| Approver(s) | @stgraber @tomp @sdeziel |
Implement a DNS server built into LXD which will offer AXFR (zone transfer) of auto-generated DNS zones including forward and reverse records for all instances running in LXD.
When operating a LXD cluster that runs multiple projects and a variety of instances across a large set of networks, having valid forward and reverse records for all your instances can be quite important. It’s something that public clouds always provided (albeit with limited customization) and that can be quite important not only for ease of access to the instance but also to avoid hosted services getting flagged as potential spam due to lacking reverse DNS records.
The intent here is for every address that LXD itself manages, and which isn’t hidden behind an internal NAT, to have valid forward and reverse DNS records.
LXD will then serve those zones for zone transfer to the operator’s production DNS servers.
A new config key `core.dns_address` will be introduced to instruct LXD to listen for DNS traffic. This will enable a built-in authoritative DNS server in the LXD daemon which will listen on both UDP and TCP ports.
This DNS server will be authoritative only and will be intended to mostly serve zone transfer requests to an external DNS infrastructure.
LXD will track DNS zones on a per-project basis (as part of the network feature), but DNS zone names will have to be globally unique.
Networks can then be tied to DNS zones for both forward and reverse records. Doing so will populate the selected zones with records for each instance. This will only happen for instance addresses which aren’t behind NAT. It will also be restricted to addresses which are known by LXD directly through its database records (the instances can’t be trusted to provide this information).
Automatic records are expected for:
- Gateway for IPv4 or IPv6 subnets on a LXD-managed network when they’re not using NAT
- Forward and reverse records for IPv4 and IPv6 addresses of instances when not from a NAT-ed subnet and when the address can be determined from a static record (`ipv4.address`/`ipv6.address`) or derived from the MAC address of the instance (EUI-64)
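As an added example (not code from the LXD project), the following Go sketch shows how the automatic records listed above can be derived purely from what LXD's database knows about an instance: an A/PTR pair from a static `ipv4.address`, and an AAAA/PTR pair from the EUI-64 address formed from the NIC MAC inside the network's IPv6 /64, with NAT-ed networks producing nothing. The `Instance` and `Record` types are constructed for this example and are not LXD's own.

```go
package main

import (
	"fmt"
	"net"
)

// Instance holds what LXD's own database records for one NIC (constructed, not LXD's types).
type Instance struct {
	Name    string           // instance name, becomes the host label in the zone
	MAC     net.HardwareAddr // NIC hwaddr, source of the EUI-64 derived address
	IPv4    net.IP           // static ipv4.address, nil if unset
	IPv6Net *net.IPNet       // the network's IPv6 /64 subnet, nil if none
	NAT     bool             // true when the network NATs the instance's addresses
}
type Record struct{ Name, Type, Value string } // one DNS resource record
// eui64 derives the modified-EUI-64 address of mac inside the /64 prefix.
func eui64(prefix *net.IPNet, mac net.HardwareAddr) net.IP {
	ip := append(net.IP(nil), prefix.IP.To16()...) // copy the 16-byte prefix
	ip[8], ip[9], ip[10], ip[11], ip[12] = mac[0]^0x02, mac[1], mac[2], 0xff, 0xfe // flip U/L bit
	ip[13], ip[14], ip[15] = mac[3], mac[4], mac[5]
	return ip
}

// reverseName returns the PTR owner name for ip under in-addr.arpa or ip6.arpa.
func reverseName(ip net.IP) string {
	if v4 := ip.To4(); v4 != nil {
		return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa", v4[3], v4[2], v4[1], v4[0])
	}
	name := "ip6.arpa"
	for _, b := range ip.To16() { // prepend each byte's nibbles, low nibble first
		name = fmt.Sprintf("%x.%x.%s", b&0xf, b>>4, name)
	}
	return name
}

// Records builds the forward and reverse records for inst in zone; NAT-ed networks get none.
func Records(zone string, inst Instance) []Record {
	if inst.NAT {
		return nil
	}
	fqdn, out := inst.Name+"."+zone, []Record{}
	if inst.IPv4 != nil {
		out = append(out, Record{fqdn, "A", inst.IPv4.String()}, Record{reverseName(inst.IPv4), "PTR", fqdn})
	}
	if inst.IPv6Net != nil && len(inst.MAC) == 6 {
		ip := eui64(inst.IPv6Net, inst.MAC)
		out = append(out, Record{fqdn, "AAAA", ip.String()}, Record{reverseName(ip), "PTR", fqdn})
	}
	return out
}
```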
- `core.dns_address` in local server configuration
- `dns.zone` in network configuration
- `lxc network zone list`
- `lxc network zone create`
- `lxc network zone delete`
- `lxc network zone show`
- `lxc network zone record list`
- `lxc network zone record create`
- `lxc network zone record delete`
- `network_zones` table to track the zones
- `network_zones_config` table to track additional configuration
This is an optional additional feature; no behavior changes will occur on upgrade.
- Security on AXFR
- Zone defaults (SOA, TTL, SERIAL)