Add DNSStaticResolver option #7336
Conversation
@mcpherrinm, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.
I'd thought about reverting the removal of the DNSResolvers config, but that ended up gnarlier for a few reasons: it was removed before config validation, so we'd end up resolving conflicts and then editing to make it more like this anyway. Also, I think it's clearer if we explicitly name the config option as "static" to make sure it's distinguished from the dynamic provider we use with consul-discovered DNS servers.
Looks good, just a couple of comments. Also, we should probably remove the "doh" service from consul if it's no longer in use. The bit you're looking for is here:
services {
  id = "doh-a"
  name = "doh"
  address = "10.77.77.77"
  port = 8343
  tags = ["tcp"]
}
services {
  id = "doh-b"
  name = "doh"
  address = "10.77.77.77"
  port = 8443
  tags = ["tcp"]
}
Co-authored-by: Samantha <[email protected]>
The idea here is to use the static resolver for the RVAs (which will have colocated Unbounds), and the SRV resolver for the on-prem VAs. So we'll be exercising both code paths and still want DoH configured.
Cool, thanks for clearing that up!
Looks good to me modulo @beautifulentropy's remaining open comment #7336 (comment).
We run the RVAs in AWS, where we don't have all the same service discovery infrastructure we do for the primary VAs and the rest of Boulder. The solution for populating SRV records we have today hasn't been reliable, so we'd like to experiment with bringing up RVAs paired 1:1 with a local DNS resolver. This brings back some of the previous static DNS resolver configuration, though it's not a clean revert because other configuration has changed in the meantime.
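As an added example (not Boulder's own code, written in Go since that is what Boulder is built in), the static-versus-SRV distinction discussed above modelled as a config struct with two mutually exclusive sources, the validation the thread mentions, and an injectable SRV lookup so it runs offline. The struct and method names are assumptions; the "doh" service name and 10.77.77.77 addresses are reused from the consul snippet in the thread as sample values.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// ResolverConfig is an assumed shape for the option the PR discusses: either a
// static resolver list or an SRV service name. Field names are hypothetical.
type ResolverConfig struct {
	DNSStaticResolvers []string // e.g. "10.77.77.77:8343"
	DNSProvider        string   // SRV service name, e.g. "doh"
}

// Validate rejects configs that set both or neither source and checks that
// every static entry is an IP literal with a port in range.
func (c ResolverConfig) Validate() error {
	if (len(c.DNSStaticResolvers) > 0) == (c.DNSProvider != "") {
		return fmt.Errorf("set exactly one of DNSStaticResolvers or DNSProvider")
	}
	for _, addr := range c.DNSStaticResolvers {
		host, port, err := net.SplitHostPort(addr)
		p, perr := strconv.Atoi(port)
		if err != nil || net.ParseIP(host) == nil || perr != nil || p < 1 || p > 65535 {
			return fmt.Errorf("static resolver %q: want IP literal and port 1-65535", addr)
		}
	}
	return nil
}

// Addrs returns resolver addresses: static entries verbatim, otherwise the
// targets of the SRV records from lookup (net.LookupSRV-shaped, injectable).
func (c ResolverConfig) Addrs(lookup func(string) ([]*net.SRV, error)) ([]string, error) {
	if err := c.Validate(); err != nil {
		return nil, err
	}
	if len(c.DNSStaticResolvers) > 0 {
		return c.DNSStaticResolvers, nil
	}
	recs, err := lookup(c.DNSProvider)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, r := range recs {
		out = append(out, net.JoinHostPort(r.Target, strconv.Itoa(int(r.Port))))
	}
	return out, nil
}
```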