Friday, 2024-01-19

« Thursday, 2024-01-18 Index Saturday, 2024-01-20 »
elvsp1nHi Gents00:14
elvsp1nI am looking at the documentation for reverse dns using designate00:17
elvsp1nhttps://docs.openstack.org/designate/latest/user/manage-ptr-records.html00:17
eanderssonIf you want to integrate it with Neutron you can look at this guide too https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html#config-dns-int-ext-serv00:20
eanderssonhttps://docs.openstack.org/neutron/latest/admin/config-dns-int.html00:20
elvsp1nI have it integrated with neuntron already00:21
elvsp1nhere is the problem00:21
elvsp1nit seems like designate was not created to work with subnet smaller than /24, meaning that if I get a public subnet delegated of /25 using 98.91.186.0/25, designate won't allow me to create a zone with / on its name00:21
elvsp1nfor example, trying to create this zone: 0/25.186.91.98.in-addr.arpa. it says that the name is invalid00:22
johnsomThat is a setting in the neutron extension00:24
elvsp1nafter att delegated my static block of ip to my dns, doing a reverse dns it returns 93.186.91.98.in-addr.arpa. 86400 INCNAME93.0/25.186.91.98.in-addr.arpa.00:25
elvsp1njohnsom, I saw that as well but here is what the description says:00:25
elvsp1nipv4-ptr-zone-prefix-size:      default: 24     description: |       The size in bits of the prefix for the IPv4 reverse lookup (PTR) zones.       Valid size has to be multiple of 8, with maximum value of 24 and minimum       value of 8.       .       NOTE: Use only when "reverse-dns-lookup" option is set to "True".     source: default     type: int     value: 2400:27
elvsp1njuju config neutron-api00:27
elvsp1ndefault: 2400:27
elvsp1ndescription: |00:28
elvsp1nThe size in bits of the prefix for the IPv4 reverse lookup (PTR) zones.       Valid size has to be multiple of 8, with maximum value of 24 and minimum       value of 8.       .       NOTE: Use only when "reverse-dns-lookup" option is set to "True".00:28
elvsp1nValid size has to be multiple of 8, with a maximum value of 24......00:28
elvsp1nneutron-api won't allow me to use 2500:28
elvsp1ndesignate allow me to create a zone with - on it, for example: 0-127.186.91.98.in-addr.arpa.00:32
elvsp1nbut when att return the CNAME 93.0/25.186.91.98.in-addr.arpa. , designate do not respond to the query00:32
elvsp1nI have designate integrated with designate-bind00:33
elvsp1nI was able to deploy another server with bind9 only and was able to create a zone with the name 0/25.186.91.98.in-addr.arpa. which return the ptr record defined00:34
elvsp1nwhich mean that bind9 support it without problems, my question is, why designate doesn't? or if there is a way to make it accept it, how I might be able to do it?00:35
johnsomSmaller values in neutron means it makes more granular zones in designate00:45
elvsp1njohnsom, are you sure about it? My understanding is that the configuration for neutron-api ipv4-ptr-zone-prefix-size is related to the Netmask Length (also called a prefix) which mean that 24 = 0-255 (or 256 ips), 16 = 65,536 ips and 8 = 16,777,216 ips......00:53
elvsp1nI currently have assigned a block of 128 ips (/25), can you share an example of what you mean by your statement: "Smaller values in neutron means it makes more granular zones in designate" ?00:55
johnsomI am not 100% sure as I have not used that extension much. But it should be able to handle small subnets. We do in designate00:57
elvsp1nI undestand, do you have a public ip with a subnet smaller than 256 ip (/24) that I can query to see if the reverse dns is actually working having the subnet delegated from an ISP by returning a CNAME with the information about the subnet delegation?01:05
elvsp1nbtw johnsom, I am currently able to define my external subnet (/25) in neutron, I am able to get a floating ip and it works as expected and also, designate creates the ptr record for reverse dns without problems. The issue comes when the subnet is delegated from the ISP, as they are only able to allocate /25 subnets, having them delegate my /25 subnet to my dns (designate-bind), in order to make it work with all public dns, I need to create a zone as01:06
elvsp1n0/25.186.91.98.in-addr.arpa.01:06
elvsp1nhere is an example that you can take a look at01:07
elvsp1nin your computer (terminal), having it connected to the internet, run the following:01:07
elvsp1ndig mail.development.us-east.os.neosllc.org01:09
elvsp1nnotice that it respond with the public ip allocated through openstack (neutron/designate)01:09
