Wednesday, 2014-02-05

« Tuesday, 2014-02-04 Index Thursday, 2014-02-06 »
*** artom has joined #openstack-dns00:21
*** artom has quit IRC00:22
*** CaptTofu has joined #openstack-dns00:24
*** matsuhashi has joined #openstack-dns00:25
*** CaptTofu has quit IRC00:28
*** jmcbride has joined #openstack-dns00:45
*** jmcbride has quit IRC00:46
*** jorgem has joined #openstack-dns00:56
*** nosnos has joined #openstack-dns00:57
*** nosnos has quit IRC01:01
*** nosnos has joined #openstack-dns01:01
*** jorgem has quit IRC01:16
*** nkinder has joined #openstack-dns01:19
*** CaptTofu has joined #openstack-dns01:32
*** nkinder has quit IRC01:51
*** elemecca has quit IRC02:25
*** jmcbride has joined #openstack-dns02:36
*** jmcbride has quit IRC02:41
*** jmcbride has joined #openstack-dns02:42
*** CaptTofu has quit IRC02:53
*** CaptTofu has joined #openstack-dns02:55
*** jmcbride has quit IRC03:01
*** vinod has joined #openstack-dns03:56
*** CaptTofu has quit IRC04:09
*** CaptTofu has joined #openstack-dns04:09
*** CaptTofu has quit IRC04:14
*** rossk has joined #openstack-dns04:21
*** rossk has quit IRC06:15
*** rossk has joined #openstack-dns06:16
*** rossk has quit IRC06:19
*** rossk has joined #openstack-dns06:20
*** rossk has quit IRC06:56
*** rossk has joined #openstack-dns06:57
*** rossk has quit IRC07:01
*** vinod has quit IRC07:06
*** nkinder has joined #openstack-dns08:02
*** rossk has joined #openstack-dns08:07
*** CaptTofu has joined #openstack-dns08:11
*** rossk has quit IRC08:12
*** CaptTofu has quit IRC08:16
*** matsuhashi has quit IRC08:54
*** matsuhashi has joined #openstack-dns08:55
*** CaptTofu has joined #openstack-dns10:12
*** CaptTofu has quit IRC10:16
*** nosnos has quit IRC10:53
*** krow has quit IRC10:57
*** timfreund has quit IRC11:13
*** timfreund has joined #openstack-dns11:35
*** CaptTofu has joined #openstack-dns12:07
*** timfreund has quit IRC12:08
*** CaptTofu has quit IRC12:36
*** CaptTofu has joined #openstack-dns12:36
*** CaptTofu has quit IRC12:41
*** artom has joined #openstack-dns13:02
*** CaptTofu has joined #openstack-dns13:17
*** vinod has joined #openstack-dns13:43
*** vinod has quit IRC13:43
*** CaptTofu has quit IRC13:46
*** vinod has joined #openstack-dns13:49
*** zigo_ is now known as zigo13:50
*** CaptTofu has joined #openstack-dns13:50
*** vinod has quit IRC14:03
*** eankutse has joined #openstack-dns14:12
*** eankutse has quit IRC14:13
*** eankutse has joined #openstack-dns14:14
*** msisk has joined #openstack-dns14:59
*** vinod has joined #openstack-dns15:00
*** vinod1 has joined #openstack-dns15:03
*** vinod has quit IRC15:05
*** matsuhashi has quit IRC15:17
*** matsuhashi has joined #openstack-dns15:18
*** jmcbride has joined #openstack-dns15:31
*** vinod1 has quit IRC15:33
*** matsuhashi has quit IRC15:34
*** jmcbride has quit IRC15:34
*** richm has joined #openstack-dns15:38
*** harmw has joined #openstack-dns15:39
*** jmcbride has joined #openstack-dns15:40
*** jmcbride has quit IRC15:51
*** jmcbride has joined #openstack-dns15:52
*** vinod has joined #openstack-dns16:06
*** jmcbride has quit IRC16:06
*** jmcbride has joined #openstack-dns16:10
*** vinod has quit IRC16:16
*** msisk has quit IRC16:17
*** artom has quit IRC16:21
*** rossk has joined #openstack-dns16:29
*** vinod has joined #openstack-dns16:32
*** eankutse1 has joined #openstack-dns16:36
*** eankutse1 has quit IRC16:36
*** eankutse has quit IRC16:38
*** rossk has quit IRC16:41
*** rossk has joined #openstack-dns16:42
*** rossk has quit IRC16:46
*** CaptTofu has quit IRC16:48
vinodI updated some of the agenda items for today's irc meeting.  If anybody else has additional items feel free to add at https://wiki.openstack.org/wiki/Meetings/Designate#Agenda16:48
*** jorgem has joined #openstack-dns16:49
openstackgerritLukasz Jernas proposed a change to stackforge/designate: Various small fixes to documentation  https://review.openstack.org/7131016:55
