This repository has been archived by the owner on Aug 30, 2024. It is now read-only.
dns 3.4 spec
chris grzegorczyk edited this page Oct 29, 2013 · 19 revisions
NOTE: throughout this document the following naming assumptions are used:
- DNSDOMAIN.COM is the public subdomain which is delegated to Eucalyptus
- ${system.dns.dnsdomain} refers to the system property of the same name
- ${cloud.vmstate.} refers to the system property of the same name
- INSTANCESUBDOMAIN is the subdomain used for instance DNS
- 10.111.1.2 is the example Eucalyptus CLC host
- For evaluation, dig is primarily used because it adds no resolver behaviour of its own; it only implements the DNS protocol
- The following can be assumed as the dig command used throughout
- 10.111.1.2 is the DNS server; when omitted, dig will resort to resolv.conf and use only the first server
- A is the query type
- DNSDOMAIN.COM is our query domain
- The rest of the command cleans output
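# check TYPE NAME: query the CLC and keep only the flags line, the question and the returned records
function check() {
  dig @10.111.1.2 "$1" "$2" +retries=0 +timeout=1 | awk '/^$/{getline} $2 == "flags:" {print} /^;[^ ;].*A$/ {print} /^[^;][^ ;]/'
}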
- The output includes:
- The flags set on the response
- The question sent
- The answers received (all sections: answer, additional, and authority)
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;eucalyptus.DNSDOMAIN.COM. IN A
eucalyptus.DNSDOMAIN.COM. 60 IN A 10.111.1.2
- Ping has behaviours which are important to verify:
- Sends multiple variants of the initial A lookup query (domain searching)
- Sends PTR requests in order to print the pretty header line
- Host best reflects the default behaviour of gethostbyname()
- Set all the experimental DNS resolvers to be enabled='true'
clc 17599 > euca-describe-properties experimental.dns
PROPERTY experimental.dns.enabled true
PROPERTY experimental.dns.instancedata.enabled true
PROPERTY experimental.dns.ns.enabled true
PROPERTY experimental.dns.recursive.enabled true
PROPERTY experimental.dns.services.enabled true
PROPERTY experimental.dns.split_horizon.enabled true
- Set the nameserveraddress given out to instances to be the same as the CLC
- THIS IS NOT RIGHT! The 'nameserveraddress' needs to be dynamic for HA!
euca-modify-property -p system.dns.nameserveraddress=10.111.1.2
PROPERTY system.dns.nameserveraddress 10.111.1.2 was 127.0.0.1
- Set the public facing domain name -- the cloud internal domain is always 'internal'
clc 17595 > euca-modify-property -p system.dns.dnsdomain=DNSDOMAIN.COM
PROPERTY system.dns.dnsdomain DNSDOMAIN.COM was localhost
- Set the sub-domain name used for instances
clc 17597 > euca-modify-property -p cloud.vmstate.instance_subdomain=.INSTANCESUBDOMAIN
PROPERTY cloud.vmstate.instance_subdomain .INSTANCESUBDOMAIN was .eucalyptus
clc 17610 > euca-modify-property -p bootstrap.webservices.use_dns_delegation=true
PROPERTY bootstrap.webservices.use_dns_delegation true was false
clc 17610 > euca-modify-property -p bootstrap.webservices.use_instance_dns=true
PROPERTY bootstrap.webservices.use_instance_dns true was false
| Resolver | Responds To | Description |
|---|---|---|
| Service/Component Resolver | ${component.name()}.${system.dns.dnsdomain} | Resolves the address of the currently ENABLED service indicated by the first label in the request. |
| Recursive Resolver | not *.${system.dns.dnsdomain} | Handles resolution of addresses which are not in domains managed by Eucalyptus. |
| Split Horizon Resolver | euca-(.+{3})-(.+{3})-(.+{3})-(.+{3}).${cloud.vmstate.instance_subdomain}.${system.dns.dnsdomain}; euca-(.+{3})-(.+{3})-(.+{3})-(.+{3}).${cloud.vmstate.instance_subdomain}.internal | Resolves instance addresses based on the requestor's source address; internal source addresses always get internal IP address responses. |
| instance-data Resolver | instance-data; instance-data.internal; instance-data.${cloud.vmstate.instance_subdomain}.internal | hi |
- A records for components & services
- Components:
  - All have a short-name (column 2 of euca-describe-services)
  - May have a partition which determines their subdomain (column 3 of euca-describe-services)
  - May be strictly internal (e.g., reporting) and have no DNS name associated as a result
- Component name lookups are:
  - Global services: ${componentId.name()}.DNSDOMAIN.COM
  - Partitioned services: ${componentId.name()}.${partition}.DNSDOMAIN.COM
- This resolver is authoritative
- Examples of its behaviour can be seen using the following command:
euca-describe-services --all |
awk '$3 == "PARTI00" {print $2"."$3".DNSDOMAIN.COM"} $3 != "PARTI00" {print $2".DNSDOMAIN.COM"}' |
sort | uniq |
xargs -I{} dig @10.111.1.2 A {} +retries=0 +timeout=1 |
awk '/^$/{getline} $2 == "flags:" {print} /^;[^ ;].*A$/ {print} /^[^;][^ ;]/'
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;autoscaling.DNSDOMAIN.COM. IN A
autoscaling.DNSDOMAIN.COM. 60 IN A 10.111.1.2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;walrus.DNSDOMAIN.COM. IN A
walrus.DNSDOMAIN.COM. 60 IN A 10.111.1.2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;cluster.PARTI00.DNSDOMAIN.COM. IN A
cluster.PARTI00.DNSDOMAIN.COM. 60 IN A 10.111.1.2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;storage.PARTI00.DNSDOMAIN.COM. IN A
storage.PARTI00.DNSDOMAIN.COM. 60 IN A 10.111.1.2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;node.PARTI00.DNSDOMAIN.COM. IN A
node.PARTI00.DNSDOMAIN.COM. 60 IN A 10.111.1.66
node.PARTI00.DNSDOMAIN.COM. 60 IN A 10.111.1.16
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;reporting.DNSDOMAIN.COM. IN A
DNSDOMAIN.COM. 604800 IN SOA root.DNSDOMAIN.COM. b-02.qa1.eucalyptus-systems.com.DNSDOMAIN.COM. 1 86400 604800 2419200 600
- Resolves names outside of the Eucalyptus-controlled domain names
- Never resolves names which are in a system-controlled subdomain
- Never reverse-resolves addresses which are controlled by the system
- Example of lookups against facebook.com
root@euca-1-109-165-29:~# dig any facebook.com
; <<>> DiG 9.8.1-P1 <<>> any facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60419
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;facebook.com. IN ANY
;; ANSWER SECTION:
facebook.com. 70109 IN NS a.ns.facebook.com.
facebook.com. 70109 IN NS b.ns.facebook.com.
facebook.com. 766 IN AAAA 2a03:2880:2110:df07:face:b00c:0:1
facebook.com. 149 IN MX 10 msgin.t.facebook.com.
facebook.com. 365 IN A 173.252.110.27
facebook.com. 86266 IN TXT "v=spf1 redirect=_spf.facebook.com"
;; ADDITIONAL SECTION:
a.ns.facebook.com. 172265 IN A 69.171.239.12
b.ns.facebook.com. 172265 IN A 69.171.255.12
;; Query time: 76 msec
;; SERVER: 10.111.1.2#53(10.111.1.2)
;; WHEN: Fri Aug 2 04:59:54 2013
;; MSG SIZE rcvd: 211
root@euca-1-109-165-29:~# for f in A AAAA TXT MX NS SOA ; do dig +nocmd $f facebook.com +noall +stats +answer ; done
facebook.com. 473 IN A 173.252.110.27
;; Query time: 64 msec
;; SERVER: 10.111.1.2#53(10.111.1.2)
;; WHEN: Fri Aug 2 04:58:05 2013
;; MSG SIZE rcvd: 113
facebook.com. 874 IN AAAA 2a03:2880:2110:df07:face:b00c:0:1
;; Query time: 61 msec
;; SERVER: 10.111.1.2#53(10.111.1.2)
;; WHEN: Fri Aug 2 04:58:05 2013
;; MSG SIZE rcvd: 125
facebook.com. 86374 IN TXT "v=spf1 redirect=_spf.facebook.com"
;; Query time: 52 msec
;; SERVER: 10.111.1.2#53(10.111.1.2)
;; WHEN: Fri Aug 2 04:58:05 2013
;; MSG SIZE rcvd: 143
facebook.com. 257 IN MX 10 msgin.t.facebook.com.
;; Query time: 65 msec
;; SERVER: 10.111.1.2#53(10.111.1.2)
;; WHEN: Fri Aug 2 04:58:05 2013
;; MSG SIZE rcvd: 121
facebook.com. 70217 IN NS a.ns.facebook.com.
facebook.com. 70217 IN NS b.ns.facebook.com.
;; Query time: 47 msec
;; SERVER: 10.111.1.2#53(10.111.1.2)
;; WHEN: Fri Aug 2 04:58:05 2013
;; MSG SIZE rcvd: 97
facebook.com. 78 IN SOA a.ns.facebook.com. dns.facebook.com. 2013080100 7200 1800 604800 120
;; Query time: 51 msec
;; SERVER: 10.111.1.2#53(10.111.1.2)
;; WHEN: Fri Aug 2 04:58:05 2013
;; MSG SIZE rcvd: 137
- Responds to:
- A record queries for 'instance-data' and possible subdomain variants, always returning 169.254.169.254
- PTR queries for 169.254.169.254 returning instance-data
;; QUESTION SECTION:
;instance-data. IN A
;; ANSWER SECTION:
instance-data. 60 IN A 169.254.169.254
;; QUESTION SECTION:
;instance-data.internal. IN A
;; ANSWER SECTION:
instance-data. 60 IN A 169.254.169.254
;; QUESTION SECTION:
;instance-data.eucalyptus.internal. IN A
;; ANSWER SECTION:
instance-data. 60 IN A 169.254.169.254
root@euca-1-106-32-141:~# dig A instance-data
169.254.169.254
Using domain server:
Name: 10.111.1.66
Address: 10.111.1.66#53
Aliases:
instance-data has address 169.254.169.254
;; QUESTION SECTION:
;254.169.254.169.in-addr.arpa. IN PTR
;; ANSWER SECTION:
254.169.254.169.in-addr.arpa. 60 IN PTR instance-data.
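The rules stated above (the Service/Component resolver is authoritative, the recursive resolver never answers for system-controlled names, instance-data always resolves to 169.254.169.254) can be checked mechanically against check() output. The script below is an added example, not part of the original spec or of Eucalyptus: audit, sample, the finding labels and the sample responses are constructed for illustration, and it assumes every name under the delegated domain should come back with the aa flag while names outside the system domains should not.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Reads check()-style output on
# stdin and prints one finding per response that breaks the resolver rules.
audit() {  # usage: audit DNSDOMAIN.COM < cleaned-dig-output
  awk -v dom="$1" '
    function under(name, d) {  # label-boundary suffix match: name is d or below it
      name = tolower(name); d = tolower(d) "."
      return name == d || (length(name) > length(d) &&
             substr(name, length(name) - length(d)) == "." d)
    }
    $2 == "flags:" {           # header line: was the aa flag set?
      f = $0; sub(/^.*flags: /, "", f); sub(/;.*/, "", f)
      aa = ((" " f " ") ~ / aa /); next
    }
    /^;[^ ;]/ {                # question line, e.g. ";walrus.DNSDOMAIN.COM. IN A"
      q = substr($1, 2); sys = under(q, dom); internal = under(q, "internal")
      meta = (tolower(q) == "instance-data." ||
              (internal && tolower(q) ~ /^instance-data\./))
      if (sys && !aa) print "NOT-AUTHORITATIVE " q   # system name served by recursion?
      if (!sys && !internal && !meta && aa) print "UNEXPECTED-AA " q
      next
    }
    # an A answer for an instance-data name must carry the metadata address
    /^[^;]/ && meta && $4 == "A" && $5 != "169.254.169.254" {
      print "BAD-METADATA-ADDR " q " " $5
    }'
}

sample() {  # constructed responses (192.0.2.x is documentation space), not captured
  cat <<'EOF'
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;walrus.DNSDOMAIN.COM. IN A
walrus.DNSDOMAIN.COM. 60 IN A 10.111.1.2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;storage.PARTI00.DNSDOMAIN.COM. IN A
storage.PARTI00.DNSDOMAIN.COM. 60 IN A 192.0.2.7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;notDNSDOMAIN.COM. IN A
notDNSDOMAIN.COM. 300 IN A 192.0.2.9
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;instance-data.internal. IN A
instance-data. 60 IN A 192.0.2.99
EOF
}

sample | audit DNSDOMAIN.COM
```

The suffix test matches on label boundaries, so notDNSDOMAIN.COM is treated as an external name rather than as part of the delegated domain. Against a live cloud, pipe the output of check into audit in place of sample.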
tag:rls-3.4