non-maas managed subnets cannot query maas DNS

Bug #1348364 reported by David Britton
Affects: MAAS
Status: Fix Released
Importance: Wishlist
Assigned to: Julian Edwards
Milestone: 1.7.0

Bug Description

In the landscape cloud installer if a customer adds a network that is not directly managed by MAAS for their instance floating IP range in their cloud -- let's call it a DMZ -- maas rejects DNS queries originating from that network. There is no config option to check/fix in maas itself that I know of. Instead, a transient config file needs to be altered (perhaps a more permanent way of doing this exists, I didn't dig) to add the following:

   allow-recursion { any; };

Seems like step 1 could be to add a checkbox that turns "any" recursion on. And step 2 could be to add an API which offers more specific control of that setting (which landscape could drive).

If you need to split apart into two bugs, let me know, but this is a blocker for our current landscape release (at least getting step 1 in).

Revision history for this message
James Troup (elmo) wrote :

Please don't add a checkbox to turn any box using MAAS DNS into an open resolver (which is what your 'any' suggestion does). Certainly not without big blinking warnings that this is a bad idea for any machine that's visible to the internet and even then I think it's a really bad idea.

Revision history for this message
David Britton (dpb) wrote : Re: [Bug 1348364] Re: non-maas managed subnets cannot query maas DNS

On Thu, Jul 24, 2014 at 10:47:10PM -0000, James Troup wrote:
> Please don't add a checkbox to turn any box using MAAS DNS into an open
> resolver (which is what your 'any' suggestion does). Certainly not
> without big blinking warnings that this is a bad idea for any machine
> that's visible to the internet and even then I think it's a really bad
> idea.

Thanks James -- I think we would need a way to add the floating IP
subnet directly then.

--
David Britton <email address hidden>

Revision history for this message
Julian Edwards (julian-edwards) wrote :

I'm not even sure if this is possible, but can you set up a separate bind server that forwards queries to the MAAS one?

Changed in maas:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Sure, but that wouldn't be a bug fix.

How about a form where you could add optional networks for an allow-query {}; block in bind's config? Or maybe automatically do that for networks that were defined in MAAS?

Revision history for this message
Raphaël Badin (rvb) wrote :

Maybe we could add a template in /etc/maas from which the BIND config would be generated and that you could modify to suit your needs. This would have the advantage of letting a user configure BIND exactly the way he wants it without making this too obvious by adding a button in the UI.

Revision history for this message
Julian Edwards (julian-edwards) wrote :

On Friday 25 Jul 2014 12:14:41 you wrote:
> Sure, but that wouldn't be a bug fix.
>
> How about a form where you could add optional networks for an allow-
> query {}; block in bind's config? Or maybe automatically do that for
> networks that were defined in MAAS?

My initial thought was also to do it automatically for networks defined in
MAAS. I think this is the nicest solution.

Revision history for this message
David Britton (dpb) wrote :

On Fri, Jul 25, 2014 at 01:22:51PM -0000, Julian Edwards wrote:
>
> My initial thought was also to do it automatically for networks defined in
> MAAS. I think this is the nicest solution.

Yes, this would have been an understandable requirement and fits in
nicely with the UI that is already there. We actually tried this option
hoping it would work, but quickly found out it did not yet. :)

--
David Britton <email address hidden>

Revision history for this message
Julian Edwards (julian-edwards) wrote :

Ok what we'll do is add all the networks MAAS knows about into the trusted ACL set, and throw this config into named.conf.options (each ACL element is terminated with a semicolon):

acl "trusted" {
    N.N.N.N/bits;
    ...
    localhost;
    localnets;
};

allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };

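The two configurations discussed in this bug, the original "allow-recursion { any; }" proposal and Julian's "trusted" ACL, differ only in which source addresses are granted recursion. The following is an added example, not MAAS code and not the generator MAAS 1.7 actually ships: it renders the ACL fragment from a list of MAAS-known networks and decides, for a given client address, whether recursion would be allowed under each policy. The network list and client addresses are constructed for illustration; BIND's built-in "localhost" and "localnets" matches are approximated with the loopback ranges and an explicit list of the server's directly attached networks.

```python
"""Render the BIND 9 "trusted" ACL fragment from MAAS-known networks and
check which clients it grants recursion to.  Added example for this bug
thread; not MAAS's own code."""
import ipaddress

# Constructed sample: a MAAS-managed subnet plus a non-MAAS-managed DMZ /
# floating IP range that has been added to MAAS as a network object.
MAAS_NETWORKS = ["10.0.0.0/24", "192.168.100.0/24"]

# Approximation of BIND's built-in "localhost" match (loopback only).
LOOPBACK_NETWORKS = ("127.0.0.0/8", "::1/128")


def is_valid_network(cidr):
    """True if cidr is a proper network (no host bits set), e.g. 10.0.0.0/24.
    strict=True rejects 10.0.0.5/24 instead of silently widening it."""
    try:
        ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return True


def render_trusted_acl(cidrs):
    """Emit the named.conf.options fragment proposed in the bug: a "trusted"
    ACL of MAAS networks plus localhost/localnets, queries open to anyone,
    recursion and cache access restricted to trusted clients."""
    bad = [c for c in cidrs if not is_valid_network(c)]
    if bad:
        raise ValueError(f"not valid networks: {bad}")
    lines = ['acl "trusted" {']
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f"    {net.with_prefixlen};")
    lines += [
        "    localhost;",
        "    localnets;",
        "};",
        "",
        "allow-query { any; };",
        "allow-recursion { trusted; };",
        "allow-query-cache { trusted; };",
    ]
    return "\n".join(lines) + "\n"


def recursion_allowed(client_ip, cidrs, server_local_nets=(), policy="trusted"):
    """Decide whether client_ip gets recursive service.

    policy="any"     models the original proposal, allow-recursion { any; }:
                     every client on the Internet is served (open resolver).
    policy="trusted" models allow-recursion { trusted; }: only MAAS networks,
                     loopback, and the server's own attached networks
                     (server_local_nets, standing in for BIND's "localnets").
    """
    if policy == "any":
        return True
    if policy != "trusted":
        raise ValueError(f"unknown policy {policy!r}")
    ip = ipaddress.ip_address(client_ip)
    for cidr in list(cidrs) + list(server_local_nets) + list(LOOPBACK_NETWORKS):
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


if __name__ == "__main__":
    print(render_trusted_acl(MAAS_NETWORKS))
    for client in ("10.0.0.7", "192.168.100.20", "203.0.113.9"):
        print(client,
              "any:", recursion_allowed(client, MAAS_NETWORKS, policy="any"),
              "trusted:", recursion_allowed(client, MAAS_NETWORKS))
```

Dropping the rendered fragment into named.conf.options and running named-checkconf on the result catches syntax slips such as a missing semicolon. To confirm the effect from the outside, query the server from an address outside the trusted set with dig and check that the "ra" (recursion available) flag is absent in the response header; with the original "any" proposal it is present for every client, which is exactly the open-resolver condition James objects to.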
Revision history for this message
Dean Henrichsmeyer (dean) wrote :

Sounds good, thanks.

Changed in maas:
assignee: nobody → Julian Edwards (julian-edwards)
status: Triaged → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
milestone: none → 1.7.0
Changed in maas:
status: Fix Committed → Fix Released