Creating Zones¶
Learn how to create DNS zones in Bindy and deploy them to BIND9 instances.
Zone Architecture¶
Architecture: In Bindy, zones select instances (not the other way around). A
DNSZoneresource declares whichBind9Instanceresources should serve it.
Zones in Bindy follow a three-tier model:
- Bind9Cluster - Cluster-level configuration (version, shared config, TSIG keys)
- Bind9Instance - Individual BIND9 server deployment (references a cluster)
- DNSZone - DNS zone (selects instances via
clusterReforbind9InstancesFrom)
Prerequisites¶
Before creating a zone, ensure you have:
- A Bind9Cluster resource deployed
- A Bind9Instance resource deployed (referencing the cluster)
- The instance is ready and running
Creating a Primary Zone¶
First, ensure you have a cluster and instance:
# Step 1: Create a Bind9Cluster (if not already created)
apiVersion: bindy.firestoned.io/v1beta1
kind: Bind9Cluster
metadata:
name: production-dns
namespace: dns-system
spec:
version: "9.18"
global:
recursion: false
allowQuery:
- "0.0.0.0/0"
allowTransfer:
- "10.0.0.0/8"
---
# Step 2: Create a Bind9Instance (if not already created)
apiVersion: bindy.firestoned.io/v1beta1
kind: Bind9Instance
metadata:
name: primary-dns
namespace: dns-system
spec:
clusterRef: production-dns # References the Bind9Cluster above
role: primary
replicas: 1
---
# Step 3: Create the DNSZone
apiVersion: bindy.firestoned.io/v1beta1
kind: DNSZone
metadata:
name: example-com
namespace: dns-system
spec:
zoneName: example.com
clusterRef: production-dns # Selects all instances with spec.clusterRef: production-dns
soaRecord:
primaryNs: ns1.example.com.
adminEmail: admin.example.com. # Note: @ replaced with .
serial: 2024010101
refresh: 3600
retry: 600
expire: 604800
negativeTtl: 86400
ttl: 3600
Instance Selection Methods¶
There are three ways to deploy a zone to instances:
Method 1: Cluster Reference (Simplest)¶
Reference a cluster, and the zone will be served by all instances in that cluster:
Method 2: Label Selectors (Most Flexible)¶
Use label selectors to choose instances based on labels:
apiVersion: bindy.firestoned.io/v1beta1
kind: DNSZone
metadata:
name: example-com
namespace: dns-system
labels:
zone: example.com
spec:
zoneName: example.com
bind9InstancesFrom:
- selector:
matchLabels:
dns-role: primary
environment: production
soaRecord:
primaryNs: ns1.example.com.
adminEmail: admin.example.com.
serial: 2024010101
ttl: 3600
This deploys the zone to all instances with both labels.
Method 3: Combined (Most Control)¶
Use both methods - the zone will be served by the UNION of instances from both:
For detailed guidance, see Zone Selection Guide.
How It Works¶
When you create a DNSZone:
- Zone selects instances - Operator evaluates
clusterRefand/orbind9InstancesFromto select instances - Deduplicates instances - If using both methods, duplicates are removed (UID-based)
- For each selected instance:
- Retrieves bindcar HTTP API endpoint for the instance
- Sends zone configuration via
POST /api/v1/zones - Bindcar updates BIND9 configuration and reloads
- Updates instance status in
status.bind9Instances[] - Computes status - Sets
bind9InstancesCountfrom array length - Sets conditions - Updates Ready/Progressing/Degraded conditions
Verifying Zone Creation¶
Check the zone status:
Expected output:
The Instances column shows how many Bind9Instance resources are serving the zone.
View detailed status:
Expected status output:
Status:
Bind9 Instances:
Name: primary-dns
Namespace: dns-system
Status: Configured
Message: Zone synchronized successfully
Bind9 Instances Count: 1
Conditions:
Type: Ready
Status: True
Reason: InstancesSynchronized
Message: Zone configured on 1 instance
Record Count: 0
Key status fields: - bind9InstancesCount: Number of instances serving the zone - bind9Instances[]: List of instances with their sync status - recordCount: Number of DNS records in the zone - conditions: Ready/Progressing/Degraded status
Next Steps¶
- Add DNS Records to your zone
- Configure Zone Transfers for secondaries
- Learn about Communication Protocols - RNDC and HTTP API