Feature Design for: CloudStack DNS Framework and Plugins

Project Introduction


This document outlines the design for integrating a comprehensive and extensible DNS management framework into Apache CloudStack.

The primary goal is to provide users with the ability to manage DNS records (both manually and automatically) for their virtual machine instances and public IP addresses, using external DNS providers like PowerDNS, Cloudflare, BIND, or FreeIPA.

The design is plugin-based, allowing for easy integration of multiple DNS providers without modifying the core CloudStack code.

Github: https://github.com/apache/cloudstack/issues/9958

Glossary


This hierarchy:

DNS Provider Type (CloudStack Plugin) → DNS Server (Configuration) → DNS Zone (Container for DNS domains) → DNS Records (Data)


  • DNS Provider Type: The type of DNS server software/service.

    • Examples: powerdnscloudflarebindfreeipa

    • This corresponds to the Plugin Implementation.

  • DNS Server: A specific, configured instance of a DNS Provider Type, with its access credentials and connection details.

    • Examples: "NYC-PowerDNS-01", "Prod-Cloudflare", "Company-Bind-Master"

    • This corresponds to the dns_server table.

  • DNS Zone: A specific domain namespace managed by a DNS Server.

    • Examples: prod.example.comdev.app.cloud

    • This corresponds to the dns_zone table.

  • DNS Records: The individual records (A, AAAA, CNAME, etc.) within a DNS Zone.

Functional Description


Key Functional Components:

  • DNS Server Management

    • Add DNS Server: Configure connection to external DNS servers (PowerDNS, Cloudflare, BIND, etc.)

    • Server Validation: Test connectivity and authentication before enabling

  • DNS Zone Management

    • Zone Creation: Create DNS zones on configured DNS servers

    • Zone Delegation: Assign zones to specific accounts, domains, or networks

    • Zone Linking: Associate zones with CloudStack networks for automatic registration

    • Zone Properties: Configure TTL, DNSSEC, zone transfer settings

  • DNS Record Management

    • DNS Record Operations: Create/delete/update A, AAAA, CNAME, TXT records.

    • Support Bulk record operations

    • DNS Record Synchronization: import DNS records between CloudStack and DNS servers

  • Network Integration (Shared network)

    • VM Auto-Registration: Automatic A/AAAA record creation for VMs on shared networks

    • Fallback Domain: Use network domain if no specific zone is configured

    • Manual VM Registration: Per-VM DNS record management

    • Multi-DNSZone Support: Different DNS zones for different accounts

    • VM Lifecycle Events:

      • VM Create: Create A/AAAA record

      • VM Stop: Optionally remove record

      • VM Destroy: Remove DNS record

      • VM Assign: Update record if IP changes

      • VM NIC Added: Create additional records

      • VM NIC secondary IPs: Update DNS records if allowed

  • Network Integration (Isolated network)

    • Public IP Auto-Registration: Automatic DNS for allocated public IPs
    • Wildcard Support: Option for *.domain records for public IPs
    • Public IP events

      • Public IP Acquired: Create public-ip.X.domain wildcard record

      • Public IP Released: Remove DNS record

      • Static NAT Enabled: Create/update record vmname.domain

      • Static NAT Disabled: Remove DNS record vmname.domain
      • DNS for source NAT IP address

  • New feature: Floating IP (Shared/Isolated network) - TBD

    • Floating IP Operations: Create (with alias name), Update, Remove
    • Floating IP DNS Registration: DNS records for floating IP addresses

    • Multi-VM Association: Single floating IP DNS record pointing to multiple backend VMs (shared networks)

  • Advanced features
    • export records of DNS zone
    • import records of DNS zone from a TXT file
    • edit records of DNS zone in a text area

  • Other concerns

    • Access Control

    • Audit Logging: All DNS operations logged with timestamp and user

    • Record Validation: Prevent duplicate and conflicting records

    • DNSSEC Support: Optional DNSSEC signing for DNS zones

    • Resource Limitation: For domain and account

Development plans

PhaseMain goalnote
Step 1: DNS Server and Zone Management

Add CloudStack APIs for

  • create/update/delete/list DNS server accounts
  • create/update/delete/list DNS zones

including database changes


  • APIs are allowed for every user
  • zones are visible only for the owner.
  • Limited by resource limitation
Step 2: Support DNS Record Operations

Add CloudStack APIs for

  • get DNS records
  • create/update/delete/list DNS records

choose a DNS provider and set up in marvin node for smoke tests

  • PowerDNS as 1st implementation
  • Cloudflare (in next step maybe)
Step 3: DNS Registration for Shared Networks

This enables DNS registration for VMs in a Shared network.

