OpenStack Designate toolkit for IBM NS1 Connect®
OpenStack is a cloud platform that provides APIs to orchestrate bare metal, virtual machine (VM), and container resources on a single network. As widely used open-source software for building public and private clouds, OpenStack enables control of large pools of computing, storage, and networking resources, managed and provisioned through APIs with common authentication mechanisms.
Designate is a project within OpenStack’s ecosystem of services for running clouds. It allows users and operators to manage DNS records, names, and zones via a REST API, and it can configure existing DNS nameservers to contain those records.
The OpenStack Designate integration allows you to manage your IBM® NS1 Connect® DNS resources via OpenStack Designate. The integration supports the default set of DNS records and commands enabled by Designate. Using Designate, you can utilize a common API to manage DNS on multiple DNS providers.
Before you begin
- You must have an IBM NS1 Connect® account with a valid API key.
Procedure
For the implementation process, you need to update OpenStack’s DNS server pools via the Designate Manage CLI. A YAML file defines the pool. Installing Designate creates a pools.yaml file (Default: etc/designate/pools.yaml) and sets the designate-mdns IP automatically.
Follow the instructions below to configure the integration.
- Edit the pools.yaml file to configure the integration with NS1. OpenStack’s site contains the following example of the IBM NS1 Connect® configuration using the pools.yaml file:

      targets:
        - type: ns1
          description: NS1 DNS Server

          # List out the designate-mdns servers from which NS1 servers should
          # request zone transfers (AXFRs) from.
          masters:
            - host: 192.0.2.1
              port: 5354

          # NS1 Configuration options
          options:
            #NS1 XFR container ip and port
            host: 192.0.2.2
            port: 5302
            #NS1 API endpoint IP address or name (Core container). Enter only base address or name.
            #Plugin will generate full api address, e.g. https://192.0.2.2/v1/zones/<zone name>
            api_endpoint: 192.0.2.2
            #NS1 API key
            api_token: changeme
            # If a tsigkey is needed, uncomment the line below and insert the key name, algorithm and value
            # NOTE: TSIG key has to be set manually
            #tsigkey_name: testkey
            #tsigkey_hash: hmac-sha512
            #tsigkey_value: 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg==

| YAML section | Attribute | Description |
|---|---|---|
| masters | host/port | List out the designate-mdns servers from which NS1 servers should request zone transfers (AXFRs) |
| options | host | 192.135.223.10 |
| | port | 53 (default) |
| | API endpoint | api.nsone.net |
| | API_token | A valid NS1 API key with permissions, including creating a secondary zone. |
| TSIG options | | If TSIG is required, the parameters below are also required. See below for instructions on generating the TSIG key. |
| | tsigkey_name | Name of the TSIG key |
| | tsigkey_hash | Hash algorithm used when generating the TSIG key |
| | tsigkey_value | Value of the TSIG key secret |

- Update the pools in Designate.

      $ designate-manage pool update

  Refer to the OpenStack Designate documentation for more information on the designate-manage pool command. For details on the YAML file syntax, refer to here.
In some situations, a deployer may need to use TSIG keys to sign AXFR (zone transfer) requests. If TSIG is required, it must be configured for each zone individually since NS1 does not support a per-host key setup.
The following example uses the OpenStack CLI. When using the OpenStack command-line client, follow these steps to configure a TSIG key:
- Generate a TSIG key using any of the available utilities (e.g., tsig-keygen):

      $ tsig-keygen -a hmac-sha512 testkey
      key "testkey" {
          algorithm hmac-sha512;
          secret "vQbMI3u5QGUyRu6FWRm16eL0F0dfOOmVJjWKCTg4mIMNnba0g2PLrV+0G92WcTfJrgqZ20a4hv3RWDICKCcJhw==";
      };
- Make a POST API call to /v2/tsigkeys, as referenced in the OpenStack API documentation. The resource_id will be the pool_id you configured for NS1 as part of your OpenStack installation.

      openstack tsigkey create --name testkey --algorithm hmac-sha512 --secret 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg== --scope POOL --resource-id 794ccc2c-d751-44fe-b57f-8894c9f5c842
- Add the TSIG-related config lines to the pools.yaml file as described above.
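
TSIG is a shared secret, so the key name, algorithm and secret given to `openstack tsigkey create` and written to pools.yaml have to be the same values. The Python sketch below is an added example, not part of the IBM or OpenStack documentation: it parses `tsig-keygen` output once, validates the secret, and derives both artefacts from it. The function names, the minimum-length check and the sample key are assumptions constructed for this example.

```python
import base64
import binascii
import hashlib
import re

# Matches the key statement that tsig-keygen prints.
KEY_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;'
)

def parse_tsig_key(text):
    """Parse tsig-keygen output; reject malformed or undersized secrets."""
    m = KEY_RE.search(text)
    if m is None:
        raise ValueError("no key statement found")
    alg = m["alg"].lower()
    try:
        raw = base64.b64decode(m["secret"], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64: {exc}") from None
    # Assumption of this example: require at least digest-size bytes of secret.
    need = hashlib.new(alg.replace("hmac-", "", 1)).digest_size
    if len(raw) < need:
        raise ValueError(f"secret is {len(raw)} bytes, expected at least {need}")
    return {"name": m["name"], "algorithm": alg, "secret": m["secret"]}

def pools_yaml_options(key):
    """The three TSIG lines for the NS1 target's options in pools.yaml."""
    return [
        f"tsigkey_name: {key['name']}",
        f"tsigkey_hash: {key['algorithm']}",
        f"tsigkey_value: {key['secret']}",
    ]

def tsigkey_create_argv(key, pool_id):
    """Arguments for the openstack tsigkey create call shown above."""
    return ["openstack", "tsigkey", "create", "--name", key["name"],
            "--algorithm", key["algorithm"], "--secret", key["secret"],
            "--scope", "POOL", "--resource-id", pool_id]

# Constructed sample: 64 fixed bytes stand in for a real random secret.
SAMPLE_SECRET = base64.b64encode(bytes(range(64))).decode()
SAMPLE_OUTPUT = f'key "testkey" {{\n\talgorithm hmac-sha512;\n\tsecret "{SAMPLE_SECRET}";\n}};\n'

if __name__ == "__main__":
    key = parse_tsig_key(SAMPLE_OUTPUT)
    print("\n".join(pools_yaml_options(key)))
    print(" ".join(tsigkey_create_argv(key, "<pool_id>")))
```

A secret passed with `--secret` on the command line is recorded in shell history and visible in the process list while the command runs. Once the TSIG lines are added, pools.yaml holds both the NS1 API token and the TSIG secret, so restrict read access to that file.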