Designate provides DNS as a Service in OpenStack
Central Register
User's Cooperation
The user's cooperation is required as soon as the provider provides the Designate infrastructure for the cloud as described. This much is clear: For Designate to work for a domain, the domain needs to be configured with the responsible registry so that its NS records actually point to the Designate name servers. Designate therefore assumes control over the domain in this scenario. Anyone who wants to avoid this can, of course, also work using sub-delegations: DNS for the subdomain cloud.example.com could be delegated to Designate while the normal name servers take care of the rest of the domain, for example.
The setup of domains by users with the Designate command-line client provided is simple. Using
designate domain-create --name example.com. --email email@example.com
the user can create a domain (Figure 2). The tool output then displays an ID, which is important. The user needs this domain ID to create DNS entries for VMs:
designate record-create 5849251B-832E-4521-94ED-92EB3D191DC4 --name www.example.com. --type A --data 192.0.2.1
This example shows that the domain name www.example.com receives an A record for the address 192.168.2.1. To set the PTR record for a cloud floating IP, an ID is required – specifically, that of the floating IP. This ID is displayed on either the dashboard or the command line. The command is
openstack ptr record set <ID> <PTR record>
where <ID> and <PTR record> must be replaced with the appropriate values.
If necessary, the user can adjust the network to automate the process. When setting up the domain, the parameter for neutron can be used to define the DNS domain to which the network is to be connected.
Discover the Possibilities
Designate's scope of functions goes far beyond creating DNS and PTR records. One example is controlling zone transfers: Anyone who wants to execute an AXFR transfer for a specific domain can do so for the respective zone with:
designate zone axfr
The blacklist zones are also interesting. Using regular expressions, you can define strings that must not appear in domain names.
Anyone who wants to prevent their own cloud websites from having obscene words in the DNS name can enter them in the Designate blacklist. An attempt to create a domain that matches a pattern on the blacklist will fail with an HTTP 400 error, and the corresponding error message will appear. Only admins can create or manage blacklist domains.
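The following added example (not from the article or the Designate project) audits a set of blacklist patterns against names that should and should not be rejected before an admin loads them. It assumes a pattern rejects a name when it matches anywhere in the fully qualified name (`re.search` semantics); all patterns and names are constructed.

```python
import re

# Constructed blacklist patterns for illustration; none come from the article.
NAIVE = ["admin", "internal.example.com"]
STRICT = [
    r"(^|[.\-])admin[.\-]",                          # 'admin' only as a label or hyphenated part
    r"^([a-z0-9_\-]+\.)*internal\.example\.com\.$",  # the zone itself plus any subdomain
]

def matching_patterns(zone_name, patterns):
    """Return the patterns that would reject zone_name (empty list = allowed).

    Assumption: a pattern rejects a name when re.search() finds it anywhere
    in the fully qualified name, so unanchored patterns match substrings.
    """
    return [p for p in patterns if re.search(p, zone_name)]

def audit(patterns, must_block, must_allow):
    """List every name for which the blacklist does not behave as intended."""
    problems = []
    for name in must_block:
        if not matching_patterns(name, patterns):
            problems.append(("not blocked", name))
    for name in must_allow:
        if matching_patterns(name, patterns):
            problems.append(("over-blocked", name))
    return problems

# Constructed test names, written with the trailing dot used in the commands above.
MUST_BLOCK = ["admin.example.com.", "db.internal.example.com.", "internal.example.com."]
MUST_ALLOW = ["badminton.example.com.", "internal-example.com.org."]

if __name__ == "__main__":
    for label, patterns in (("naive", NAIVE), ("strict", STRICT)):
        print(label, audit(patterns, MUST_BLOCK, MUST_ALLOW))
```

The naive patterns reject legitimate names because "admin" is a substring of "badminton" and an unescaped dot matches any character; the anchored, escaped patterns block the intended names without that collateral.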
A GUI for Designate
In this article, I have shown how to create entries both for host names and IP addresses from the command line using the Designate API. What hasn't been mentioned thus far is the plugin that Designate needs to integrate into the OpenStack dashboard, Horizon. Unfortunately, the integration of Designate into the central OpenStack GUI is not a success story: The first work began in 2014, and an abandoned merge request in the OpenStack project review system [3] indicates that Designate should have been integrated with Horizon for more than two years.
However, the merge request was blocked because of various errors, and the original author probably hasn't found the time to start on it again. The good news is that work is continuing on the Designate dashboard, although it currently only exists as an out-of-tree development on GitHub [4].
The installation instructions that can be found there mention installing the plugin with the setup.py script. That is a level of tinkering that nobody wants to take responsibility for in production environments. However, anyone using Ubuntu has little choice: Canonical only packages those OpenStack items that are officially a part of OpenStack.
Annoyed admins have little choice but to build the package themselves. Nevertheless, the developers should see that the Designate plugin soon becomes part of Horizon to eliminate the need for this kind of tinkering (Figure 3).