-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add standard for DNS #570
base: main
Are you sure you want to change the base?
Add standard for DNS #570
Conversation
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Standards/scs-01xx-v1-dns.md
Outdated
|
||
- One or more local DNS recursors SHOULD be integrated into the infrastructure and the `dnsmasq_dns_server` setting SHOULD point to the local DNS recursor(s) only. | ||
- Any local DNS recursor referenced by the `dnsmasq_dns_server` setting MUST implement DNSSEC validation. | ||
- If the cloud infrastructure has any provider networks connected to the internet, then the `dnsmasq_dns_server` entries MUST contain DNS servers (recursors or resolvers) that can resolve public DNS records. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should discuss how to handle clouds where provider networks use different root zones.
An example scenario: An on-premise setup where one provider network is connected to the internet (and uses the public root zone) has a second provider network which is connected to the company intranet. That intranet is isolated from the internet and uses an alt-root for internal name resolution.
Here, it is not obvious how a value for dnsmasq_dns_server
should look like to allow resolution of names relevant to the respective network could work.
We need to discuss:
- Whether such setups are in scope, and
- if they are: how to address this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This still needs some discussion, has that happened in some meeting I wasn't part of or should we schedule something for that? @markus-hentsch @fkr
Standards/scs-01xx-v1-dns.md
Outdated
|
||
A local DNS recursor can be used to cache and serve DNS responses locally. It servers as a proxy between the clients and external DNS servers. | ||
This improves performance and speed of DNS resolution in the infrastructure. | ||
Furthermore, it can be configured to use DNSSEC, DNS over HTTPS and/or DNS over TLS to increase security and privacy of DNS requests it handles for clients. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't mention DNS-over-HTTPS, as it provides no significant benefits over DNS-over-TLS, but needlessly exposes an HTTP parser to the internet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The security aspect has merit but DNS over HTTPS has significant different advantages over DNS over TLS, especially with regards to privacy and simplicity of configuration (e.g. port 443 is almost always no problem to connect to, good luck with DNSoTLS with some network middleboxes.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which privacy advantages does DoH have that DoTLS does not have?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's usage is harder to detect than DoT, this is why every browser implements DoH instead of DoT. This might or might not be a concern for our usecase though (I think it is the latter, but I didn't really analyze this in detail).
Specifically DoT uses Port 853 which makes it very easy to detect and block.
:edit: see e.g. https://dnsprivacy.org/the_solutions/#dns-over-tls-dot for some external references.
The web is full with content around this controversy, e.g. there where some panels regarding this at some FOSDEM dns dev rooms in the past with quite some good arguments for both "sides", see e.g. this blog post which has more links:
https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, none of that matters for a recursor running locally in a datacenter. I'd argue even DoTLS is overkill for that, but that's not a hill I'm willing to die on.
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Based on the latest findings of SovereignCloudStack/issues#229 I made the following changes/additions:
|
Signed-off-by: Markus Hentsch <[email protected]>
I implemented a test script that verifies the existence of the API extensions as mandated by the current standard draft. However, due to https://bugs.launchpad.net/neutron/+bug/2063669 the test will succeed in any OVN-based setup since the DNS extensions are always reported as being available even if none of them actually are. Upstream needs to fix this for the test script to actually report accurate results ... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, beside missing two explanations for "OVM" and "OVS".
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Thanks for pointing that out! This is quite important. I've added them to the glossary. |
Co-authored-by: Felix Kronlage-Dammers <[email protected]> Signed-off-by: Markus Hentsch <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to review this in more detail later.
I'm only somewhat competent in the DNS RFCs as I happened to run, architect and maintain some dns infrastructure in the past.
DNS is a very complicated topic and I need some more time to read the standard very carefully, thanks.
Standards/scs-01xx-v1-dns.md
Outdated
|
||
A local DNS recursor can be used to cache and serve DNS responses locally. It servers as a proxy between the clients and external DNS servers. | ||
This improves performance and speed of DNS resolution in the infrastructure. | ||
Furthermore, it can be configured to use DNSSEC, DNS over HTTPS and/or DNS over TLS to increase security and privacy of DNS requests it handles for clients. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The security aspect has merit but DNS over HTTPS has significant different advantages over DNS over TLS, especially with regards to privacy and simplicity of configuration (e.g. port 443 is almost always no problem to connect to, good luck with DNSoTLS with some network middleboxes.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
imho the standard should mandate RFC compliant DNS Servers that should be made available to the customer, given the fact there are a lot of non compliant dns servers out there.
Good idea. Do you have a list of RFCs a good recursor should adhere to? I'm not sure if we need to list the RFCs of all RRs which we expect to be supported or whether that's something any base-RFC-compliant recursor MUST handle correctly anyway (even though history has shown they don't always). |
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
(this comment was misplaced and moved to the corresponding issue here) |
…oning Signed-off-by: Markus Hentsch <[email protected]>
... as a result of the recent Lean Operator Coffee discussion Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
I demoted some of the guidelines in this standard from MUST to SHOULD as a result of the recent CSP discussion (see here). As a result, the API tests I implemented for the conformance tests are not applicable anymore and I removed them. They wouldn't have worked properly with Neutron's current implementation anyway. |
No description provided.