Bug 1690943

Summary: RFE: network: expose dnsmasq auth-zone feature
Product: [Community] Virtualization Tools
Component: libvirt
Reporter: Petr Menšík <pemensik>
Assignee: Libvirt Maintainers <libvirt-maint>
Status: NEW
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: crobinso, libvirt-maint, pemensik
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Petr Menšík 2019-03-20 14:13:57 UTC
Description of problem:
The network tag has a domain option with an optional localOnly parameter. This parameter ensures that, under the given domain name, no other names would be forwarded to upstream DNS servers.

However, this feature is not simple enough to take advantage of. dnsmasq is great; it handles all names inside. But any such domain cannot be simply delegated from outside name servers. Dnsmasq has an option to act as an authoritative server for a given domain. I would like to use dnsmasq authoritatively, so it returns NXDOMAIN for names that do not exist without a query to upstream. At the same time, it would


Version-Release number of selected component (if applicable):
libvirt-4.7.0-1.fc29.x86_64

How reproducible:
always

Steps to Reproduce:
1. virsh net-edit default
<network>
...
<domain name='vm' localOnly='yes'/>
...
2. dig @192.168.122.1 -t SOA -q vm
3. dig +norec @192.168.122.1 nonexistent.vm

Actual results:
# 2.
; <<>> DiG 9.11.6-RedHat-9.11.6-2.fc29 <<>> +norec @vhost-ns.vm -t SOA -q vm
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20970
;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vm.				IN	SOA

# 3.
; <<>> DiG 9.11.6-RedHat-9.11.6-2.fc29 <<>> +norec @vhost-ns.vm -t A nonexistent.vm
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53947
;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nonexistent.vm.			IN	A


Expected results:
dig -p 8153 @localhost -t SOA vm

# 2.
; <<>> DiG 9.11.6-RedHat-9.11.6-2.fc29 <<>> -p 8153 @localhost -t SOA vm
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60467
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vm.				IN	SOA

;; ANSWER SECTION:
vm.			600	IN	SOA	. . 1 1200 180 1209600 600

;; AUTHORITY SECTION:
vm.			600	IN	NS	.
vm.			600	IN	NS	vm.

# 3.
; <<>> DiG 9.11.6-RedHat-9.11.6-2.fc29 <<>> +norec -p 8153 @localhost -t A nonexistent.vm
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62707
;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nonexistent.vm.			IN	A


Additional info:

Dnsmasq has the option auth-zone=<domain>, which I think should be possible to use. If hosts are in such zones, non-recursive queries will not fail. Also, dnsmasq would think it is authoritative and return NXDOMAIN on unknown names directly.

But I think the biggest advantage is the simplicity of forwarding a subdomain to dnsmasq. If there is a normal recursive server on the local network that allows modification of some records, just a modification of the DNS zone would allow all such names to be available on the whole network.

Example:
<domain localOnly='yes' authoritative='yes'>pemensik.vm</domain>

Then into the vm.db zone, let's say provided by BIND, I would have to add just:

pemensik.vm.     IN NS pemensik-libvirt.vm.
pemensik-libvirt IN A  10.1.2.28

pemensik-libvirt is the IP of the libvirt interface on my computer, where I allowed access in the firewall. Now anyone can use the name machine1.pemensik.vm on the local network and access my computer. Great thing: it can use just the nsupdate tool from DHCP to configure always different names. It would scale quite well.

Unfortunately, recent dnsmasq does not respond to queries with +norec at all; it always returns REFUSED. It would not return such a reply in authoritative mode, but I think it is not possible to enable it from libvirt.

Is there a workaround to add dnsmasq-specific options from virsh net-edit?
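The reproduction steps above rely on what dig's +norec does (it clears the RD bit) and on reading the response header (the aa flag and the rcode: SERVFAIL vs NXDOMAIN vs REFUSED). The following is an added example, not code from the bug report or from libvirt/dnsmasq: a minimal DNS wire-format encoder/decoder that builds a non-recursive query and classifies the answer, so an administrator can verify whether the dnsmasq on a libvirt bridge is really answering the zone authoritatively. The two sample responses are constructed to mirror the "Actual results" (SERVFAIL, no aa) and the "Expected results" (authoritative SOA); the `query()` helper does a live lookup and is not used by the offline demo.

```python
"""Added example: check whether a DNS server answers a zone authoritatively.
Not part of the bug report; sample responses below are constructed."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "AXFR": 252}


def encode_name(name):
    """Encode a dotted name as DNS labels; "." or "" becomes the root name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", recursion_desired=False, txid=0x1234):
    # dig +norec clears the RD bit: a server that is not authoritative for the
    # name then must not forward the query upstream on our behalf.
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(msg):
    """Parse header flags, skip the question, and collect answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": [],
    }
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # qtype + qclass
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        result["answers"].append((name, rtype, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return result


def verdict(resp):
    """Summarise what the header tells us about the server's role for the zone."""
    if resp["aa"] and resp["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "authoritative"
    if resp["rcode"] == "NXDOMAIN":
        return "nxdomain-without-aa"
    return "not-authoritative (%s)" % resp["rcode"]


def query(server, name, qtype="SOA", recursion_desired=False, port=53, timeout=2.0):
    """Live UDP check, e.g. query("192.168.122.1", "vm"); not used offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, recursion_desired), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


# Constructed samples: responses to a +norec SOA query for "vm".
QUESTION = encode_name("vm") + struct.pack("!HH", QTYPES["SOA"], 1)
# "Actual results": flags qr ra, rcode SERVFAIL, nothing in the answer section.
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8082, 1, 0, 0, 0) + QUESTION
# "Expected results": flags qr aa ra, rcode NOERROR, one SOA RR (mname/rname ".").
SOA_RDATA = encode_name(".") + encode_name(".") + struct.pack("!IIIII", 1, 1200, 180, 1209600, 600)
AUTH_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8480, 1, 1, 0, 0) + QUESTION
                 + b"\xC0\x0C" + struct.pack("!HHIH", QTYPES["SOA"], 1, 600, len(SOA_RDATA)) + SOA_RDATA)

if __name__ == "__main__":
    for label, raw in (("current dnsmasq", SERVFAIL_RESPONSE), ("auth-zone dnsmasq", AUTH_RESPONSE)):
        r = parse_response(raw)
        print(label, r["rcode"], "aa=%s" % r["aa"], "->", verdict(r))
```

Running the live `query()` against the bridge address from the report (192.168.122.1) with the default `recursion_desired=False` reproduces step 2; a SERVFAIL or REFUSED verdict means the zone is only known to the forwarder, while `authoritative` is what delegating `pemensik.vm` from an outside zone requires.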

Comment 1 Petr Menšík 2019-03-20 14:19:44 UTC
Also, authoritative mode would allow AXFR transfer of all parsed and allocated names.

dig @vhost-ns.vm -t AXFR vm

If that is not wanted, it can be disabled by the dnsmasq option auth-peer=127.0.0.1 or something similar.

Comment 2 Cole Robinson 2020-11-18 13:55:06 UTC
FWIW the <network> XML supports passing raw options to the dnsmasq config. That may be a workaround for this instance; it would be useful if someone could confirm it works:

https://libvirt.org/formatnetwork.html#elementsNamespaces

Example would be like:

<network xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0'>
  ...
  <dnsmasq:options>
    <dnsmasq:option value="auth-zone=XXX"/>
  </dnsmasq:options>
</network>
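To make the workaround concrete, here is an added example (not libvirt's or the commenter's code) that inserts the namespaced dnsmasq options into an existing network definition, the way `virsh net-edit` expects them, and reads them back for verification. It combines the `auth-zone` option from this comment with the `auth-peer` restriction from comment 1, so that enabling the authoritative zone does not also expose AXFR of every allocated VM name to the whole LAN. The starting XML and the zone name `pemensik.vm` are constructed from the report's own example; the namespace URI is the one in the snippet above.

```python
"""Added example: add dnsmasq pass-through options to a libvirt <network>.
Not libvirt's own code; the sample XML below is constructed."""
import xml.etree.ElementTree as ET

DNSMASQ_NS = "http://libvirt.org/schemas/network/dnsmasq/1.0"
# Make ElementTree serialise the namespace with the "dnsmasq:" prefix libvirt uses.
ET.register_namespace("dnsmasq", DNSMASQ_NS)

# Constructed starting point, mirroring the `virsh net-edit default` step of the report.
NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0'/>
  <domain name='vm' localOnly='yes'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>"""


def dnsmasq_options(xml_text):
    """Return the raw dnsmasq option strings already present in the definition."""
    root = ET.fromstring(xml_text)
    return [opt.get("value") for opt in root.iter("{%s}option" % DNSMASQ_NS)]


def add_dnsmasq_options(xml_text, options):
    """Add <dnsmasq:option value=.../> entries (idempotently) and return new XML."""
    root = ET.fromstring(xml_text)
    container = root.find("{%s}options" % DNSMASQ_NS)
    if container is None:
        container = ET.SubElement(root, "{%s}options" % DNSMASQ_NS)
    existing = {opt.get("value") for opt in container}
    for value in options:
        if value not in existing:
            ET.SubElement(container, "{%s}option" % DNSMASQ_NS).set("value", value)
    return ET.tostring(root, encoding="unicode")


def auth_options(zone, peers):
    """auth-zone makes dnsmasq answer the zone authoritatively; auth-peer limits
    which addresses may pull a zone transfer (comment 1 suggests 127.0.0.1).
    Assumption: auth-peer takes a comma-separated address list."""
    opts = ["auth-zone=%s" % zone]
    if peers:
        opts.append("auth-peer=%s" % ",".join(peers))
    return opts


if __name__ == "__main__":
    new_xml = add_dnsmasq_options(NETWORK_XML, auth_options("pemensik.vm", ["127.0.0.1"]))
    print(new_xml)
    print("options now:", dnsmasq_options(new_xml))
```

The output can be pasted into `virsh net-edit`; afterwards the options should appear verbatim in the dnsmasq configuration libvirt generates for the network, and an AXFR from any address other than the listed peers should be refused.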