Standards/scs-01xx-v1-dns.md: 6 additions & 1 deletion
@@ -44,10 +44,12 @@ The standard should make sure that a specified level of DNS functionality can be
44
44
#### Making Designate mandatory
45
45
46
46
To offer a consistent feature set to customers, the SCS project could consider to make Designate mandatory in a sense that SCS-compliant clouds would need to integrate the service, make it available to customers and properly configure it for publishing DNS records.
47
-
This would offer easy DNS-as-a-Service functionality to customers.
47
+
This would offer easy DNS-as-a-Service (DNSaaS) functionality to customers.
48
48
49
49
However, this would also require solid DNS expertise at CSP-side to properly set up and integrate Designate and DNS zones as Designate does not act as a full DNS server on its own but instead relies on external DNS providers or self-hosted DNS infrastructures that the CSP needs to integrate into it.
50
50
51
+
Furthermore, the CSP will need to be aware of threats like [DNS Zone Squatting](https://docs.openstack.org/designate/2024.1/admin/production-guidelines.html#dns-zone-squatting) and [DNS Cache Poisoning](https://docs.openstack.org/designate/2024.1/admin/production-guidelines.html#dns-cache-poisoning) when offering DNSaaS via Designate and mitigate them, further increasing the burden on the CSP.
52
+
51
53
#### Mandating the use of DNSSEC
52
54
53
55
The DNSSEC extension to DNS ensures authenticity and integrity of the data provided to DNS resolvers.
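Review bot: In the sentence added after the Designate integration paragraph, "and mitigate them" is cut off from "will need to be aware of threats" by the clause "when offering DNSaaS via Designate", so the sentence reads as if offering the service were what mitigates the threats. Suggest "the CSP will need to be aware of and mitigate threats like DNS Zone Squatting and DNS Cache Poisoning when offering DNSaaS via Designate, which further increases the burden on the CSP". A short clause saying what each threat means for a multi-tenant DNSaaS would also let readers weigh this option without following the links.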
@@ -149,6 +151,8 @@ A CSP MAY choose this setting freely but SHOULD NOT change it after the initial
149
151
The following section only applies to SCS clouds which include the DNS-as-a-Service functionality for customers via the [OpenStack DNS v2 API](https://docs.openstack.org/api-ref/dns/dns-api-v2-index.html), e.g., through Designate.
150
152
All guidelines above still apply.
151
153
154
+
When providing a service like Designate, it MUST be ensured that threats like [DNS Zone Squatting](https://docs.openstack.org/designate/2024.1/admin/production-guidelines.html#dns-zone-squatting) and [DNS Cache Poisoning](https://docs.openstack.org/designate/2024.1/admin/production-guidelines.html#dns-cache-poisoning) are considered and mitigated where possible.
155
+
152
156
In the Networking API, the "dns-domain-ports" extension MUST be enabled to offer the full range of DNS record settings for both ports and networks.
153
157
This is implemented by the `dns_domain_ports` Neutron extension driver for the ML2 plugin.
154
158
See the Internal DNS section above for an example on how to enable an extension driver.
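Review bot: The new MUST in the DNS-as-a-Service section is not verifiable as written: "threats like" leaves the set of threats open, and "considered and mitigated where possible" gives neither the CSP nor a conformance test a criterion to check. Suggest naming the two threats as a closed list and stating which measures from the linked production guidelines are required and which are only recommended, or lowering the sentence to SHOULD if no concrete measure is meant to be mandated.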
@@ -158,6 +162,7 @@ In Neutron, this can be done by activating either the `subnet_dns_publish_fixed_
158
162
159
163
## Related Documents
160
164
165
+
-[OpenStack Designate Production Guidelines](https://docs.openstack.org/designate/latest/admin/production-guidelines.html)
161
166
-[OpenStack User Guide for basic usage of DNS-as-a-Service with Neutron and Nova resources](https://docs.openstack.org/designate/latest/user/neutron-integration.html)
162
167
-[OpenStack Configuration and User Guide for various DNS-as-a-Service scenarios in Neutron](https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html)
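Review bot: The added Related Documents entry links to the `latest` Designate documentation, while the two in-text links added elsewhere in this change pin `2024.1` for the same production-guidelines page. Use one form for both; if the pinned version is kept so that the `#dns-zone-squatting` and `#dns-cache-poisoning` anchors stay stable, pin this entry as well.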