elvsp1nnow try testing the reverse dns for that ip01:10
elvsp1nby running the following command:01:10
elvsp1ndig -x 99.92.187.9301:10
elvsp1nnotice that it return the proper record01:11
elvsp1n;; ANSWER SECTION:01:11
elvsp1n93.187.92.99.in-addr.arpa. 86400 INCNAME93.0/25.187.92.99.in-addr.arpa.01:11
elvsp1n93.0/25.187.92.99.in-addr.arpa.3600 INPTRmail.development.us-east.os.neosllc.org.01:11
elvsp1nthats working as expected because I am currently using a server with just bind9 properly configured with the zone that att is returning when performing the query01:12
elvsp1nnow if you do the same test using my designate server01:15
elvsp1ndig -x 99.92.187.93 @designate.neosllc.org01:15
elvsp1nit answer as well with the following:01:15
elvsp1n93.187.92.99.in-addr.arpa. 3600INPTRmail.development.us-east.os.neosllc.org.01:16
elvsp1nnotice that it does not include the subnet information or 93.0/25.187.92.99.in-addr.arpa.01:16
elvsp1nso when I use it through the public dns, it does not reply with the PTR record as the zone created by neutron/designate is 187.92.99.in-addr.arpa. instead of 0/25.187.92.99.in-addr.arpa.01:17
elvsp1nlooking at the source code for designate, I see that there is a zone validation done before it gets created here https://opendev.org/openstack/designate/src/commit/002005a440e87198e05719d17c3d39a980a552e3/designate/api/v2/controllers/zones/__init__.py#L9601:20
elvsp1nI will dig through the code to have a better understanding of why it does not allow the use of / in zone names and/or why creating zones with - (ie 0-127.187.92.99.in-addr.arpa. ) does not respond to queries like 0/25.187.92.99.in-addr.arpa.01:21
johnsomI can help you tomorrow, I am on mobile tonight01:36
johnsomMy talk from the last summit might help you as well01:38
elvsp1nsounds good01:54
elvsp1nthis is the error that I am hitting: https://opendev.org/openstack/designate/src/commit/002005a440e87198e05719d17c3d39a980a552e3/designate/objects/adapters/base.py#L20202:07
elvsp1nopenstack zone create --email sample@email.com 0/25.187.92.99.in-addr.arpa.02:08
elvsp1nProvided object is not valid. Got a ValueError error with message Domain 0/25.187.92.99.in-addr.arpa. is invalid02:08
elvsp1nI can see that the field definition limit it to 255 here https://opendev.org/openstack/designate/src/commit/002005a440e87198e05719d17c3d39a980a552e3/designate/objects/zone.py#L3202:19
johnsomThat is the RFC requirement02:20
johnsomIt is required by the standards documents02:21
elvsp1nunderstand02:21
elvsp1nBut allowing us to create zone names with / is also part of the rfc standard as seen in the examples shared on rfc2317: https://tools.ietf.org/html/rfc231702:26
elvsp1nand I suspect that is also the reason why bind9 allow us to create zones with / as well02:26
elvsp1nfor some reason, in designate code, the zone.validate does not seems to be causing the exception that I am hitting as I don't see it checking for that here: https://opendev.org/openstack/designate/src/commit/002005a440e87198e05719d17c3d39a980a552e3/designate/objects/zone.py#L9502:28
johnsomActually, it is not recommended if you follow all of the RFCs in this space.02:34
johnsomelvsp1n https://youtu.be/zdhvNezU1w4?feature=shared&t=36402:34
johnsomI presented on this at the last summit02:34
elvsp1nlet me check it out02:35
johnsomTo quote the RFC you linked:02:35
johnsomhttps://www.irccloud.com/pastebin/WSOsPxxb/02:36
elvsp1ncorrect02:36
elvsp1nbut big ISP like att just know how to do things their way or no way02:36
elvsp1nI kindly asked them to delegate it as 0-127.187.92.99.in-addr.arpa. citing that precisely paragraph but they responded:02:37
elvsp1nHello   We configure our Delegations following RFC2317 I have provided the link for your reference as well as attached a PDF.  https://tools.ietf.org/html/rfc2317   Thanks Michael AT&T Prov-DNS Team02:37
elvsp1nHello   Unfortunately no,  this is the standard AT&T uses and not able to modify.   Thanks Michael AT&T Prov-DNS Team02:38
elvsp1nlet me check your video02:38
elvsp1nthats precisely what I am dealing with, but instead of being able to have a /24 subnet delegated to my dns, all what they can do is assign a /25 then configure a CNAME that limit my delegation to the subnet that I have assigned02:42
elvsp1nin your slide: What is the IPv4 IN-ADDR.ARPA challenge? You have: IN-ADDR.ARPA zones are delegated on octet boundaries, so the smallest reverse lookup zone you could delegate would be using 24-bit prefixes, or 254 host addresses... In my case, att is only able to delegate /25 or 128 ipv4 addresses to my account02:43
