Hi, I'm Graham Hayes. I work for Microsoft Azure currently. I was the PTL of OpenStack Designate, which is the DNS service project, for about four or five years, and I currently sit on the OpenStack Technical Committee. Contact details are there; there'll be links to the slides further on. If you have any questions later on throughout the event, just use any of these and I can help evangelize Designate even more.

So for those of you who aren't familiar with OpenStack: OpenStack is an open source infrastructure-as-a-service solution. It's made up of a huge amount of smaller discrete components that combine into one full solution, and Designate is just one part of that. You can see we're over here in the networking section. And because everything is discrete APIs, all the different components talk to each other over these APIs.

So the core design and the core tenets of OpenStack are that everything should be multi-tenant from the very beginning. It should support having discrete, segmented user space, so people can only see the things they are supposed to see. We have a common authorization and authentication layer, which is also another project within OpenStack, and it has a standard interaction, so all of the different OpenStack APIs have the same authorization middleware. OpenStack is an API layer; it generally doesn't implement a full data plane. So for example, with the compute project you can choose Xen or KVM or even Docker or Hyper-V, and the same goes for things like networking, where you can choose the different network providers, so you can use Cisco or whatever. Also, everything should be highly available from the beginning. Everything should have the ability to work active-active and scale out to allow for increased usage and HA.

So for Designate this means we have a pretty pluggable architecture. DNS is something that's generally quite custom in a lot of people's deployments.
So we allow users to extend what the core functionality is with fairly simple Python extension points. So you can add additional API endpoints; for example, when we had this deployed in HP Cloud we had to add a load of billing endpoints so the internal billing tools could collect usage and the number of records and zones created per user. We support a lot of different DNS servers, and we allow you to modify what notifications are emitted. So within OpenStack there's a standard scheme for emitting notifications when things are created, updated, deleted, or when things exist, but we allow you to write your own Python packages to emit what notifications you need. We support anything that has a SQLAlchemy backend, pretty much. There's some problems with Postgres right now, but in general, if your database is supported by SQLAlchemy, we can use that as a database store. We allow you to plug into different quota management. So there's a reference one built into Designate, but you can use the... there's about two or three others available within OpenStack at the moment. And then for policy, there again there's a reference policy implementation, but you can extend that to be whatever you want. So there's some people experimenting with things like Open Policy Agent and some of the other remote policy controls.

So the two main servers we really support are PowerDNS and BIND. Every single commit gets tested against those two. We do support Infoblox; that's tested semi-regularly. And we also support Designate as a Designate server. So for example, let's use the case where some people have an internal installed Designate but they're also using a cloud provider that runs it. We support some of the DNS services, mainly Akamai and Dynect. And there is experimental support for some things like the Microsoft DNS server and NSD and Knot. There's a full list at this slide here, at that address.

At its core, everything in Designate is scalable outwards.
There's no active-passive; it's all active-active. It all centers around a messaging queue; pretty much all of these interactions are done over a messaging queue, generally RabbitMQ. And so you can scale up: this was designed to run at Rackspace scale, which was a couple of million zones, and I run my personal one on an ARM box on Scaleway and it runs fine. Basically what happens: this is an eventually consistent API. So the API will always represent the desired state, but we use the DNS protocol itself to send zone transfers to update the DNS servers. Generally when you create or update a record, it's done by the API. Our business logic is done in the Designate central section, and then it will push out the notification to the set of workers that this zone has been updated. You need to notify the far side, the DNS servers, that something's changed. And then we wrote a very small DNS server in Python that can read our database directly, and that's used for sending zone transfers. We also have a producer which is used for recurring tasks, so for making sure that notifies haven't been lost or the zones are up to date. So we send the periodic tasks to go check everything: all the serials are what we expect and the zone contents are what we expect. And because we support so many different DNS servers, the backends are just pluggable pieces of Python that plug into the worker. So it knows, when it gets a zone create event for PowerDNS, it just sends an HTTP request to the PowerDNS API, whereas with BIND it'll use an rndc call, or for Akamai it's a different type of API call. We also support multiple pools of DNS servers, so you may have an internal R&D set of servers that are running just in your data center, and then more important central company servers that are run across your network, and then your external DNS is, say, in Akamai or Dynect.
Because of this pluggable system, we reuse the same infrastructure, so when you're creating the zone you can just give scheduling hints when you're sending the request to help it choose the right set of servers for your DNS zone. And it already uses the same infrastructure, so you don't have to run separate copies of the mini DNS server or the producer or workers per pool. It's just one module you use.

The API is the main interaction point for both end users and other OpenStack components. So we have quite a tight integration with the OpenStack networking service, which allows people to set reverse DNS entries for public IP addresses supported by OpenStack networking, and for users to create DNS names automatically. So you can tag a new OpenStack Neutron network with a DNS domain, and then when you create any new port on that network and you provide a DNS name, it'll auto-generate the A or AAAA records and the PTR records for that IP address. So we're pretty well integrated into the overall OpenStack ecosystem. We have a dashboard plugin. You can use the standard OpenStack CLI to do all the interactions with Designate; we don't have separate clients. If you use Heat, which a lot of the telecommunications companies have sort of standardized on for deploying apps, we have resources available in Heat to create and manage DNS zones and records. And as I said, the networking service has the integration to set up reverse DNS for ports as they're created.

We also have a separate plugin point which is called designate-sink. So this is for when systems don't necessarily have the logic to call out to Designate whenever something happens. This can listen to an AMQP queue and, as messages come in, act on them. So we have a reference implementation that will just create DNS names for Neutron ports, but it's a really powerful extension point.
So for example, there's an ISP in the U.S. that, every time they created a new tenant, which is a project, like a [unclear] control section in OpenStack, it would pre-create DNS zones and pre-fill the required information into us. There's others who update their records via it for load balancing or for HA. They just spin a message onto the queue and designate-sink will pick it up and act on it.

So just as an example: if you want to use OpenStack, use Designate to host, create a zone. There's a lot of installers, so if a provider like an ISP or your internal cloud is shipping an installer bundle as a Heat template, they can pre-provision all the required DNS entries. And then, because this can read values from other resources, if you had an OpenStack server resource, you could start creating the records as needed from the outputs of that.

Externally, we're pretty well integrated in Ansible. Again, it's the same as Heat; we have pretty good Terraform support. And then within Kubernetes, the external-dns project supports Designate natively as well. There is a certbot implementation plugin. It works reasonably well. I wrote it and use it, so if there's any problems, check. Again, I needed to use Let's Encrypt, so it was the easiest thing to do. We have pretty good SDK support, so there's Python, Java and Go SDK support, so if you decide you need to reimplement your own logic, it's all there. It's a pretty easy system to program against; it's a very simple API. Some examples later on you can see. And if we don't have an SDK for your language, shout, and I'd be more than willing to help people.

So again, this is just an example of an Ansible integration. It's a top-level supported part of the Ansible cloud extensions. Same for Terraform. It's a little small, but again, the OpenStack provider for Terraform has the DNS resources you need. So the standard CLI is pretty simple; it's verb-based. So in this case, openstack
zone list just lists all the zones you have. And this is choosing Vexxhost because this is one of the places I had domains. Creating is just openstack zone create followed by the required information. If you were using multiple pools, you could provide the scheduling hints here as well. And if you wanted to create a secondary zone, where we would pull information off of your own DNS server, it'd be added here as well.

So this is probably more useful if you look at the slides later, but the API is fairly self-explanatory. Whatever your endpoint is, slash zones lists all your zones, for example. And we tried to be as RESTful as possible, so there are links to pretty much everything in each of the objects, which makes it easier for programming against us. And then everything is nested, so you have your zone, its ID, followed by recordsets, which lists all its record sets, or recordsets slash the record set ID will show the precise record you're interested in.

This is just an example of the UI we have; it's fairly simple. It allows you to see what the status is. So as I said before, it's an asynchronous API, so if it knows the customer-facing DNS servers haven't been updated correctly, it'll show up here in the status, for example pending, or if there's a problem there. So we allow you to set the PTR records in the UI as well; you don't have to use the CLI or rely on the auto-generated records. And then as you're creating the floating IPs you can also set reverse DNS.

So in short, why should you use Designate? It's a real advantage if you're running a cloud, with the support for allowing all of your users to manage the reverse DNS without having to give them access to the full zone. It makes it much easier, having a multi-tenant DNS API. Because it's rather small and lightweight, and the authorization service Keystone is also quite small and lightweight,
if you just need DNS in a multi-tenant way, it's very easy to run, and allows you to provide a service to all your users. As I said, I run just Keystone, which is the authorization service, and Designate on a small ARM box, and I haven't had issues; it's just been running for a couple of years at this point. Because we support so many DNS servers, and we allow you to manage those servers directly, it means you can reuse existing DNS infrastructure. I know a lot of people who have pre-existing sets of servers around their companies, and the thought of trying to recreate everything from scratch can be quite daunting. So in the past it has allowed people to take their existing infrastructure and allow Designate to manage some of it.

So this is the set of lists of links. The slides are there as well. The Designate docs have everything from the install guides for Ubuntu, CentOS and SUSE Linux. The code is all here for the main service. We are on Freenode in the openstack-dns channel; I'm mugsie in that channel. I'm generally around European times, and more than willing to help anyone who has issues. We use the standard OpenStack mailing lists. And there are the slides. So with that, is there any questions?

So the question is, does it work with Kolla Ansible? Yes, it does. It's not quite point-and-click; there is a couple of extra steps you have to do. But I've actually helped a few people install using Kolla Ansible, and once we got it up and running, it was great. Any other questions? Go ahead.

For the OpenStack cloud providers, a lot of them use Designate. Azure doesn't, obviously; we had our own infrastructure long before I joined Azure. All of the cloud providers have their own DNS service that's kind of homegrown over the years. Most of the OpenStack distributions support Designate, and a lot of the public cloud providers have it.
So the likes of Vexxhost or City Network will all have Designate support. We've ten minutes left in this slot. Any other questions? Anything OpenStack, Graham is willing.

So the question is: we can automatically create A records based off an instance or a port being created in Nova or Neutron; does it create PTR records? By default, if you specify the DNS name and DNS domain, yes, it'll create the PTR record automatically. You can provision the floating IP and provide a PTR record later as well though, if you want. It doesn't have to be automatically provisioned.

The question is, do we support DNSSEC right now? No. It's been a bugbear of mine for a long time. I'm allergic to writing crypto code. So there's been a debate about how to do it. If people have ideas about how we can do it without re-implementing everything and managing and keeping keys in our own database, I'd be delighted to talk, but it's not super high and it's a lot of work for not necessarily a huge amount of payoff. We have some PowerDNS and BIND developers in the room if you need any.

Have you found that supporting multiple name servers makes the coding harder? Yes. Yeah, so for BIND it's not that hard, because they both have fairly established APIs for creating and managing zones. It got a little harder with some of the things like Knot that required local commands to be run on the DNS server. PowerDNS before the API had, in all honesty, awful code we wrote to manage the creation and deletion of zones, but since the API came in, it's a REST call. It's good to hear. Yes.

Yeah, so for one of the pools of my personal... What's your [unclear]? Can you run it all in one box? Yes. So for one of the pools on my personal setup, there's the entire OpenStack and the DNS server on one box, and it also has other pools that are remotely managed. So yeah, you can run everything on one and there's no issue.
Is it useful to run all of OpenStack on one box? I don't run all of OpenStack; I run Keystone and Designate for my personal install. In general, no, it's not useful to run OpenStack on one box. Yeah, for testing and development, it's great. You're not going to get a lot of value if you install all of OpenStack on one box and expect it to manage and host VMs in a relatively stable manner.

Perl SDKs. Perl SDKs. Are you going to do Perl SDKs? If somebody who can write Perl is interested... I honestly can't write Perl. Can you write Perl? Okay, you have a volunteer. Great. Any other questions for Graham? Thank you, Graham. Thank you. You can take a bottle.
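Added example, not part of the talk and not code from the Designate project: a small offline walk-through of the two points the talk makes about the API, the nested URL layout (zones, then recordsets under each zone) and the eventually consistent status model (the API reflects the desired state at once, but a zone stays pending until the workers have pushed it to the real name servers). The endpoint URL, the zone and recordset IDs, and the FakeDesignate class that stands in for the HTTP transport are all constructed for this example; the URL shapes and the status values follow the Designate v2 API as described in the talk.

```python
"""Added example (not from the talk or the Designate project): the Designate v2
URL layout and a poller for its asynchronous PENDING -> ACTIVE status model.

Constructed for this example: ENDPOINT, the zone/recordset IDs, and
FakeDesignate, which stands in for a real authenticated HTTP GET.
"""
import time
from typing import Callable, Dict, Optional

ENDPOINT = "https://dns.example.test/v2"  # constructed endpoint, not a real service


def zone_url(endpoint: str, zone_id: Optional[str] = None) -> str:
    """'/zones' lists all zones; '/zones/<id>' addresses one zone."""
    base = endpoint.rstrip("/") + "/zones"
    return base if zone_id is None else f"{base}/{zone_id}"


def recordset_url(endpoint: str, zone_id: str, recordset_id: Optional[str] = None) -> str:
    """Recordsets are nested under their zone: /zones/<id>/recordsets[/<rs_id>]."""
    base = zone_url(endpoint, zone_id) + "/recordsets"
    return base if recordset_id is None else f"{base}/{recordset_id}"


class ZonePropagationError(RuntimeError):
    """Raised when the backend name servers never reached the desired state."""


def wait_for_active(fetch: Callable[[str], Dict], url: str,
                    max_polls: int = 10, delay: float = 0.0) -> Dict:
    """Poll a zone or recordset until the DNS servers behind the API have it.

    The API answers immediately with the desired state; 'status' stays PENDING
    until the workers have updated the name servers, or becomes ERROR if that
    failed. A client must not treat a 2xx on create as "the record resolves".
    """
    obj: Dict = {}
    for _ in range(max_polls):
        obj = fetch(url)
        if obj["status"] == "ACTIVE":
            return obj
        if obj["status"] == "ERROR":
            raise ZonePropagationError(f"{url}: {obj.get('action')} failed on the backend")
        time.sleep(delay)
    raise ZonePropagationError(f"{url}: still {obj.get('status')} after {max_polls} polls")


class FakeDesignate:
    """Constructed stand-in for the API (hypothetical, not the real client):
    one zone that turns ACTIVE after `polls_until_active` reads, mimicking the
    eventual consistency the talk describes."""

    def __init__(self, endpoint: str, zone_id: str, polls_until_active: int,
                 fail: bool = False):
        self.url = zone_url(endpoint, zone_id)
        self.remaining = polls_until_active
        self.fail = fail
        self.calls = 0

    def fetch(self, url: str) -> Dict:
        if url != self.url:
            raise KeyError(url)  # a real deployment would answer 404 here
        self.calls += 1
        self.remaining -= 1
        if self.fail:
            status = "ERROR"
        else:
            status = "ACTIVE" if self.remaining <= 0 else "PENDING"
        return {
            "id": url.rsplit("/", 1)[1],
            "name": "example.test.",           # constructed zone name
            "action": "NONE" if status == "ACTIVE" else "CREATE",
            "status": status,
            "serial": 1700000000,
            "links": {"self": url},            # the self-links the talk mentions
        }


def demo() -> int:
    """Create-then-wait flow against the fake; returns how many polls it took."""
    fake = FakeDesignate(ENDPOINT, "a1b2c3", polls_until_active=3)
    zone = wait_for_active(fake.fetch, fake.url)
    assert zone["links"]["self"] == fake.url
    return fake.calls


if __name__ == "__main__":
    print("zone list URL:", zone_url(ENDPOINT))
    print("one recordset:", recordset_url(ENDPOINT, "a1b2c3", "rs-1"))
    print("polls until ACTIVE:", demo())
```

Against a real deployment, `fetch` would be an HTTP GET carrying the Keystone token as `X-Auth-Token`; the poller is the part worth keeping, because automation that assumes a record exists the moment the create call returns will race the workers and the zone transfers.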