Designate runs inside OpenStack and depends on Keystone, messaging, and backend DNS integrations.
Create custom policies in /etc/designate/policy.yaml:

```yaml
# Restrict zone creation to the admin or dns_admin role
"create_zone": "role:admin or role:dns_admin"
# Allow recordset management for dns_admin and for members of the owning project
"update_recordset": "role:dns_admin or project:%(project_id)s"
# Restrict zone transfers to admins
"create_zone_transfer": "role:admin"
# Allow zone export only for admins
"export_zone": "role:admin or role:dns_admin"
```
Service credentials in the [keystone_authtoken] section of designate.conf:

```ini
[keystone_authtoken]
username = designate
project_name = service
project_domain_name = Default
user_domain_name = Default
```
Place certificate and key files:

```bash
sudo mkdir -p /etc/designate/ssl
sudo cp designate.crt designate.key /etc/designate/ssl/
# The private key must stay unreadable to other users, but readable by the
# account designate-api runs as (adjust owner/group to match that account)
sudo chmod 600 /etc/designate/ssl/designate.key
```
Configure in designate.conf:

```ini
[service:api]
enable_ssl_api = True
ssl_cert_file = /etc/designate/ssl/designate.crt
ssl_key_file = /etc/designate/ssl/designate.key

[keystone_authtoken]
# Verify Keystone's certificate against the system CA bundle; never set insecure = true
cafile = /etc/ssl/certs/ca-certificates.crt
insecure = false

[storage:sqlalchemy]
connection = mysql+pymysql://designate:password@controller/designate?ssl_ca=/etc/ssl/certs/ca-certificates.crt

[DEFAULT]
# Use TLS for RabbitMQ connections (AMQPS on 5671, ssl=1)
transport_url = rabbit://user:password@controller:5671/?ssl=1

[oslo_messaging_rabbit]
# Enable heartbeats for connection monitoring
heartbeat_connect_timeout = 5
heartbeat_rate = 2
# Seconds before the broker is considered down; a value of 0 disables heartbeats
heartbeat_timeout_threshold = 60
```
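A check over the TLS and messaging settings above, as an added example that is not part of the page or of the Designate project: it parses a designate.conf with the standard library and reports every setting that falls short of the fragments shown. The sample config is constructed for the demo, and the option names checked are the ones used on this page.

```python
import configparser
from urllib.parse import parse_qs, urlparse


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def audit_designate_conf(text):
    """Return a list of findings; an empty list means every checked setting passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # Keystone token validation must verify Keystone's TLS certificate.
    if _truthy(cp.get("keystone_authtoken", "insecure", fallback="false")):
        findings.append("keystone_authtoken: insecure=true disables TLS verification")
    # The API should serve TLS itself or sit behind a TLS-terminating proxy.
    if not _truthy(cp.get("service:api", "enable_ssl_api", fallback="false")):
        findings.append("service:api: enable_ssl_api is not True")
    # RabbitMQ: the ssl=1 query flag requests AMQPS (normally port 5671).
    query = parse_qs(urlparse(cp.get("DEFAULT", "transport_url", fallback="")).query)
    if not _truthy(query.get("ssl", ["0"])[0]):
        findings.append("DEFAULT: transport_url does not request TLS (ssl=1)")
    # The MySQL link is only verified when the DSN pins a CA bundle.
    if "ssl_ca=" not in cp.get("storage:sqlalchemy", "connection", fallback=""):
        findings.append("storage:sqlalchemy: connection has no ssl_ca parameter")
    # heartbeat_timeout_threshold = 0 turns oslo.messaging heartbeats off.
    if int(cp.get("oslo_messaging_rabbit", "heartbeat_timeout_threshold", fallback="60")) == 0:
        findings.append("oslo_messaging_rabbit: heartbeat_timeout_threshold=0 disables heartbeats")
    # Debug logging writes request details, tokens included, to the log files.
    if _truthy(cp.get("DEFAULT", "debug", fallback="false")):
        findings.append("DEFAULT: debug=true")
    return findings


# Constructed sample (not a real deployment): every checked setting is weak.
WEAK_CONF = """
[DEFAULT]
transport_url = rabbit://designate:password@controller:5672/
debug = true
[keystone_authtoken]
insecure = true
[storage:sqlalchemy]
connection = mysql+pymysql://designate:password@controller/designate
[oslo_messaging_rabbit]
heartbeat_timeout_threshold = 0
"""
if __name__ == "__main__":
    for finding in audit_designate_conf(WEAK_CONF):
        print(finding)
```

Run it against the real file with `audit_designate_conf(open("/etc/designate/designate.conf").read())`; an empty result means the settings in the fragments above are all in place.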
Restrict /etc/designate/designate.conf to mode 0640 with owner root:designate, since it holds service and database credentials.

Example firewall rules (ufw), allowing only the internal 10.0.0.0/24 network to reach the API, database and message queue:

```bash
sudo ufw allow from 10.0.0.0/24 to any port 9001 proto tcp
sudo ufw allow from 10.0.0.0/24 to any port 3306 proto tcp
sudo ufw allow from 10.0.0.0/24 to any port 5672 proto tcp
```
Configure TSIG keys for secure zone transfers to backend DNS servers.

BIND9 Backend (/etc/designate/pools.yaml):

```yaml
- name: bind9_pool
  description: BIND9 Backend Pool
  nsd_type: bind9
  masters:
    - host: 10.0.0.10
      port: 53
  targets:
    - type: bind9
      host: 10.0.0.20
      port: 53
      key_file: /etc/designate/tsig/bind9.key
      # must match the algorithm the key was generated with (hmac-sha256 below)
      key_algorithm: hmac-sha256
```
Generate TSIG key:

```bash
dnssec-keygen -a hmac-sha256 -b 256 -n USER designate-bind9
```
BIND9 named.conf:

```
// "designate-key" must be the name of a key {} statement that carries the
// secret generated above; it is what ties the update to the TSIG key.
zone "example.com" {
    type master;
    file "/var/lib/bind/example.com.zone";
    // Note: the 10.0.0.0/24 entry accepts unsigned updates from that subnet,
    // so TSIG is only enforced if the ACL is reduced to the key alone.
    allow-update { key designate-key; 10.0.0.0/24; };
    allow-transfer { none; };
};
```
Database connection settings in designate.conf, with client certificate authentication to MySQL:

```ini
[storage:sqlalchemy]
# Use SSL for database connections, presenting a client certificate
connection = mysql+pymysql://designate:password@controller/designate?ssl_ca=/etc/ssl/certs/ca-certificates.crt&ssl_cert=/etc/designate/ssl/client.crt&ssl_key=/etc/designate/ssl/client.key
# Enable connection pooling limits
max_pool_size = 10
max_overflow = 20
pool_timeout = 10
```
API and logging settings in designate.conf:

```ini
[DEFAULT]
# Enable audit middleware
oslo_middleware = true
# Disable the legacy v1 API; serve v2 only
enable_v1_api = false
enable_v2_api = true
# Logging configuration
log_dir = /var/log/designate
log_file = designate.log
# Leave debug off in production: it logs request details, including tokens
debug = false
```
Logging configuration file (Python logging fileConfig format, referenced from designate.conf via log_config_append):

```ini
[loggers]
keys = root, designate

[handlers]
keys = console, file

[formatters]
keys = audit

[formatter_audit]
format = %(asctime)s.%(msecs)03d %(levelname)s %(name)s [%(request_id)s] [%(user_name)s] [%(project_name)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S
```
Forward logs to a centralized logging system (ELK, Splunk, Graylog):

```ini
[handler_syslog]
class = handlers.SysLogHandler
args = ('/dev/log', handlers.SysLogHandler.LOG_USER)
level = INFO
formatter = audit
```
Configure in /etc/designate/api-paste.ini:

```ini
[filter:ratelimit]
paste.filter_factory = oslo.middleware:RateLimitFactory
limits = ^/v2/zones:POST=100/minute,^/v2/zones:PUT=200/minute,^/v2/recordsets:POST=500/minute
```
| Port | Service | Access |
|---|---|---|
| 9001 | designate-api | Load balancer/reverse proxy only |
| 5353 | designate-mdns | Internal network only |
| 3306 | MariaDB/MySQL | Designate hosts only |
| 5672 | RabbitMQ | OpenStack services only |
Use Apache or Nginx as a reverse proxy:

Nginx Example:

```nginx
server {
    listen 443 ssl;
    server_name designate.example.com;
    ssl_certificate /etc/ssl/certs/designate.crt;
    ssl_certificate_key /etc/ssl/private/designate.key;

    location / {
        # designate-api listens on loopback only; the proxy is the sole entry point
        proxy_pass http://127.0.0.1:9001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Designate honours this header only when the oslo.middleware
        # http_proxy_to_wsgi filter is enabled, so that generated links use https://
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```