*** artom has joined #openstack-dns16:57
vinoddesignate meeting to start on #openstack-meeting-alt in a few minutes17:02
*** timfreund has joined #openstack-dns17:04
*** betsy has joined #openstack-dns17:04
*** eankutse has joined #openstack-dns17:05
*** msisk_ has joined #openstack-dns17:10
*** CaptTofu has joined #openstack-dns17:33
*** rossk has joined #openstack-dns17:34
*** DeeJay1 has joined #openstack-dns17:41
openstackgerritA change was merged to stackforge/designate: Various small fixes to documentation  https://review.openstack.org/7131017:50
DeeJay1yay, thanks betsy17:52
*** eankutse has quit IRC17:59
richmTo me, looking at the current state of the designate design, was that designate was basically a rest + mq frontend to whatever backend DNS you wanted to use18:01
*** nkinder has quit IRC18:01
richmNot "all your base are belong to designate"18:01
kiallHeya :) Sorry for only joining the last 5 mins there, holidays and woo :)18:01
betsykiall: No problem18:01
kiallrichm: While technically, yes, it's currently possible to mix designate managed and other zones together, that's never been a goal.18:02
kiallWhenever we have a choice between allowing mix+match of designate managed vs unmanaged, and a simpler mechanism that only allows designate managed, we tend to choose the latter18:02
vinodthe problem with mix+match would be that using the rest api, we would see only the designate portion18:03
vinodalso who would be single source of truth18:03
kiallAnyway - My theory's of MS AD DNS is that we can support it, just not quite the way that might be the most obvious way to do it.. For example..18:03
richmvinod: not sure what you mean18:04
kiallcompany.com + _msdcs.company.com .. company.com would be a traditional designate zone, while _msdcs.company.com would be setup as a secondary zone, AXFR'ing from MS DNS18:04
vinoddesignate would have only the domains/records that it manages, while i assume AD would have the rest or all of them18:05
kiallat that point, everything is in mini-dns, and whatever backend is chosen will serve the zones.18:05
kiallThat backend could be MS AD DNS18:05
richmI guess I don't understand what would be in designate that would not be in MS DNS18:05
betsykiall: And when you say "is in mini-dns" you actually mean Central's storage, right?18:05
kiallbetsy: yep18:06
richmI mean, if a company is using MS AD for their entire corporate DNS, what is in the company but outside of that?18:06
kiallrichm: If a company is using MS AD for their DNS, putting designate on top won't help them in any way - unless they migrate the zones to be under designates control.18:07
kiallDesignates design is such that the Designate database, rather than the DNS server, is the single source of truth.18:07
kiallThe is the opposite of, e.g. Neutron, where the switches etc are the source of truth.18:07
*** jmcbride1 has joined #openstack-dns18:07
richmok - that's going to be a non-starter for some of our customers, who will expect designate to be just a rest + mq frontend for their DNS18:07
kiallSo - If Designate was layered on top of MS AD DNS, and mixing designate managed + unmanaged zones is supported, existing zones would still be invisible via the API.18:08
*** jmcbride has quit IRC18:08
richmI still don't understand - if a company is using MS AD for their entire corporate DNS, what is in the company but outside of that?  What zone would be unmanaged by the corporate DNS?18:09
*** jmcbride1 has quit IRC18:10
kiallrichm: Well, exactly, if everything is MS AD hosted, and they are unwilling to migrate those zones, then they get no benefit to using Designate. Put in another context, if an entire company is running in Hyper-V, and that company is unwilling to migrate those VMs to Nova's control (using Hyper-V as the virt layer) they get zero benefit to installing Nova.18:11
