Difference between revisions of "Dynamic DNS"

From EGIWiki
Jump to: navigation, search
 
(35 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Template:EGI-Engage menubar}} {{TOC_right}}  
 
{{Template:EGI-Engage menubar}} {{TOC_right}}  
  
= Objective =
+
= Objective =
  
Supports for DNS names for VMs in EGI Federated cloud are recently required by many VOs. The aim of this task is to provide Dynamic DNS support for VMs in EGI Federated Clouds. Users can register their chosen meaningful and memorable DNS host names in given domains (e.g. my-server.vo-name.egi.eu) and assign to public IPs of their servers hosted in EGI Federated Cloud. By using Dynamic DNS, users can host services in EGI Federated Cloud with their meaningful server names, can freely move VMs from sites to sites without modifying server/client configurations (federated approach), can request valid server certificates in advance (critical for security)and many other advantages.
+
DNS names for VMs in EGI Federated cloud are recently required by many VOs [https://docs.google.com/spreadsheets/d/1pKBNuHV9FgQ-k6cIQ_2Eez_y6KZsiSVoLKW953QVkyo/edit#gid=0 requirements]  , however, current support for DNS resolution at site level is inadequate and fragmented.  
  
 +
The aim of this task is to provide united, federation-wide Dynamic DNS support for VMs in EGI Federated Clouds. Users can register their chosen meaningful and memorable DNS host names in given domains (e.g. my-server.vo-name.egi.eu) and assign to public IPs of their servers hosted in EGI Federated Cloud. By using Dynamic DNS, users can host services in EGI Federated Cloud with their meaningful service names, can freely move VMs from sites to sites without modifying server/client configurations (federated approach), can request valid server certificates in advance (critical for security)and many other advantages.
  
= Participants =
+
A short presentation of the task is available [https://drive.google.com/file/d/0B-BKNHNUi7TDRzB6ZUxoZHAyalU/view?usp=sharing here]
  
Viet Tran (IISAS) viet.tran _at_ savba.sk
 
  
 +
= How to use EGI FedCloud Dynamic DNS service  =
  
= Requirements =
+
Using EGI FedCloud Dynamic DNS service is very simple and intuitive via GUI portal. Just go to https://nsupdate.fedcloud.eu and follow the menu in the portal. Concretely:
  
* Basic functionalities
+
*Dynamic DNS service uses EGI CheckIn for authentication. If you have not EGI account yet, please register via https://sso.egi.eu/admin/
** Web-based GUI interfaces for registering DNS hostnames for EGI users
 
** DNS server with Dynamic DNS support for forward DNS resolution
 
** Command-line clients for assigning registered hostnames to IPs
 
  
* Advanced functionalities
+
*Log into Dynamic DNS service portal using EGI account via menu "Login" and click on "egi" button
  
** Using EGI Checkin services
+
*Use "Overview" menu and click on "Add host" to register a new hostname in an available domain. Choose a hostname in an available domain and click on "Create"
** Command-line client for registering DNS names
 
  
*Not compulsory but desired functionalities
+
*Follow the instruction after host creation for IP assignment/update. Note the host secret and the update URL (in form "https://HOSTNAME:SECRET@nsupdate.fedcloud.eu/nic/update") and save them for later use
  
** Support for reverse DNS
+
*Run "curl https://HOSTNAME:SECRET@nsupdate.fedcloud.eu/nic/update" in your VM to assign the hostname to a running VM
  
= Used technologies =
+
*or add "curl https://HOSTNAME:SECRET@nsupdate.fedcloud.eu/nic/update" into cloud_init file to assign hostname automatically at start.
  
* BIND9 server with configuration for updating DNS names via RFC 2136
+
*You can edit/update/delete your registered hostnames in the "Overview" menu and click on the hostname
* nsupdate.info software for registering and managing DNS names/domains
 
  
= Current status =
 
  
* A testing domain fedcloud.eu has been registered for testing and development (without touching production domains like egi.eu)
+
Please feel free to test and send your feedbacks/suggestions/comments to viet.tran@savba.sk
* DNS servers are installed and configured for fedcloud.eu domain
 
* Portal is installed on configured
 
* Users can register themselves and log in portal, can register DNS names within fedcloud.eu domain and assign to VMs
 
