designate bind

  • By afreiberger
  • Latest version (#0)
  • trusty, xenial, bionic, cosmic
  • Stable

Description

The Berkeley Internet Name Domain (BIND) implements an Internet domain
name server. BIND is the most widely-used name server software on the
Internet, and is supported by the Internet Software Consortium, www.isc.org.

This charm provides BIND9 as a backend for integration with OpenStack
Designate, providing DNSaaS in an OpenStack cloud.


Overview

This charm provides a BIND server to store the DNS records generated by Designate.

Usage

designate-bind relies on the designate charm.

juju deploy designate-bind
juju deploy designate
juju add-relation designate designate-bind

Recursion and forwarders

By default, this charm only resolves names in zones managed by
Designate. You can optionally enable recursion or forwarders to resolve
names outside of Designate, such as google.com or archive.ubuntu.com.

Recursion and forwarders should be enabled with extra care. You should
also restrict access with ACLs via allowed_nets and/or allowed_recursion_nets.
Otherwise the DNS server is reachable by anyone and can be abused as an
open resolver.

For example, to allow DNS clients in local networks only and use
8.8.8.8 and 8.8.4.4 as upstream DNS servers, you can set the charm
options like this:

juju config designate-bind allowed_nets='10.0.0.0/8;172.16.0.0/12;192.168.0.0/16'
juju config designate-bind forwarders='8.8.8.8;8.8.4.4'

Or, if you want the BIND9 server set up by the charm to act as a full-service resolver, set the options as in the following example:

juju config designate-bind allowed_nets='10.0.0.0/8;172.16.0.0/12;192.168.0.0/16'
juju config designate-bind recursion=true

Network Space support

This charm supports the use of Juju Network Spaces, allowing the charm
to be bound to network space configurations managed directly by Juju.
This is only supported with Juju 2.0 and above.

A network space to be used for communication with Designate can be
specified with the "dns-backend" binding.

An extra binding, "dns-frontend", can be specified to bind the DNS
server to an additional network space for clients outside of the Juju
model.

To use this feature, use the --bind option when deploying the charm:

juju deploy designate-bind --bind "default-space dns-frontend=public-space dns-backend=internal-space"

Alternatively, these can also be provided as part of a Juju native
bundle configuration:

designate-bind:
  charm: cs:designate-bind
  num_units: 1
  bindings:
    '': default-space
    dns-frontend: public-space
    dns-backend: internal-space

NOTE: Spaces must be configured in the underlying provider prior to
attempting to use them.

Bugs

Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.

Configuration

verbose
(boolean) Enable verbose logging
use-internal-endpoints
(boolean) OpenStack mostly defaults to using public endpoints for internal communication between services. If set to True, this option will configure services to use internal endpoints where possible.
recursion
(boolean) Whether or not to enable recursive queries in the BIND9 server installed by the charm. The option is equivalent to "recursion" in BIND9. When using this option, ACLs should be used with allowed_nets and/or allowed_recursion_nets to prevent it from becoming an open resolver.
allowed_recursion_nets
(string) String containing a list of allowed networks of hosts for recursive queries through the designate-bind servers, separated by semicolons: e.g., "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16". The option is equivalent to "allow-recursion" in BIND9. If allowed_recursion_nets is not set, then allowed_nets is used if set; otherwise "any" will be set, allowing recursive queries from all hosts.
allowed_nets
(string) String containing a list of allowed networks of hosts for DNS queries, separated by semicolons: e.g., "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16". The option is equivalent to "allow-query" in BIND9. If not specified, the default is to allow queries from all hosts.
disable-dnssec-validation
(boolean) Whether or not to disable DNSSEC validation. This may be helpful in a situation that upstream DNS servers do not support DNSSEC, and BIND9 reports "Unable to fetch DNSKEY". For production deployments, it's encouraged to keep DNSSEC enabled.
forwarders
(string) String containing a list of forwarders, separated by semicolons: e.g., "8.8.8.8;8.8.4.4". As a non-empty forwarders option implies recursion, recursive queries will be enabled regardless of the value set in the recursion option. When using this option, ACLs should be used with allowed_nets and/or allowed_recursion_nets to prevent it from becoming an open resolver.
debug
(boolean) Enable debug logging
use-syslog
(boolean) Setting this to True will allow supporting services to log to syslog.
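The precedence rules spelled out in the option descriptions above (forwarders implies recursion; allow-recursion falls back to allowed_nets and then to "any"; allow-query defaults to "any") are easy to get wrong when checking a deployment. The following is an added example, not the charm's own code: it models those rules, flags the open-resolver case from the "Recursion and forwarders" section, and renders the resulting settings as a named.conf options block. The rendered layout is an assumed shape, not the charm's actual template.

```python
"""Model the effective BIND9 access settings produced by the documented
designate-bind charm options.  Added example, not the charm's code; the
named.conf rendering is an assumed layout, not the charm's template."""


def parse_nets(value):
    """Split a semicolon-separated option value such as
    '10.0.0.0/8;172.16.0.0/12' into a list, dropping empty items."""
    if not value:
        return []
    return [item.strip() for item in value.split(";") if item.strip()]


def effective_settings(allowed_nets="", allowed_recursion_nets="",
                       recursion=False, forwarders=""):
    """Apply the precedence rules from the option descriptions:
    - a non-empty forwarders list implies recursion;
    - allow-query defaults to 'any' when allowed_nets is unset;
    - allow-recursion falls back to allowed_nets, then to 'any'."""
    fwd = parse_nets(forwarders)
    query_nets = parse_nets(allowed_nets) or ["any"]
    rec_nets = (parse_nets(allowed_recursion_nets)
                or parse_nets(allowed_nets)
                or ["any"])
    rec_enabled = bool(recursion) or bool(fwd)
    return {
        "recursion": rec_enabled,
        "forwarders": fwd,
        "allow-query": query_nets,
        "allow-recursion": rec_nets,
        # Open resolver: recursion is enabled and every host may use it.
        "open_resolver": rec_enabled and rec_nets == ["any"],
    }


def render_options(settings):
    """Render the settings as a named.conf 'options' block (assumed layout)."""
    lines = ["options {"]
    lines.append("    recursion %s;" % ("yes" if settings["recursion"] else "no"))
    if settings["forwarders"]:
        lines.append("    forwarders { %s; };" % "; ".join(settings["forwarders"]))
    lines.append("    allow-query { %s; };" % "; ".join(settings["allow-query"]))
    if settings["recursion"]:
        lines.append("    allow-recursion { %s; };"
                     % "; ".join(settings["allow-recursion"]))
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inputs: the weak case sets forwarders with no ACL at all,
    # the hardened case is the example from "Recursion and forwarders".
    weak = effective_settings(forwarders="8.8.8.8;8.8.4.4")
    hardened = effective_settings(
        allowed_nets="10.0.0.0/8;172.16.0.0/12;192.168.0.0/16",
        forwarders="8.8.8.8;8.8.4.4")
    for name, s in (("weak", weak), ("hardened", hardened)):
        print("# %s configuration (open resolver: %s)" % (name, s["open_resolver"]))
        print(render_options(s))
```

Running the script prints the two option blocks; the "weak" one shows recursion enabled with allow-recursion { any; }, which is exactly the open-resolver condition the charm documentation warns about, while the "hardened" one restricts both queries and recursion to the three private ranges.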