elvsp1nI am assuming that att is facing that challenge which is why they delegated it setting a CNAME in their DNS which reply with 0/25.187.92.99.in-addr.arpa. instead of just my ip as it would normally or 93.187.92.99.in-addr.arpa. which is how designate is currently working02:46
elvsp1nMr. Johnsom, even if its not recommended, the RFCs do not forbid it, which again, is why I am assuming, bind9 allow us to create zones with / instead of only limit us to use -.02:49
elvsp1nif the rfc2317 show examples with /. why forbid it on designate?02:51
elvsp1nwhat you are covering in your video is precisely the problem that I am facing but the solution proposed (using - instead of /) is why I started my inquiries about it (again, forced by att as they will not delegate it using -)02:54
elvsp1nIn your future development opportunity, you showed this: Neutron could be enhanced to create classless IN-ADDR.ARPA. zones when projects are allocated subnets from a routable subnet pool. The command that you showed is this:02:55
elvsp1nopenstackn subnet pool create --share --pool-prefix 203.0.113.0/24 --default-prefix-length 26 demo-subnetpool4 02:56
elvsp1nthen in the next bullet you wrote: A Neutron DNS extension could be created that creates shared PTR zones for floating IPs. This would allow the project to have direct management of their PTR records.02:57
elvsp1nit sounds like that extention is something that could be created in the future02:57
elvsp1nopenstack subnet pool create a bunch of subnets inside a bigger subnet 03:00
elvsp1nbut in my case, I have my /25 subnet defined, creating a pool of subnet with that particular command would require me to create subnets smaller than /25 (or /26, /27, /28, /29, /30), smaller than 30 would not allow customers to have an ip available for their vms as you need 1 for a router and the broadcast03:04
elvsp1nstill, that won't solve the problem of having my main subnet /25 returning a CNAME with 93.0/25.187.92.99.in-addr.arpa. if designate is not able to create a 0/25.187.92.99.in-addr.arpa.03:05
elvsp1nI might as well just get a /24 or bigger block from arin to get over att bs03:19
eanderssonCan you provide us with the exact cli commands and steps you use and I can look and see if it is designate preventing this or not.10:28
frickleriirc we said that we don't support "/" in a zone name since people can switch to "-" instead. but if $bigcorp refuses to do that in their zone delegation, it might be sensible to weaken that limitation10:55
fricklerthat still won't solve the issue of teaching neutron about it, though, but that's a neutron issue, not designate10:56
eanderssonWe would probably need to change the regex to something like this I assume for that to work12:32
eandersson> RE_ZONENAME = re.compile(r'^(?!.{255,})(?:(?!\-)[A-Za-z0-9_\-\/]{1,63}(?<!\-)\.)+\Z')  # noqa12:32
elvsp1nhi eandersson, try with this command:13:43
elvsp1nopenstack zone create --email sample@email.com 0/25.187.92.99.in-addr.arpa.13:43
elvsp1nfrickler I tried to manually create the zone directly in designate (service_domain, services project) as thats where by default, it create the PTR records13:45
elvsp1nideally, working with neutron to make sure that it knows how to handle subnets with sufix greater than 25 would be ideal as that will allow us to automatically assign floating ip and reverse dns (PTR records)13:46
elvsp1nbut I tried manually in designate and my inquiry started basically because bind9 allow it but designate don't13:47
elvsp1nhere is the error that I am getting: https://opendev.org/openstack/designate/src/commit/6067d6d1996edfc061d9fe9d5cc3e3a4e878b2a6/designate/objects/fields.py#L18413:55
fricklerelvsp1n: yes, this is intentional and has been discussed before, see https://bugs.launchpad.net/designate/+bug/188058313:57
elvsp1nthanks frickler for pointing that out, I just updated the ticket with my suggestion.14:16
elvsp1nAt the end of the day, designate should allow us to manage our DNS  servers through its api, if DNS servers allow us to create zones with / on its name, I think that designate should also allow us to define zones with / on its name.14:17
elvsp1nbut thats just the suggestion of a simple mortal :)14:18
fricklerelvsp1n: I'm not completely opposed to that, but designate supports multiple backends and it would also make sense to ensure that data in designate are compatible with all of them14:43