* Integrate to EGI CheckIn service
 
  
= Ongoing work =
+
= FAQ =
  
* Clean up codes
+
*For updating IP address, only hostname and its secret are needed. No user information is stored on VM in any form for updating IP.
* Justify setting and user interface
 
* Defining policies
 
* Preparation for alpha/beta testing
 
  
= Next steps =
+
*NS-update server uses HTTPS protocol, hostname/secret are encrypted as data and not visible during transfer so it is secure to use the update URL
  
* Support for command-line clients for registering domains
+
*Hostnames/IP addresses are not expired so no need to refresh IP addresses if no changes, it is enough to run once. You can add the following command “curl https://HOSTNAME:SECRET@nsupdate.fedcloud.eu/nic/update” to cloud-init to assign hostname automatically at VM start
  
= Long term work =
+
*If you get an error message when logging into NS-update server via EGI CheckIn, your browser may have expired token from EGI CheckIn. Try open this link https://aai-dev.egi.eu/oidc/saml/login in your browser to refresh the token or restart your browser
  
* Support for reverse DNS resolution
+
*DNS server set Time-to-Live (max time for caching DNS records) to 1 min for dynamic DNS, but MS Windows seems to not respect that. You can clear DNS cache in Windows with “ipconfig /flushdns” command with Administrator account
 +
 
 +
*NS-update portal does not store host secret in recoverable form. If you forget the secret of your hostname, simply generate new one via "Show configuration" button in the host edit page. The old secret will be invalid.
 +
 
 +
= API =
 +
 
 +
Dynamic DNS update server uses dydns2 protocol, compatible with commercial providers like [https://help.dyn.com/remote-access-api/perform-update/ dyn.com], [http://www.noip.com/integrate/request noip.com]. The API is specified as follows:
 +
 
 +
GET /nic/update?hostname=yourhostname&myip=ipaddress
 +
Host: nsupdate.fedcloud.eu
 +
Authorization: Basic base64-encoded-auth-string
 +
User-Agent:
 +
 
 +
Where
 +
 
 +
base64-encoded-auth-string: base64 encoding of username:password
 +
username: your host name
 +
password: your host secret
 +
hostname in the parameter string can be omitted or must be the same as username
 +
myip in the parameter string if omitted, the IP address of the client in the GET request will be used
 +
 
 +
Using hostname/secret as username/password can significantly increase security as no user credential is needed for updating IP address for VMs
 +
 
 +
= Participants  =
 +
 
 +
Developer
 +
 
 +
*Viet Tran (IISAS) viet.tran@savba.sk
 +
 
 +
= Requirements  =
 +
 
 +
*Basic functionalities
 +
**Web-based GUI interfaces for registering DNS hostnames for EGI users (done)
 +
**DNS server with Dynamic DNS support for forward DNS resolution (done)
 +
**Command-line clients for assigning registered hostnames to IPs (done)
 +
 
 +
*Advanced functionalities
 +
**Using EGI Checkin services (authentication done, authorization ongoing)
 +
**Command-line client for registering DNS hostnames (next period)
 +
 
 +
*Not compulsory but desired functionalities
 +
**Support for reverse DNS resolution (long term)
 +
 
 +
= Used technologies  =
 +
 
 +
*Backend: BIND9 DNS server with configuration for updating DNS names via RFC 2136
 +
*Frontend: nsupdate.info portal for registering and managing DNS names/domains
 +
*Clients: Wide support of common dynamic DNS clients like ddclient, inadyn, or just curl
 +
 
 +
= Current status  =
 +
 
 +
*A domain fedcloud.eu has been registered for operation
 +
*DNS servers are installed and configured for fedcloud.eu domain
 +
*Portal is installed on configured https://nsupdate.fedcloud.eu/
 +
*Users can register themselves and log in portal, can register DNS names within fedcloud.eu domain and assign to VMs
 +
*Authentication via EGI CheckIn service is supported
 +
 
 +
= Next step  =
 +
 
 +
*Authorization via VO memberships

Latest revision as of 21:39, 3 January 2021

EGI-Engage project: Main page WP1(NA1) WP3(JRA1) WP5(SA1) PMB Deliverables and Milestones Quality Plan Risk Plan Data Plan
Roles and
responsibilities
WP2(NA2) WP4(JRA2) WP6(SA2) AMB Software and services Metrics Project Office Procedures



Objective

DNS names for VMs in EGI Federated cloud are recently required by many VOs requirements  , however, current support for DNS resolution at site level is inadequate and fragmented.