richmok, let me ask this in another way - if we have a fully functional DNS backend, that can do every sort of CRUD operation possible with the DNS master server, why does designate need to be the master of that DNS data?18:13
kiallI think we're actually on a path that leads us to a better position that Nova has in that story above. Where, eventually, we support inbound AXFR's, and can as a result, import those pre-existing zones and distribute them over the Designate managed namservers. Allowing a slow or partial migration.18:13
kiallrichm: When you say "master", are you referring to a DNS master or source of truth?18:14
richmthe source of truth18:14
richmwhere the source of truth is e.g. the existing corporate DNS server(s)18:15
*** jmcbride has joined #openstack-dns18:16
kiallcrappy hotel wifi -_-18:16
artomBetter than creepy hotel wifi ;)18:17
kiallOkay -  So Designate made the choice that it would be the source of truth for all data, it's design is such that making the DNS server the source of truth would be hard..18:17
kiallThe disadvantages to letting the DNS server be the source of truth are scaling (easier to scale a DB than scaling the reads of BIND9 zonefiles off a single master server), ability to store and manage non traditional DNS data - for example tenant_id's etc18:18
kialland - the application becomes much more complex, as essentially the whole thing exists in a DNS server specific plugin18:19
betsyOur (Rackspace's) use case also calls for Designate to be the source of truth18:19
richmI can understand that bind + zonefile performance is bad18:20
richmI can understand that minidns makes implementation much, much easier18:20
kiallbetsy: I think most DNS providers would agree with that, the difficulty is balancing what we as providers want with what enterprise wants :)18:20
*** krow has joined #openstack-dns18:20
richmI can understand that Designate will have to store things outside of the DNS server18:20
richmBut all of these things are solvable in other ways, perhaps not as elegantly18:21
kiallAnyway - Making MS AD the source of truth is doable.. A storage plugin that mixed a SQL DB (or w/e) with MS AD would work18:21
kiallAt that point, you would just have a no-op DNS backend plugin, as the write the storage replaces it18:22
kiallbrb - have to run down to the hotel lobby. Will be 5 mins.18:22
*** jmcbride1 has joined #openstack-dns18:23
richmI guess the Rackspace model is that since Rackspace hosts everything, including DNS, the customer really doesn't care, and has no idea, about the underlying DNS?18:23
vinodyes that is correct18:24
richmAnd since you guys are struggling daily with bind performance + manageability, you are really wanting a much better DNS implementation?18:24
*** jmcbride has quit IRC18:25
richmand latency (the time between when you tell Designate to add a record and the time when a client can actually query a record) is not an issue because . . .?18:26
vinodour current implementation has several different pieces managed by different groups with some of the pieces not being actively maintained.  designate would make it easier to manage18:27
*** elemecca has joined #openstack-dns18:28
ekarlsoello folks18:28
vinodrich when you say the client querying a record - do you mean querying through the rest api or getting to the record by having the address etc. resolved18:29
vinodekarlso: hello18:30
kiallback18:31
ekarlsowhat's up ?18:32
kiallrichm: so, anyway, I don't think mini-dns or any of the other changes preclude using MS AD DNS, or even having MS AD DNS as the source of truth. it's just simply not something we've been working towards.18:32
richmok18:33
richmthat's fine18:33
artomkiall, well, mini-dns kinda would though, no?18:33
kiallIf MS AD *must* be the source of trust, and a slow migration of the non AD managed zones (i.e. everything but the _msdcs.* zones) is unacceptable, then building a storage driver that talks to MS AD DNS should always be doable18:33
