<tt><font size=2>"Hayes, Graham" <graham.hayes@hpe.com>
wrote on 05/09/2016 03:00:34 PM:<br><br>> From: "Hayes, Graham" <graham.hayes@hpe.com></font></tt><br><tt><font size=2>> To: "OpenStack Development Mailing List
(not for usage questions)" <br>> <openstack-dev@lists.openstack.org></font></tt><br><tt><font size=2>> Date: 05/09/2016 03:05 PM</font></tt><br><tt><font size=2>> Subject: Re: [openstack-dev] [neutron] [designate]
multi-tenancy in <br>> Neutron's DNS integration</font></tt><br><tt><font size=2>> <br>> On 09/05/2016 19:21, Mike Spreitzer wrote:<br>> > I just read<br>> > </font></tt><a href="http://docs.openstack.org/mitaka/networking-guide/adv-config-dns.html"><tt><font size=2>http://docs.openstack.org/mitaka/networking-guide/adv-config-dns.html</font></tt></a><tt><font size=2> and, unless<br>> > I missed something, it seems to be describing something that
is not<br>> > multi-tenant. I am focused on FQDNs for Neutron Ports.
For those, only<br>> > the "hostname" part (the first label, in official DNS
jargon) is<br>> > controllable by the Neutron user, the rest of the FQDN is fixed
in<br>> > Neutron configuration. Have I got that right? If
so then I am<br>> > surprised. I would have expected something that isolates
tenants<br>> > (projects) from one another. Is there any interest in such
a thing?<br>> ><br>> > Thanks,<br>> > Mike<br>> <br>> ...<br>> <br>> If you have per-project networks the integration can be done on a<br>> project by project basis, with floating IPs assigned the name from<br>> the port and the zone from the private network.<br></font></tt><br><tt><font size=2>Oh, right, the network gets to specify the rest of
the FQDN. In my case I am interested in Neutron Ports on tenant networks.
So with a per-port "hostname" (first label) and per-network
"domain" (rest of the labels), I would get separation between
tenants --- at least in the sense that there is no overlap in FQDNs. Will
this work for private tenant networks?</font></tt><br><br><tt><font size=2>The other part of separation is that I do not want
one tenant to even be able to look up FQDNs that belong to another tenant.
Is this prohibition possible today? If not, is anyone else
interested in it?</font></tt><br><br><tt><font size=2>Thanks,</font></tt><br><tt><font size=2>Mike</font></tt><br><br><BR>