NS1 status

Articles in this section

OpenStack Designate toolkit for IBM NS1 Connect

  • Updated
Follow

OpenStack is a cloud platform that provides APIs to orchestrate bare metal, virtual machine (VM), and container resources on a single network. As widely used open-source software for building public and private clouds, OpenStack enables control of large pools of computing, storage, and networking resources, managed and provisioned through APIs with common authentication mechanisms.

Designate is a project within OpenStack’s ecosystem of services for running clouds. It allows users and operators to manage DNS records, names, and zones via a REST API, and it can configure existing DNS nameservers to contain those records.

The OpenStack Designate integration allows you to manage your NS1 Connect DNS resources via OpenStack Designate. The integration supports the default set of DNS records and commands enabled by Designate. Using Designate, you can utilize a common API to manage DNS on multiple DNS providers.

Before you begin

  • You must have an IBM NS1 Connect account with a valid API key.

  • You must have installed OpenStack and Designate.

Note

The OpenStack Designate integration works only with NS1 Connect as a secondary DNS provider.

Instructions

For the implementation process, you need to update OpenStack’s DNS server pools via the Designate Manage CLI. A YAML file defines the pool. Installing Designate creates a pools.yaml file (Default: etc/designate/pools.yaml) and sets the designate-mdns IP automatically.

Step 1 - Configure the integration with NS1 Connect

Follow the instructions below to configure the integration.

  1. Edit the pools.yaml file to configure the integration with NS1. OpenStack’s site contains the following example of the NS1 Connect configuration using the pools.yaml file:

    targets:
    - type: ns1
      description: NS1 DNS Server

      # List out the designate-mdns servers from which NS1 servers should
      # request zone transfers (AXFRs) from.
      masters:
        - host: 192.0.2.1
          port: 5354

      # NS1 Configuration options
      options:
        #NS1 XFR container ip and port
        host: 192.0.2.2
        port: 5302
        #NS1 API enpoint IP address or name (Core container). Enter only base address or name.
        #Plugin will generate full api address, e.g. https://192.0.2.2/v1/zones/<zone name>
        api_endpoint: 192.0.2.2
        #NS1 API key
        api_token: changeme
        # If a tsigkey is needed, uncomment the line below and insert the key name, algorithm and value
        # NOTE: TSIG key has to be set manually
        #tsigkey_name: testkey
        #tsigkey_hash: hmac-sha512
        #tsigkey_value: 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg==

    masters

    host/port

    List out the designate-mdns servers from which NS1 servers should request zone transfers (AXFRs)

    options

    host

    192.135.223.10

    port

    53 (default)

    API endpoint

    api.nsone.net

    API_token

    A valid NS1 API key with permissions, including creating a secondary zone.

    TSIG options

    If TSIG is required, the parameters below are also required. See below for instructions on generating the TSIG key.

    tsigkey_name

    Name of the TSIG key

    tsigkey_hash

    Hash algorithm used when generating the TSIG key

    tsigkey_value

    Value of the TSIG key secret

  2. Update the pools in Designate.

    $ designate-manage pool update

    Refer to the OpenStack Designate documentation for more information on the designate-manage pool command. For details on the YAML file syntax, refer to here.

Step 2: Configure the TSIG key

In some situations, a deployer may need to use TSIG keys to sign AXFR (zone transfer) requests. If TSIG is required, it must be configured for each zone individually since NS1 does not support a per-host key setup.

The following example uses the OpenStack CLI. When using the OpenStack command-line client, follow these steps to configure a TSIG key:

  1. Generate a TSIG key using any of the available utilities (e.g., tsig-keygen):

    $ tsig-keygen -a hmac-sha512 testkey
key "testkey" {
algorithm hmac-sha512;
secret "vQbMI3u5QGUyRu6FWRm16eL0F0dfOOmVJjWKCTg4mIMNnba0g2PLrV+0G92WcTfJrgqZ20a4hv3RWDICKCcJhw==";
};

  2. Make a POST API call to /v2/tsigkeys, as referenced in the OpenStack API documentation. The resource_id will be the pool_id you configured for NS1 as part of your OpenStack installation.

    openstack tsigkey create --name testkey --algorithm hmac-sha512 --secret 4EJz00m4ZWe005HjLiXRedJbSnCUx5Dt+4wVYsBweG5HKAV6cqSVJ/oem/6mLgDNFAlLP3Jg0npbg1SkP7RMDg== --scope POOL --resource-id 794ccc2c-d751-44fe-b57f-8894c9f5c842

  3. Add the TSIG-related config lines to the pools.yaml file as described above.

Related articles