I have set up a 3 node consul cluster with ACL set to deny.
Now I’m trying to figure out how to allow me to do (anonymous) DNS lookups on the whole consul cluster to get a list of A records with all available nodes.
For instance these…
consul acl policy create -name 'service-consul-read' -rules 'service "consul" { policy = "read" }'
consul acl token update -id 00000000-0000-0000-0000-000000000002 --merge-policies -description "Anonymous Token - Can List Nodes" -policy-name service-consul-read
consul acl policy create -name 'list-all-nodes' -rules 'node_prefix "" { policy = "read" }'
consul acl token update -id 00000000-0000-0000-0000-000000000002 -policy-name list-all-nodes -description "Anonymous Token - Can List Nodes"
This allows me to do lookups on all nodes individually:
dig consul-server01.node.dc01.consul +short
10.20.1.110
dig consul-server02.node.dc01.consul +short
10.20.1.125
dig consul-server03.node.dc01.consul +short
10.20.1.128
When querying for all available nodes at once, I’m just getting NXDOMAIN:
dig consul.service.consul
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> consul.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46761
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul. IN A

;; AUTHORITY SECTION:
consul. 0 IN SOA ns.consul. hostmaster.consul. 1579877061 3600 600 86400 0
What did I miss from the configuration?
Works fine when ACL is set to allow.
Thanks!
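As an added illustration (not part of the original post, and not Consul's own code), the following Python model shows two mechanisms that decide whether the anonymous token can answer the lookups above: a `<name>.node.<dc>.consul` query needs `node:read` on that node, while a `<name>.service.consul` query needs `service:read` on the service plus `node:read` on the nodes that provide it, and nodes the token cannot read are filtered out of the answer. It also models the policy-list semantics of `consul acl token update`: with `-merge-policies` the named policies are added to the token's existing list, without it the list is replaced (this is the documented CLI behaviour, but the evaluator here is a simplification written for this example). The catalog, node names and IPs are taken from the post; the most-specific-rule-wins evaluation is a simplified model.

```python
"""Toy model of Consul ACL evaluation for DNS lookups (added example, not Consul's code).

Simplifications (assumptions of this example, not taken from the post):
  * only `node`, `node_prefix`, `service` and `service_prefix` rules are understood;
  * the most specific matching rule wins (exact name beats any prefix, longer
    prefix beats shorter), and `read`/`write` grant read while `deny` refuses;
  * a token update replaces the policy list unless merge=True, mirroring the
    `-merge-policies` flag of `consul acl token update`.
"""
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, bool, str]  # (kind, name, is_prefix, level)

RULE_RE = re.compile(
    r'(node|service)(_prefix)?\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(read|write|deny)"\s*\}'
)


def parse_rules(hcl: str) -> List[Rule]:
    """Parse the minimal HCL subset used in the post, e.g. node_prefix "" { policy = "read" }."""
    return [(kind, name, bool(prefix), level)
            for kind, prefix, name, level in RULE_RE.findall(hcl)]


def rule_allows_read(rules: List[Rule], kind: str, name: str) -> bool:
    """Most specific matching rule of the given kind decides; no match means deny."""
    best = None  # (specificity, level)
    for r_kind, r_name, is_prefix, level in rules:
        if r_kind != kind:
            continue
        if is_prefix:
            if not name.startswith(r_name):
                continue
            specificity = len(r_name)
        else:
            if name != r_name:
                continue
            specificity = 10 ** 6  # an exact match outranks any prefix
        if best is None or specificity > best[0]:
            best = (specificity, level)
    return best is not None and best[1] in ("read", "write")


def token_update(current: Set[str], new_policies: List[str], merge: bool) -> Set[str]:
    """Model of `consul acl token update`: replace the policy list unless merging."""
    return (current | set(new_policies)) if merge else set(new_policies)


# Catalog as described in the post (node names and addresses from the dig output).
NODES: Dict[str, str] = {
    "consul-server01": "10.20.1.110",
    "consul-server02": "10.20.1.125",
    "consul-server03": "10.20.1.128",
}
SERVICES: Dict[str, List[str]] = {"consul": list(NODES)}


def dns_lookup(fqdn: str, token_policies: Set[str], policies: Dict[str, List[Rule]]) -> List[str]:
    """Return the A records the DNS interface would answer; an empty list means NXDOMAIN."""
    rules = [r for p in sorted(token_policies) for r in policies[p]]
    name, kind = fqdn.rstrip(".").split(".")[:2]
    if kind == "node":
        return [NODES[name]] if name in NODES and rule_allows_read(rules, "node", name) else []
    if kind == "service":
        if not rule_allows_read(rules, "service", name):
            return []
        # Nodes the token cannot read are filtered from the service answer.
        return [NODES[n] for n in SERVICES.get(name, []) if rule_allows_read(rules, "node", n)]
    return []


def reproduce(merge_second_update: bool) -> dict:
    """Replay the two policy-create / token-update steps from the post on the anonymous token."""
    policies = {
        "service-consul-read": parse_rules('service "consul" { policy = "read" }'),
        "list-all-nodes": parse_rules('node_prefix "" { policy = "read" }'),
    }
    anon: Set[str] = set()
    anon = token_update(anon, ["service-consul-read"], merge=True)           # step 1 used --merge-policies
    anon = token_update(anon, ["list-all-nodes"], merge=merge_second_update)  # step 2 in the post did not
    return {
        "token": anon,
        "node_lookups": [dns_lookup(f"{n}.node.dc01.consul", anon, policies)[0] for n in NODES],
        "service_lookup": dns_lookup("consul.service.consul", anon, policies),
    }


if __name__ == "__main__":
    for merge in (False, True):
        print(f"merge on second update={merge}: {reproduce(merge)}")
```

Running it prints, for the replace case, a token holding only `list-all-nodes`, three successful node lookups and an empty (NXDOMAIN) service answer; with merge=True the service answer carries all three addresses. The model's point for anyone reviewing anonymous-token grants is that what matters is the policy set the token actually ends up with, which `consul acl token read` can confirm, not the policies that were created.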