The aim of this task is to provide united, federation-wide Dynamic DNS support for VMs in EGI Federated Clouds. Users can register their chosen meaningful and memorable DNS host names in given domains (e.g. my-server.vo-name.egi.eu) and assign to public IPs of their servers hosted in EGI Federated Cloud. By using Dynamic DNS, users can host services in EGI Federated Cloud with their meaningful service names, can freely move VMs from sites to sites without modifying server/client configurations (federated approach), can request valid server certificates in advance (critical for security)and many other advantages.

A short presentation of the task is available here


How to use EGI FedCloud Dynamic DNS service

Using EGI FedCloud Dynamic DNS service is very simple and intuitive via GUI portal. Just go to https://nsupdate.fedcloud.eu and follow the menu in the portal. Concretely:

  • Dynamic DNS service uses EGI CheckIn for authentication. If you have not EGI account yet, please register via https://sso.egi.eu/admin/
  • Log into Dynamic DNS service portal using EGI account via menu "Login" and click on "egi" button
  • Use "Overview" menu and click on "Add host" to register a new hostname in an available domain. Choose a hostname in an available domain and click on "Create"
  • You can edit/update/delete your registered hostnames in the "Overview" menu and click on the hostname


Please feel free to test and send your feedbacks/suggestions/comments to viet.tran@savba.sk

FAQ

  • For updating IP address, only hostname and its secret are needed. No user information is stored on VM in any form for updating IP.
  • NS-update server uses HTTPS protocol, hostname/secret are encrypted as data and not visible during transfer so it is secure to use the update URL
  • If you get an error message when logging into NS-update server via EGI CheckIn, your browser may have expired token from EGI CheckIn. Try open this link https://aai-dev.egi.eu/oidc/saml/login in your browser to refresh the token or restart your browser
  • DNS server set Time-to-Live (max time for caching DNS records) to 1 min for dynamic DNS, but MS Windows seems to not respect that. You can clear DNS cache in Windows with “ipconfig /flushdns” command with Administrator account
  • NS-update portal does not store host secret in recoverable form. If you forget the secret of your hostname, simply generate new one via "Show configuration" button in the host edit page. The old secret will be invalid.

API

Dynamic DNS update server uses dydns2 protocol, compatible with commercial providers like dyn.com, noip.com. The API is specified as follows:

GET /nic/update?hostname=yourhostname&myip=ipaddress
Host: nsupdate.fedcloud.eu
Authorization: Basic base64-encoded-auth-string
User-Agent:

Where

base64-encoded-auth-string: base64 encoding of username:password
username: your host name
password: your host secret
hostname in the parameter string can be omitted or must be the same as username
myip in the parameter string if omitted, the IP address of the client in the GET request will be used

Using hostname/secret as username/password can significantly increase security as no user credential is needed for updating IP address for VMs

Participants

Developer

  • Viet Tran (IISAS) viet.tran@savba.sk

Requirements

  • Basic functionalities
    • Web-based GUI interfaces for registering DNS hostnames for EGI users (done)
    • DNS server with Dynamic DNS support for forward DNS resolution (done)
    • Command-line clients for assigning registered hostnames to IPs (done)
  • Advanced functionalities
    • Using EGI Checkin services (authentication done, authorization ongoing)
    • Command-line client for registering DNS hostnames (next period)
  • Not compulsory but desired functionalities
    • Support for reverse DNS resolution (long term)

Used technologies

  • Backend: BIND9 DNS server with configuration for updating DNS names via RFC 2136
  • Frontend: nsupdate.info portal for registering and managing DNS names/domains
  • Clients: Wide support of common dynamic DNS clients like ddclient, inadyn, or just curl

Current status

  • A domain fedcloud.eu has been registered for operation
  • DNS servers are installed and configured for fedcloud.eu domain
  • Portal is installed on configured https://nsupdate.fedcloud.eu/
  • Users can register themselves and log in portal, can register DNS names within fedcloud.eu domain and assign to VMs
  • Authentication via EGI CheckIn service is supported

Next step

  • Authorization via VO memberships