DNS extensions reported as available even if not enabled
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
New
|
Low
|
Unassigned |
Bug Description
# Summary
The Neutron Extensions API [^1] returns all possible DNS extensions even if the configured DNS extension driver for the ML2 plugin does not offer all of them or even if no DNS extension driver is enabled at all.
This is misleading to the user because it communicates features that aren't actually available depending on the backend configuration.
This is in contrast to other Neutron extensions (e.g. "uplink-
[^1]: https:/
# Description
In the context of DNS functionality, Neutron has a hierarchy of extensions that supersede one another [^2]:
- dns-integration
- dns-domain-ports (includes dns-integration)
- subnet-
- dns-integration
The "dns-integration" extension offers the least functionality and "dns-integratio
The `extension_drivers` setting of the ML2 plugin determines which extension will be active.
Thus, the actual DNS functionality range offered by Neutron depends on the selected extension driver.
The user documentation of Designate [^3] instructs users to query the Neutron Extensions API to determine the available functionality.
For the different use cases involving publishing fixed IP DNS records within user-created networks [^4], the documentation states: "Check that the subnet-
This suggests that the user should check for the "subnet-
However, the Neutron Extensions API currently returns all DNS extensions regardless of which DNS extension driver is actually active. Even if none of them is active, all DNS extensions are still returned.
Depending on the individual configuration, this might communicate the availability of features to the user which aren't actually available.
In the case of the Designate documentation, this is especially misleading because it seems to assume that the extensions listed by Neutron API match the available functionality.
[^2]: https:/
[^3]: https:/
# How to reproduce
The following steps have been executed on a DevStack with Neutron @135cfa321549f0
Consider the following example entry in `/etc/neutron/
```
[ml2]
extension_drivers = port_security,
```
Note: the behavior illustrated below stays the same even if `dns_domain_ports` is removed completely and no DNS extension driver is specified at all!
Either the OpenStack client can be used or API requests directly to list extensions:
```
# authenticate as user
$ source openrc demo demo
# check API extensions using client
$ openstack extension list --network -f value -c Alias | grep dns
dns-integration
dns-domain-ports
dns-integration
subnet-
# check API extensions via direct HTTP request
$ TOKEN=$(openstack token issue -f value -c id)
$ curl -s -H "X-Auth-Token: $TOKEN" http://
"alias": "dns-integration",
"alias": "dns-domain-ports",
"alias": "dns-integratio
"alias": "subnet-
```
But the "subnet-
```
$ openstack network create test-network
$ openstack subnet create --network test-network \
--subnet-range 192.168.0.1/24 --dns-publish-
$ openstack subnet show -f value -c dns_publish_
None
```
In this case the `dns_publish_
This can also be verified by peeking into Neutron's database and observing that the "subnet_
Once the `dns_publish_
# Counterexample (expected behavior)
The ML2 plugin shows a different behavior for the "uplink-
The API will only list this extension if its extension driver actually enabled.
Documented below is the behavior of the "uplink-
Based on the following setting:
```
[ml2]
extension_drivers = port_security,qos
```
The extension "uplink-
```
$ openstack extension list --network -f value -c Alias | grep uplink
```
Now, after adding the `uplink_
```
[ml2]
extension_drivers = port_security,
```
... and restarting Neutron, the extension will now be listed by the Extensions API:
```
$ openstack extension list --network -f value -c Alias | grep uplink
uplink-
```
tags: | added: dns |
I think this may somehow leak due to the fact that it is mentioned in the https:/ /github. com/openstack/ neutron/ blob/22a3384194 e14ed2e7a2f3888 cf5f107d0ecdb42 /neutron/ common/ ovn/extensions. py as extension supported by the ovn driver. But that will need to be checked.