From 0746dc187bb43d55f0f7bee1ec168aa0be5eb6be Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Wed, 28 Oct 2020 13:29:15 +1100
Subject: [PATCH] nameserver: Allow master server to notify via ipv6

Logs show that the nameservers are being notified via ipv6 and
rejecting the request:

  nsd[18851]: notify for acme.opendev.org. \
   from 2001:4800:7819:104:be76:4eff:fe04:43d0 refused, no acl matches.

Modify the nsd ACL to allow the ipv6 of the master to trigger updates.
This is important for the letsencrypt process, where we need the
acme.opendev.org domain updated in a timely fashion so that TXT
authentication works.

Change-Id: I785f9636dd05e15b8ffd211845f439be7e8344a3
---
 inventory/service/group_vars/dns.yaml            | 3 ++-
 playbooks/roles/nameserver/README.rst            | 8 ++++++--
 playbooks/roles/nameserver/templates/nsd.conf.j2 | 5 +++--
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/inventory/service/group_vars/dns.yaml b/inventory/service/group_vars/dns.yaml
index e331b5d7eb..8342e109a0 100644
--- a/inventory/service/group_vars/dns.yaml
+++ b/inventory/service/group_vars/dns.yaml
@@ -16,4 +16,5 @@ dns_zones:
 dns_notify:
   - 104.239.140.165
   - 162.253.55.16
-dns_master: 104.239.146.24
+dns_master_ipv4: 104.239.146.24
+dns_master_ipv6: 2001:4800:7819:104:be76:4eff:fe04:43d0
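Review bot: The new `dns_master_ipv4` and `dns_master_ipv6` values are plain scalars; quoting them, e.g. `dns_master_ipv6: '2001:4800:7819:104:be76:4eff:fe04:43d0'`, keeps them strings under any loader. This address happens to parse as a string because it contains hex letters, but a colon-separated value made only of decimal digits can be read as a base-60 integer by YAML 1.1 parsers, so a later address change could silently alter the rendered ACL. Separately, `dns_master` is removed rather than kept as an alias; any vars file or template outside this patch that still references it would presumably fail to render, so it is worth a grep before merging.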
diff --git a/playbooks/roles/nameserver/README.rst b/playbooks/roles/nameserver/README.rst
index 353bfe6772..f26a76cf77 100644
--- a/playbooks/roles/nameserver/README.rst
+++ b/playbooks/roles/nameserver/README.rst
@@ -37,6 +37,10 @@ nameserver.
       located at ``zones/example_com/zone.db``, then the value here
       should be ``example.com/zones/example_com``.
 
-.. zuul:rolevar:: dns_master
+.. zuul:rolevar:: dns_master_ipv4
 
-   The IP addresses of the master nameserver.
+   Required argument.  The IPv4 addresses of the master nameserver.
+
+.. zuul:rolevar:: dns_master_ipv6
+
+   Required argument.  The IPv6 addresses of the master nameserver.
diff --git a/playbooks/roles/nameserver/templates/nsd.conf.j2 b/playbooks/roles/nameserver/templates/nsd.conf.j2
index 29ddc54b49..5a56d0ef60 100644
--- a/playbooks/roles/nameserver/templates/nsd.conf.j2
+++ b/playbooks/roles/nameserver/templates/nsd.conf.j2
@@ -35,6 +35,7 @@ key:
 {% for zone in dns_zones %}
 zone:
     name: {{ zone.name }}
-    allow-notify: {{ dns_master }} NOKEY
-    request-xfr: AXFR {{ dns_master }} tsig
+    allow-notify: {{ dns_master_ipv4 }} NOKEY
+    allow-notify: {{ dns_master_ipv6 }} NOKEY
+    request-xfr: AXFR {{ dns_master_ipv4 }} tsig
 {% endfor %}
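Review bot: The added `allow-notify: {{ dns_master_ipv6 }} NOKEY` line authorizes NOTIFY by source address alone, as the IPv4 line already does. The transfer on `request-xfr` is keyed, so the exposure appears limited to unsolicited refresh attempts triggered from a spoofed source. If the master can sign its NOTIFY messages, both lines could name the key instead, e.g. `allow-notify: {{ dns_master_ipv6 }} tsig`; this assumes `tsig` is the key defined in the `key:` section above the hunk, which is not visible here. If NOKEY is kept, a one-line template comment such as `# NOTIFY is address-authorized only; zone data is still fetched over the keyed request-xfr` would record why that is acceptable.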