Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add peering .service and .node DNS lookups. #15596

Merged
merged 4 commits into from
Nov 29, 2022
Merged

Add peering .service and .node DNS lookups. #15596

merged 4 commits into from
Nov 29, 2022

Conversation

hashi-derek
Copy link
Member

This PR improves support for DNS lookups on peered .service and .node queries. Prior to this PR, peered lookups were only supported for .virtual queries.

Node Lookups

For .node lookups, only A and AAAA queries are supported in Consul. New .peer and .dc qualifiers are introduced into OSS, similar to Enterprise, which allows users to specify between the two.

In OSS, existing node lookups had a format of mynode.node.dc1.some-domain.

Now they can also be queried with any of the following:

  • mynode.node.dc1.some-domain
  • mynode.node.dc1.dc.some-domain
  • mynode.node.peer1.peer.some-domain

With peered nodes only being accessible via the .peer qualifier.

Service Lookups

For .service DNS lookups, SRV records are supported in addition to the standard A and AAAA that nodes have. Similar to nodes, they have been given extra qualifiers to indicate .peer and .dc lookups.

In OSS, existing service lookups had a format of mysvc.service.dc1.some-domain.

Now they can also be queried with any of the following:

  • mysvc.service.dc1.some-domain
  • mysvc.service.dc1.dc.some-domain
  • mysvc.service.peer1.peer.some-domain

Since SRV records can return the FQDN of a node, the following outputs are now expected:

;; ANSWER SECTION:
mysvc.service.consul.	0	IN	SRV	1 1 9001 mylocalnode.node.dc1.some-domain.


;; ANSWER SECTION:
mysvc-peered.service.consul.	0	IN	SRV	1 1 9001 mypeernode.node.peer1.peer.some-domain.

With the local node response format being unchanged by this PR.

Addr Lookups

Consul supports the concept of an .addr lookup, which essentially provides an IP address in DNS form. They often look like c0a8017b.addr.dc1.some-domain where c0a8017b is a hex-encoded IP address. These are typically sent back as a response in an SRV record whenever there is no valid FQDN alternative to use.

These lookups technically do not query the state store at all, and are simply parsed and converted from hexadecimal format into a real IP address before responding.

For addr lookups, both of the following formats are equivalent and supported prior to this PR:

;; ANSWER SECTION:
c0a8017b.addr.dc1.some-domain. 0	IN	A	192.168.1.123

;; ANSWER SECTION:
c0a8017b.addr.some-domain. 0	IN	A	192.168.1.123

The .dc1 is effectively ignored since only basic text-parsing is performed.

For peering, whenever we respond in an SRV record with a .addr, we will emit it without the .dc1 component so that it is more clear that it is not an IP address that is part of the local DC. This is mostly a cosmetic change, but could provide value for some users that wish to distinguish the two apart.

;; ANSWER SECTION:
mysvc.service.some-domain.	0	IN	SRV	1 1 9001 c0a8017b.addr.dc1.some-domain.

;; ANSWER SECTION:
mysvc-peered.service.some-domain.	0	IN	SRV	1 1 9001 c0a8017b.addr.some-domain.

PTR Lookups

These are still unsupported for peering, as the format of 1.0.0.127.in-addr.arpa is fixed, and would introduce a potential breaking change if a peering connection was introduced into the existing list. IP addresses on peered services could potentially conflict with that of the local datacenter, and should therefore be excluded.

@hashi-derek hashi-derek marked this pull request as ready for review November 29, 2022 17:23
DanStough
DanStough approved these changes Nov 29, 2022
View reviewed changes
Copy link
Contributor

@DanStough DanStough left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

agent/dns_oss_test.go Outdated Show resolved Hide resolved
@hashi-derek @DanStough
Update agent/dns_oss_test.go
08fda9e 
Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
@hashi-derek hashi-derek merged commit 95dc0c7 into main Nov 29, 2022
@hashi-derek hashi-derek deleted the derekm/NET-1662/peering-dns branch November 29, 2022 18:23
@hc-github-team-consul-core hc-github-team-consul-core mentioned this pull request Nov 29, 2022
Merged
jmurret pushed a commit that referenced this pull request Dec 2, 2022
@hashi-derek @jmurret
Add peering .service and .node DNS lookups. (#15596)
d0f111c 
Add peering `.service` and `.node` DNS lookups.
@jkirschner-hashicorp jkirschner-hashicorp mentioned this pull request Dec 8, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DanStough DanStough DanStough approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hashi-derek @DanStough