artomUnless you make it optional...18:33
artomOr disable-able...18:34
artomWhich I guess it will be, if it's just a separate service...18:34
kiallmini-dns would always be "optional" if your storage driver talked straight to the DNS servers. The back half of the system would just be unused..18:35
kiallThere would probably be some quirks around handling of pools etc18:35
kiallBut - At a single enterprise scale, pools are likely unnecessary18:35
artomBut the API would have them...18:35
artomSo you're exposing a concept that doens't actually exist in the back half...18:36
kiallYep - The custom storage driver would need to handle the quriks, e.g. sharding across multiple storage drivers based on the pool ID18:36
kiall(e.g. pool #1 = MS AD DNS backed, pool #2+ = Standard SQL storage driver with BIND/PowerDNS etc)18:36
artomWeirdness all around then ;)18:37
richmIndeed18:37
kiallartom: yep - weirdness, but workable :)18:37
richmI would just like it to be _possible_, not necessarily easy, to use designate with other-DNS-server-as-source-of-truth18:38
artomI think my gf said that of me once ;)18:38
artomrichm, I think what kiall just explained is basically it...18:38
richmI mean, isn't that how it works, right now, without minidns?18:38
kiallrichm: The current storage layer would make it workable without core changes. I don't foresee any major changes to that layer which would make it impossible.18:38
kiallrichm: no, we never "read" from the DNS server's - Only ever our own database18:39
richmah, I see18:40
kiallAnyway - Making MS AD DNS the source of truth is doable, just not what we've designed for.18:41
*** jmcbride1 has quit IRC18:41
kiallThat said - The storage layer is probably pretty close to what it might look like if we designed for it..18:41
kiallThe difference probably being there would be a split in the storage layer between DNS and non-DNS data18:41
richmmakes sense18:42
*** jmcbride has joined #openstack-dns18:42
kiallSo - have you been seeing demand for MS AD as the source of truth, or just general predictions?18:43
richmWe have had some customers that wanted IPA to use MS AD as the source of truth18:45
kiallekarlso: heya - hows santa clara?18:45
kiallrichm: interesting - was that something you guys solved in IPA?18:45
richmEven though they had to manually configure MS DNS for ldap records, kerberos, etc.18:45
richmIf by "solving" you mean "giving the customer a list of manual steps they had to do to configure their DNS properly so that IPA would work" then yes18:46
ekarlsokiall: lots of cool stuff18:46
richmNot just AD, but other DNS servers as well18:46
kiallAh - Okay, so setting up the IPA equivalent of the _msdcs zone?18:46
ekarlsoa ta talk on Intel DPDK vSwitch atm18:47
richmkiall: sort of, except that I don't think there is anything like an _ipa zone18:48
kiallYea - MS AD is weird in that sense, but the records within are all about discovering the LDAP/Krb/etc servers local to your site..18:49
richmIPA needs _ldap records, SRV records for kerberos, etc.18:50
richmnot familiar with _msdcs zone, will have to read up on that18:51
kiallAnyway - I think that's a little different, in that the equivalent to MS AD DNS being the source of truth for Designate would be MS AD being the source of truth for IPA's Users/Groups/Computers etc18:51
kiallrichm: it's filled with SRV records for the various servers.. Just structured in a way that lets you find the AD server in your building, rather than the "global" one18:51
richmok18:51
kiallAnd .. Think my internet is dud again18:52
richmThere are IPA customers who do want AD to be the authoritative source of user/group data18:52
kiallhttp://standalonelabs.wordpress.com/2011/05/08/what-is-the-_msdcs-subdomain/18:53
kiallrichm: I'm sure there are :) But did IPA implement that? :)18:53
richmkiall: yes, reading that now18:53
