You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Standards/scs-01xx-v1-dns.md
+17-12Lines changed: 17 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,7 +12,7 @@ The Domain Name System (DNS) is used to resolve name records to addresses in Int
12
12
DNS has a variety of use cases in OpenStack infrastructures.
13
13
For basic egress traffic, it is used to enable proper connectivity for customer virtual machines to the outside world by offering DNS servers to them.
14
14
For internal connectivity and discoverability between cloud resources, DNS is used to make virtual machines addressable via their name within tenant networks.
15
-
DNS can also be used to publish DNS records for virtual machines that have external connectivity using the integrating the OpenStack Designate service.
15
+
DNS can also be used to publish DNS records for virtual machines that have external connectivity by integrating and using the OpenStack Designate service.
16
16
17
17
### Glossary
18
18
@@ -57,8 +57,8 @@ This is a direct improvement for customers and yields low complexity for the CSP
57
57
58
58
A local DNS recursor can be used to cache and serve DNS responses locally. It servers as a proxy between the clients and external DNS servers.
59
59
This improves performance and speed of DNS resolution in the infrastructure.
60
-
Furthermore, it can be configured to use DNSSEC, DNS over HTTPS and/or DNS over TLS to increase security and privacy of DNS requests it handles for clients.
61
-
Even if individual clients do not support these functionalities, they can still benefit from a local recursor's implementation of those and don't have to trust external DNS servers directly.
60
+
Furthermore, it can be configured to use DNSSECand DNS over TLS to increase security and privacy of DNS requests it handles for clients.
61
+
Regardless of whether clients within the cloud infrastructure individually support those features or not, they all benefit from a local recursor implementing it as their DNS traffic is then properly protected outside of the infrastructure.
62
62
63
63
As such, the implementation of local DNS recursors in the infrastructure can be very beneficial.
64
64
This standard should consider mandating or at least recommending the use of local DNS recursors for SCS clouds to be configured as the default DNS servers for Neutron resources.
@@ -75,17 +75,22 @@ Forwarded DNS refers to the DNS servers communicated to tenant VMs for DNS resol
75
75
76
76
Internal DNS refers to the DNS resolution that OpenStack Neutron implements internally to make VM instances' addresses resolvable via name within the same tenant network.
77
77
78
-
External DNS refers to the integration of external or public DNS via OpenStack Designate and its publishing of DNS records for VMs that are externally reachable (DNS-as-a-Service functionality).
78
+
DNS-as-a-Service refers to the integration of external or public DNS via OpenStack Designate and its publishing of DNS records for VMs that are externally reachable.
79
79
80
80
### Forwarded DNS
81
81
82
-
A CSP MUST disable the `dnsmasq_local_resolv` setting for Neutron DHCP agents.
83
-
Instead, the setting `dnsmasq_dns_server` MUST be set accordingly:
82
+
- In OVS-based setups, the `dnsmasq_local_resolv` setting for Neutron DHCP agents MUST be disabled.
83
+
- One or more local DNS recursors SHOULD be integrated into the infrastructure.
84
+
- In case one or more local DNS recursors are provided, the *DNS server setting* MUST point to the local DNS recursor(s) only.
85
+
- Any local DNS recursor referenced by the *DNS server setting* MUST implement DNSSEC validation and offer DNSSEC itself.
86
+
- If the cloud infrastructure has any provider networks connected to the internet, then the *DNS server setting* entries MUST contain DNS servers (recursors or resolvers) that are able to resolve public DNS records.
87
+
- If no local DNS recursor is integrated and one or more public DNS server(s) are referenced in the *DNS server setting*, all referenced public DNS servers MUST offer DNSSEC as well as validate DNSSEC themselves and discard invalid responses.
88
+
89
+
The *DNS server setting* refers to the following:
90
+
91
+
- In OVS-based setups, the `dnsmasq_dns_servers` setting in the `[DEFAULT]` section of the `dhcp_agent.ini` for all Neutron DHCP agents.
92
+
- In OVN-based setups, the `dns_servers` setting in the `[ovn]` section of `ml2_conf.ini`.
84
93
85
-
- One or more local DNS recursors SHOULD be integrated into the infrastructure and the `dnsmasq_dns_server` setting SHOULD point to the local DNS recursor(s) only.
86
-
- Any local DNS recursor referenced by the `dnsmasq_dns_server` setting MUST implement DNSSEC validation.
87
-
- If the cloud infrastructure has any provider networks connected to the internet, then the `dnsmasq_dns_server` entries MUST contain DNS servers (recursors or resolvers) that can resolve public DNS records.
88
-
- If no local DNS recursor is integrated and one or more public DNS server(s) are referenced in `dnsmasq_dns_server`, public DNS servers that do not offer DNSSEC MUST NOT be included.
The `dns_domain` setting in the global Neutron configuration will act as the default domain name for any ports created by users unless overridden by explicit network or port settings.
108
-
A CSP MAY change this setting freely.
113
+
A CSP MAY choose this setting freely but SHOULD NOT change it after the initial deployment of the cloud.
109
114
110
-
### External DNS
115
+
### DNS-as-a-Service
111
116
112
117
The following section only applies to SCS clouds which include the DNS service Designate and offer its functionality and API to customers.
0 commit comments