  • Associate a DNS Zone to a Shared network
    • with optional sub domain name
  • Manual Registration (register DNS record with VM ID instead of ip address)
  • Automatic Registration
    • check for a dns_zone linked to the network (network_id).

    • If found, it uses that zone. If not, it falls back to the network's own domain field.


Step 4: DNS Registration for Isolated Network Public IPs

This enables DNS for public IPs acquired in an Isolated network.

  • Manual Registration (register DNS record with VM ID instead of ip address)

Step 5: Floating IP with DNS


(To Be discussed/decided)

This step introduces a Floating IP concept, which will not be allocated by any VMs as primary/secondary IPs

  • New Table: floating_ip
  • New APIs:
    • create/remove/list floating IP
    • associate/diassociate floating IP to VMs
  • manual/automatic  DNS registration




Database Changes

  • dns_server: Stores configured accounts on external DNS servers.

    • id (BIGINT, Primary Key)

    • uuid (VARCHAR(40))

    • name (VARCHAR(255)) - Human-readable name for the server instance (e.g., "NYC-PowerDNS-01", "Prod-Cloudflare").

    • provider_type (VARCHAR(255)) - Plugin identifier (e.g., powerdnscloudflarebind).

    • url (VARCHAR(255)) - Server API endpoint

    • port (INT)

    • api_key/credentials (Encrypted TEXT) - Secure storage for API authentication.

    • is_public (BOOLEAN) - Whether the DNS server is publicly accessible by other accounts without credentials.

    • public_domain_suffix (VARCHAR(255)) - The domain suffix can be used by other accounts without credentials (e.g., "public.prod.example.com").

    • name_servers (VARCHAR(255)) - The name servers, separated by comma ","

    • state (ENUM('Enabled', 'Disabled'))

    • created (DATETIME)

    • removed (DATETIME, NULL) - For soft deletion.

  • dns_zone: Represents a DNS zone (domain namespace) hosted on a DNS server.

    • id (BIGINT, Primary Key)

    • uuid (VARCHAR(40))

    • name (VARCHAR(255)) - Zone name (e.g., "prod.example.com").

    • dns_server_account_id (BIGINT, Foreign Key to dns_server.id) - The specific server hosting this zone.

    • external_reference (VARCHAR(255)) - The External Reference of this zone on external DNS servers.

    • domain_id (BIGINT, Foreign Key to domain.id, NULL) - For domain-specific zone ownership.

    • account_id (BIGINT, Foreign Key to account.id, NULL)

    • state (ENUM('Active', 'Inactive'))

    • created (DATETIME)

    • removed (DATETIME, NULL)

  • dns_zone_network_map: Stores the mappings of dns zone and cloudstack networks. Users can Link the zone to multiple networks for auto-registration.
    • id (BIGINT, Primary Key)
    • dns_zone_id (BIGINT, Foreign Key to dns_zone.id) - The dns zone.
    • network_id (BIGINT, Foreign Key to networks.id) - Network this zone is linked to.
    • sub_domain (VARCHAR(255)) - The sub domain name of the auto-registered DNS record
  • floating_ip: Stores floating IP addresses that can be dynamically associated with VMs
    • id (BIGINT, Primary Key)
    • uuid (VARCHAR(40))
    • ip_address (VARCHAR(40)) - The floating IP address.
    • network_id (BIGINT, Foreign Key to networks.id) - Network this IP belongs to.
    • account_id (BIGINT, Foreign Key to account.id) - Account owner.
    • domain_id (BIGINT, Foreign Key to domain.id) - Domain owner.
    • state (ENUM('Allocated', 'Associated', 'Released')) - IP allocation state.
    • associated_vm_count (INT) - Number of VMs currently associated (0 for none).
    • created (DATETIME)
    • removed (DATETIME, NULL) - Soft delete.

  • floating_ip_association: Maps floating IPs to VMs they're associated with.

    • id (BIGINT, Primary Key)

    • uuid (VARCHAR(40))

    • floating_ip_id (BIGINT, Foreign Key to floating_ip.id) - The floating IP.

    • vm_id (BIGINT, Foreign Key to vm_instance.id) - Associated VM.

    • created (DATETIME)

    • removed (DATETIME, NULL) - When association ended.

Non-Functional Requirements



User Interface

to be added.

Milestones


MilestonePlanned dateActual date
1Start development

2main Development is done

3dev testing is done

4add marvin/unit test

5Final dev review

6pass over to QA

7QA testing is done





References