richmIPA provides a sync from AD, which would be something like an AXFR+IXFR18:53
richmIPA can also (or will shortly) be able to do a kerberos cross domain trust with AD18:54
richmwhich would be something like splitting things into two different zones/subzones18:54
richmin the sync case, AD is still master of the data, where the updates go, and IPA is just a shadow read-only copy of the user/group data18:56
kiallYea, The sync model is as you say essentially the inbound AXFR to designate model.. The trust model is just standard DNS18:56
richmso could we have minidns used as a slave of the corp dns?18:57
richmis that what you mean by inbound AXFR?18:57
*** elemecca has quit IRC18:59
kiall(Both of those are things that have been talked about several times.. And will be implemented at some point..)19:00
kiallYea, we've always talked about inbound AXFR support - where Designate would slave off, for example, MS AD and publish the zones to the DNS servers under it's control19:00
kiallCrappy crappy internet -_-19:00
*** elemecca has joined #openstack-dns19:02
*** vinod has quit IRC19:04
richmthen that might work too19:04
richmThanks for being patient with me.  There is still a lot I need to learn.  I have a lot of homework.19:06
kiallNo problem ;)19:07
kiallOkay - gotta run to what will probably end up as another 24 hours of travel..19:07
kiall"yay"19:08
richmbon voyage19:12
*** eankutse has joined #openstack-dns19:27
*** jmcbride has quit IRC19:27
*** eankutse has quit IRC19:45
*** eankutse has joined #openstack-dns19:45
DeeJay1just to drop some notes to that discussions. the use case at my company for designate is to provide domain names to hosts in designated subdomains, so designate can be the source of truth for *.sub.company.com, *.sub2.company.com etc where sub* are delegated to designate19:53
richmDeeJay1: What is your primary DNS server?19:55
DeeJay1richm: F5 GTM ;)19:55
richmIs there a backend for that?19:56
DeeJay1it was a bind server underneath, but that changed to something I don't know, but it's hidden underneath a SOAP API19:57
DeeJay1anyway we're using it that way that we have records like "sub.domain.com IN NS server_for_cloud"19:58
DeeJay1so designate doesn't have to know about it at all19:58
DeeJay1but like I said - it's just a use case we're currently using (though without designate yet)19:59
richmok19:59
richmgood to know about all of these different use cases20:00
*** shakayumi has joined #openstack-dns20:00
*** jmcbride has joined #openstack-dns20:02
*** shakayum_ has joined #openstack-dns20:02
*** shakayumi has quit IRC20:05
*** DeeJay1 has quit IRC20:21
*** jmcbride has left #openstack-dns20:31
*** jmcbride has joined #openstack-dns20:34
*** vinod has joined #openstack-dns20:47
*** jmcbride has quit IRC20:51
*** CaptTofu_ has joined #openstack-dns21:06
openstackgerritBetsy Luzader proposed a change to stackforge/designate: Create API calls to Manage Blacklisted Domains  https://review.openstack.org/6535921:07
*** msisk_ has quit IRC21:08
*** CaptTofu has quit IRC21:09
*** nkinder has joined #openstack-dns21:21
*** jmcbride has joined #openstack-dns21:52
*** jmcbride has quit IRC21:58
*** jmcbride has joined #openstack-dns21:58
*** betsy has quit IRC22:13
*** nkinder has quit IRC22:15
*** jmcbride has quit IRC22:21
*** jmcbride has joined #openstack-dns22:23
*** jmcbride has quit IRC22:28
*** vinod has quit IRC22:34
*** vinod has joined #openstack-dns22:36
*** artom has quit IRC22:39
*** CaptTofu_ has quit IRC22:45
*** shakayum_ has quit IRC22:54
*** vinod has quit IRC22:56
*** vinod has joined #openstack-dns22:59
*** vinod has quit IRC23:03
*** jorgem has quit IRC23:20
*** CaptTofu has joined #openstack-dns23:27
*** jmcbride has joined #openstack-dns23:33
*** HenryG has quit IRC23:41
*** jmcbride has quit IRC23:58
« Tuesday, 2014-02-04 Index Thursday, 2014-02-06 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!