elvsp1nfrickler is there a designate backend (dns server) that don't support / on its zone name? ie. Dynect, Bind9, Infoblox, Nsd4, Fake, PowerDNS 414:48
elvsp1nLooking at Dynect's documentation in this page: https://help.dyn.com/finding-your-reverse-dns-zone-name/14:52
elvsp1nit seems like they are instructing users to replace the / for a - as follows:14:52
elvsp1nClassless Address Block Example:14:52
elvsp1n1. Take your network IP address.192.168.15.224/2714:52
elvsp1n2. Remove the netmask portion of the address, that’s the number after the slash (/) in the prior example.192.168.15.22414:52
elvsp1n3. Reverse the order of the remaining octets.224.15.168.19214:53
elvsp1n4. Add ‘in-addr.arpa’ to the end.224.15.168.192.in-addr.arpa14:53
elvsp1n5. Add the netmask back into the address.224-27.15.168.192.in-addr.arpa*14:53
elvsp1nThey are basically instructing users to create the zone with hyphen instead of /, the problem is that creating the zone in designate with hyphen does not respond to queries with /14:54
elvsp1nthats why, in my suggestion on the desginate bug/1880583 I also suggested that designate (or designate-bind) reply to queries with / using the zone defined with -14:55
frickleryes, that's different zones, so it certainly does not solve your use case. I also don't know most of these backends, I was just mentioning this as a possible counter argument14:55
elvsp1nlet me give you an example14:55
fricklerwell you certainly cannot respond to a different zone than the one that is configured14:56
elvsp1nthats correct15:00
elvsp1naccording to Dynect, I should create 0-25.187.92.99.in-addr.arpa.15:00
elvsp1nopenstack zone create --email support@neosmail.com 0-25.187.92.99.in-addr.arpa.15:01
elvsp1ntesting it, it seems to respond properly15:02
elvsp1ndig NS 0-25.187.92.99.in-addr.arpa. @designate.neosllc.org15:02
elvsp1n;; ANSWER SECTION:15:02
elvsp1n0-25.187.92.99.in-addr.arpa. 3600 INNSdesignate.neosllc.org.15:02
elvsp1nbut trying to get the information using the way att created the delegation15:03
elvsp1ndig NS 0/25.187.92.99.in-addr.arpa. @designate.neosllc.org15:03
elvsp1nit does not respond with the same record...15:03
elvsp1nnow reading this documenation from Dynect brings another question for me, apparently the designate documentation say that we can share specific number of ip in a zone with another project by defining (in the example that they described, they are allowing a project to manage 3 ip in a zone)15:08
elvsp1nhttps://docs.openstack.org/designate/latest/user/manage-ptr-records.html15:08
elvsp1nin the documentation, the zone is created with: openstack zone create --email me@example.com 2.0.192.in-addr.arpa.15:08
elvsp1nthen the delegated zone is created as follows: openstack zone create --email me@example.com 1-3.2.0.192.in-addr.arpa.15:08
elvsp1nthen the zone is shared with another project with the following: openstack zone share create 1-3.2.0.192.in-addr.arpa. 9284a20339184a9bb299386c380211c715:09
elvsp1nthen, they go ahead and start creating a CNAME for each of the ip delegated as follows: openstack recordset create --record 1.1-3.2.0.192.in-addr.arpa. --type CNAME 2.0.192.in-addr.arpa. 1.2.0.192.in-addr.arpa.15:10
elvsp1nnow the question is, if the hyphen replace the /, aren't we supposed to specify a subnet sufix after the hypen as described in Dynect's documentation? In designate's documentation this 1.1-3.2.0.192.in-addr.arpa. seems to be like specifying a range of ip (from 1 to 3) instead of specifying a subnet 1/315:11
elvsp1nI tested creating a zone assuming that the hyphen specify a range of ip that describe a subnet or: 0-127.187.92.99.in-addr.arpa.15:13
elvsp1nAnd I also tested creating a zone assuming that the hyphen was a direct replacement of the / or: 0-25.187.92.99.in-addr.arpa.15:13
elvsp1nstill, designate-bind does not respond to queries with / or: dig NS 0/25.187.92.99.in-addr.arpa. @designate.neosllc.org15:14
frickleryes, unless you get your provider to change the delegation, all of this is useless in your scenario15:21
elvsp1nthats correct...15:22
elvsp1natt is chargin about 40bucks/month for a /25 subnet, I will try to request a /24 subnet with arin for 250/yr to avoid dealign with this ISP16:09
johnsomJust to add some context, Azure also does not allow the invalid '/' 17:32
johnsom"When you're creating classless reverse DNS lookup zones in Azure DNS, you must use a hyphen (-) instead of a forward slash (/) in the zone name."17:32
« Thursday, 2024-01-18 Index Saturday, 2024-01-20 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!