[dev][designate][dns] Adding private DNS feature

Michael Johnson johnsomor at gmail.com
Fri Jul 22 17:34:26 UTC 2022

Hi Danny,

Ok, I think I have a bit better understanding of what you are
interested in accomplishing.

I see two different "features" in there, both of which have been
talked about in the designate community.

1. Shared zones - Setup a zone that can be shared across projects.
2. DNS Views/Split horizon - Zones that return different answers based
on ACLs such that an "internal" query may get a private address, but
an "external" query may get a public address answer.

Shared zones have some proposed patches and are close to ready. It
just needs to be updated to account for the new "secure RBAC"
community goal[1] and some review/test work.
At the PTG we agreed that this patch set should be a priority to
finish up, but many of us have had downstream work that has postponed
starting work on this.

DNS Views has a specification and some patches, but based on community
feedback this approach is not going to work (major performance impact
and will not work for many deployment scenarios). The patches have
been abandoned by the developer. I think we need to restart the
specification process on this feature before moving forward with it.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

So, yes, there is community interest. I look forward to seeing what
you are proposing and to see if we can align those needs with the
above two features.


On Wed, Jul 20, 2022 at 3:46 PM Danny Webb <Danny.Webb at thehutgroup.com> wrote:
> We're thinking more of a private view available to individual or shared amongst a defined set of tenants.  Loosely something akin to having amphora that serve up internal DNS that can be shared among one or more tenants with a deep integration into nova/neutron.  Use case would be for example a enterprise that utilises many projects for various teams but wants to offer a single DNS domain across projects that isn't externally facing.  We'll flush out a better use case and proposed architecture in the coming weeks, we're just putting some feelers out to see if this kind of thing was of any interest or use to others.
> ________________________________
> From: Michael Johnson <johnsomor at gmail.com>
> Sent: 20 July 2022 22:59
> To: Sergey Drozdov <sergey.drozdov.dev at gmail.com>
> Cc: openstack-discuss <openstack-discuss at lists.openstack.org>
> Subject: Re: [dev][designate][dns] Adding private DNS feature
> CAUTION: This email originates from outside THG
> Hi Sergey,
> Can you tell me a little bit more about what you want to accomplish?
> Private DNS can mean different things, such as DNS-over-TLS,
> DNS-over-HTTPS, split views, etc.
> Michael
> On Wed, Jul 20, 2022 at 12:51 PM Sergey Drozdov
> <sergey.drozdov.dev at gmail.com> wrote:
> >
> > Dear Sir/Madam,
> >
> > We are running OpenStack at scale and now have a requirement to have private DNS and were wondering if the designate team have any appetite for this? If yes, then further discussion is warranted as we would be happy to get the ball rolling on this.
> >
> > Best Regards,
> > Sergey Drozdov
> > Software Engineer
> > The Hut Group
> Danny Webb
> Principal OpenStack Engineer
> The Hut Group
> Tel:
> Email: Danny.Webb at thehutgroup.com
> For the purposes of this email, the "company" means The Hut Group Limited, a company registered in England and Wales (company number 6539496) whose registered office is at Fifth Floor, Voyager House, Chicago Avenue, Manchester Airport, M90 3DQ and/or any of its respective subsidiaries.
> Confidentiality Notice
> This e-mail is confidential and intended for the use of the named recipient only. If you are not the intended recipient please notify us by telephone immediately on +44(0)1606 811888 or return it to us by e-mail. Please then delete it from your system and note that any use, dissemination, forwarding, printing or copying is strictly prohibited. Any views or opinions are solely those of the author and do not necessarily represent those of the company.
> Encryptions and Viruses
> Please note that this e-mail and any attachments have not been encrypted. They may therefore be liable to be compromised. Please also note that it is your responsibility to scan this e-mail and any attachments for viruses. We do not, to the extent permitted by law, accept any liability (whether in contract, negligence or otherwise) for any virus infection and/or external compromise of security and/or confidentiality in relation to transmissions sent by e-mail.
> Monitoring
> Activity and use of the company's systems is monitored to secure its effective use and operation and for other lawful business purposes. Communications using these systems will also be monitored and may be recorded to secure effective use and operation and for other lawful business purposes.
> hgvyjuv

More information about the openstack-discuss mailing list