 0d 0e 0f (".......")
; OPT=6: 01 02 04 ("...")
; OPT=7: 01 (".")
;; QUESTION SECTION:
;192-168-235-129.test-pod.default.svc.cluster.local. IN A
;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue May 23 02:44:28 UTC 2023
;; MSG SIZE rcvd: 102
Does any of you have an Idea to enable DNSSEC on the cluster services?