Getting started with OpenStack Designate

The OpenStack Designate project is the DNS-as-a-Service (DNSaaS) component offered by OpenStack. Designate integrates with DNS servers such as BIND9, PowerDNS, Infoblox in order to provide management of DNS information via REST APIs which are secured by Keystone authentication.

Let us walk through the process of enabling and configuring Designate within a Platform9 Managed OpenStack environment.

Prerequisites

  1. You must have administrative access to a Platform9-managed OpenStack (KVM) environment.
  2. You must have access and required privileges to operate a Supported Designate DNS backend.

Configuring OpenStack Designate

You may configure OpenStack Designate within your Managed OpenStack by completing the following steps.

Step 1: Authorize host with DNS role

In order to integrate Designate with your DNS infrastructure, you must first configure an on-premises compute node to run the Designate software (designate-mdns and designate-worker).

  1. Log in to Platform9 as an administrator.
  2. Click Infrastructure.
  3. Select a compute node on which to install Designate. Click Configure Host > DNS > Make this host a Designate node.
  4. Click Update Designate details.

Designate will now be installed on the selected compute node.

Step 2: Configure Designate backends

After authorizing a Designate host in your environment, you must then configure Designate to interface with one or more DNS servers by modifying Designate's Pools configuration file, pools.yaml.

  1. Login to the compute node running Designate.
  2. Create the directory /etc/designate/.
    mkdir /etc/designate
  3. Create and edit /etc/designate/pools.yaml.

A sample pools.yaml configuration which integrates with BIND9 is shown below.

---
- name: default
  # The name is immutable. There will be no option to change the name after
  # creation and the only way will to change it will be to delete it
  # (and all zones associated with it) and recreate it.
  description: Default BIND9 DNS Pool
  # Attributes are key:value pairs that describe the pool. for example the
  # level of service (i.e. service_tier:GOLD), capabilities (i.e. anycast:
  # true) or other metadata. Users may use this information to point their
  # zones to the correct pool
  attributes: {}
  # List the NS records to be used for zones hosted within this pool.
  ns_records:
    - hostname: ns1.example.org.
      priority: 1
    - hostname: ns2.example.org.
      priority: 2
  # List the nameservers for this pool. These are the secondary nameservers.
  # We use these to verify changes have propagated to all nameservers.
  nameservers:
    - host: 192.0.2.2
      port: 53
    - host: 192.0.2.3
      port: 53
  # List the targets for this pool. For BIND there will be one
  # entry for each authoritative server which will be used to push changes
  # to the servers.
  targets:
    - type: bind9
      description: BIND9 Server 1
      # List the designate-mdns servers from which BIND servers should
      # request zone transfers (AXFRs) from.
      # This should be the IP of the Designate controller node.
      # If you have multiple controllers you may add multiple masters
      # by running designate-mdns on them, and adding them here.
      masters:
        - host: 203.0.113.10
          port: 5354
      # BIND Configuration options.
      # This information will be used to remotely configure the authoritative BIND
      # nameserver via RNDC.
      options:
        host: 203.0.113.10
        port: 53
        rndc_host: 203.0.113.10
        rndc_port: 953
        rndc_key_file: /etc/bind/rndc.key
  # Optional list of additional IP/Port's for which designate-mdns will send
  # DNS NOTIFY packets to
  #also_notifies:
  #  - host: 203.0.113.55
  #    port: 53

After saving this file, update Designate's pool configuration with these changes using the designate-manage utility.

designate-manage pool update

Verifying Designate integration

Once you have configured Designate, verify that it has been properly configured and you are able to successfully provision DNS zones and DNS records.

Step 1: Create DNS zone

In order to test proper integration of Designate with the authoritative name server, let us create an example DNS zone called corp.example.org.

$ openstack zone create --email admin@example.org corp.example.org.
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| action         | CREATE                               |
| attributes     |                                      |
| created_at     | 2017-11-14T05:53:44.000000           |
| description    | None                                 |
| email          | admin@example.org                    |
| id             | 243c9415-c0a9-4271-865d-008cd47ce02c |
| masters        |                                      |
| name           | corp.example.org.                    |
| pool_id        | 794ccc2c-d751-44fe-b57f-8894c9f5c842 |
| project_id     | 5b9f80bc8c0c4944a6243d37ab18f1d6     |
| serial         | 1510638823                           |
| status         | PENDING                              |
| transferred_at | None                                 |
| ttl            | 3600                                 |
| type           | PRIMARY                              |
| updated_at     | None                                 |
| version        | 1                                    |
+----------------+--------------------------------------+

If Designate is properly configured, the zone status should transition to 'ACTIVE' state.

$ openstack zone show corp.example.org. -c name -c status
+--------+-------------------+
| Field  | Value             |
+--------+-------------------+
| name   | corp.example.org. |
| status | ACTIVE            |
+--------+-------------------+

Step 2: Create DNS record

Let us create a DNS 'A' record for www.corp.example.org that points to 198.51.100.10.

$ openstack recordset create corp.example.org. www --type A --records '198.51.100.10'
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| action      | CREATE                               |
| created_at  | 2017-11-14T05:58:16.000000           |
| description | None                                 |
| id          | 56bfe172-a220-4527-bfbc-5a1a8d7c701d |
| name        | www.corp.example.org.                |
| project_id  | 5b9f80bc8c0c4944a6243d37ab18f1d6     |
| records     | 198.51.100.10                        |
| status      | PENDING                              |
| ttl         | None                                 |
| type        | A                                    |
| updated_at  | None                                 |
| version     | 1                                    |
| zone_id     | 243c9415-c0a9-4271-865d-008cd47ce02c |
| zone_name   | corp.example.org.                    |
+-------------+--------------------------------------+

Step 3: Verify record existence

Finally, let us verify our DNS record was successfully created.

$ dig www.corp.example.org +short
198.51.100.10

The process of configuring OpenStack Designate for your Platform9 Managed OpenStack Cloud is now complete.

For more information on using and configuring Designate, refer to the OpenStack Designate official documentation.


November 20, 2017