non-maas managed subnets cannot query maas DNS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Fix Released | Wishlist | Julian Edwards | 1.7.0
Bug Description
In the landscape cloud installer, if a customer adds a network that is not directly managed by MAAS for their instance floating IP range in their cloud -- let's call it a DMZ -- maas rejects DNS queries originating from that network. There is no config option to check/fix in maas itself that I know of. Instead, a transient config file needs to be altered (perhaps a more permanent way of doing this exists, I didn't dig) to add the following:
allow-recursion { any; };
Seems like step 1 could be to add a checkbox that turns "any" recursion on. And step 2 could be to add an API which offers more specific control of that setting (which landscape could drive).
If you need to split this into two bugs, let me know, but this is a blocker for our current landscape release (at least getting step 1 in).
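For context on what the two suggested settings look like at the BIND level, here is an added example (not MAAS's own named.conf template, and not the reporter's text) that puts the `allow-recursion { any; };` line from the report beside a restricted form. Recursion is opened only to the networks that need it, with the DMZ range added explicitly. The network addresses and the ACL name `maas-clients` are placeholders chosen for this example; `localhost` and `localnets` are BIND's built-in ACLs.

```conf
// Added example, not from the MAAS project. Addresses are placeholders.
// The two "options" blocks are alternatives: a named.conf has only one.

// Weak form (what the report asks for as a checkbox): any host that can
// reach UDP/TCP 53 on this server may use it as a recursive resolver.
options {
    recursion yes;
    allow-recursion { any; };      // open resolver
};

// Restricted form: recurse only for the networks MAAS serves plus the
// non-MAAS-managed DMZ range from the report, refuse everyone else.
acl "maas-clients" {
    localhost;
    localnets;                     // every network an interface of this host is on
    192.0.2.0/24;                  // placeholder: the instance floating-IP / DMZ range
};

options {
    recursion yes;
    allow-recursion { maas-clients; };
    allow-query-cache { maas-clients; };   // keep cached answers to the same set
    allow-query { any; };          // authoritative answers for MAAS zones can stay open
};
```

With the restricted form a host outside `maas-clients` that asks for a name the server is not authoritative for gets REFUSED instead of a recursive lookup, which is the behaviour the report observed from the DMZ before its change; the fix is to add the DMZ prefix to the ACL, not to widen it to `any`. The branches listed below change MAAS's DNS templates and network handling rather than the checkbox approach.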
Related branches
- Reviewer: Jeroen T. Vermeulen (community): Approve
  Diff: 196 lines (+89/-5), 5 files modified
    etc/maas/templates/dns/named.conf.options.inside.maas.template (+4/-0)
    etc/maas/templates/dns/named.conf.template (+8/-0)
    src/maasserver/dns/config.py (+19/-2)
    src/maasserver/dns/tests/test_config.py (+56/-3)
    src/provisioningserver/dns/config.py (+2/-0)
- Reviewer: Jeroen T. Vermeulen (community): Approve
  Diff: 78 lines (+39/-0), 2 files modified
    src/maasserver/dns/connect.py (+14/-0)
    src/maasserver/tests/test_forms_network.py (+25/-0)
Changed in maas:
  assignee: nobody → Julian Edwards (julian-edwards)
  status: Triaged → In Progress
Changed in maas:
  status: In Progress → Fix Committed
Changed in maas:
  milestone: none → 1.7.0
Changed in maas:
  status: Fix Committed → Fix Released
Please don't add a checkbox to turn any box using MAAS DNS into an open resolver (which is what your 'any' suggestion does). Certainly not without big blinking warnings that this is a bad idea for any machine that's visible to the internet and even then I think it's a really bad idea.