f5-appsvcs-extension
f5-appsvcs-extension copied to clipboard
F5Networks
Enable additional DNS Cache functiopnality
There is no ability to create DNS Resolver and DNS validating Resolver cache types
I would like the AS3 team to build this functionality. This is especially important as there is no ability to create any Cache's natively on BIG-IQ so naturally that team is suggesting to use AS3 on BIG-IQ. I would rather use f5 built and supported functions.
Alternative methods are: tmsh commands to create these - not very automatable, use ansible, but then I can't use BIG-IQ to deploy automation workloads.
Since AS3 doesnt have this ability there is no way to use an AS3 declaration in BIG-IQ which is very limiting.
Can I also add a vote for this enhancement. AS3 only allows cache type "transparent".
Could either of you provide example tmsh configurations of the configuration you are looking for?
Could either of you provide example tmsh configurations of the configuration you are looking for?
Yes here are examples for the three types of resolvers you can create via tmsh:
1. create ltm dns cache validating-resolver tmsh-validating-resolver answer-default-zones yes Options are: allowed-query-time forward-zones max-concurrent-tcp randomize-query-name-case rrset-rotate use-tcp. answer-default-zones ignore-cd max-concurrent-udp response-policy-zones trust-anchors use-udp. app-service key-cache-size msg-cache-size root-hints unwanted-query-reply-threshold description local-zones nameserver-cache-count route-domain use-ipv4. dlv-anchors max-concurrent-queries prefetch-key rrset-cache-size use-ipv6
2. create ltm dns cache resolver tmsh-cache-resolver answer-default-zones yes Options are: allowed-query-time local-zones nameserver-cache-count root-hints use-ipv4 answer-default-zones max-concurrent-queries nameserver-min-rtt route-domain use-ipv6 app-service max-concurrent-tcp nameserver-ttl rrset-cache-size use-tcp description max-concurrent-udp randomize-query-name-case rrset-rotate use-udp forward-zones msg-cache-size response-policy-zones unwanted-query-reply-threshold
3. create ltm dns cache transparent tmsh-transparent-cache answer-default-zones yes Options are: answer-default-zones description msg-cache-size rrset-cache-size { app-service local-zones response-policy-zones rrset-rotate
Please see the tmsh manual here - https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/ltm/ltm_dns_cache_resolver.html
@yxeGithub Thank you for this additional information. It is very helpful for making sure we are all talking about the same things.
I have added this request to our internal product backlog as AUTOTOOL-3342.
Hi - sorry about the late reply from me. The main reason I was supporting this is because with a transparent cache you cannot have multiple forwarders (to my knowledge). I can get around the lack of a resolver cache in AS3 by using the transparent cache which I then point to a pool, and in the pool I can define an IP address for forwarding traffic onwards to a remote resolving DNS, whilst still having a local zone defined. However, because I only have one pool option, I can only have one (unconditional) forwarder for all DNS queries.
With a resolver cache, I can have multiple conditional forwarders (forward-zones) for specific domain queries, I can also have an unconditional forwarder defined for all other queries (forward-zone with '.' defined as domain), and then still have the ability to define a local zone on the F5 as well (local-zones).
Example:
ltm dns cache resolver /mypartition/dnscache-azure-myenv {
forward-zones {
. {
nameservers {
8.8.8.8:53 { } <<< THIS IS AN UNCONDITIONAL FORWARDER TO A PUBLIC DNS SERVER
}
}
myo365domain.onmicrosoft.com. {
nameservers {
192.168.1.0:53 { } <<< THIS IS A CONDITIONAL FORWARDER FOR ANOTHER INTERNAL DNS SERVER
192.168.1.1:53 { }
}
}
internal.mydomain2.com. {
nameservers {
192.168.10.0:53 { } <<< THIS IS A CONDITIONAL FORWARDER FOR ANOTHER INTERNAL DNS SERVER
192.168.11.1:53 { }
}
}
}
local-zones {
{
name in-addr.arpa.
records { "192.168.1.0.in-addr.arpa. 3600 IN PTR ns1.mydomain.internal." "166.0.16.172.in-addr.arpa. 3600 IN PTR ns2.mydomain.internal." "196.0.16.172.in-addr.arpa. 3600 IN PTR ns3.mydomain.internal." "198.0.16.172.in-addr.arpa. 3600 IN PTR ns4.mydomain.internal." }
}
{
name mydomain.internal.
records { "ns1.mydomain.internal. 3600 A 192.168.1.164" "mydomain.internal. 3600 NS ns1.mydomain.internal." "mylocalmachine1.mydomain.internal 3600 A 192.168.1.11" "mylocalmachine2.mydomain.internal 3600 A 192.168.1.12" }
type deny
}
}
route-domain /Common/0
use-ipv6 no
use-tcp no
}
@antonywm please can you contact AS3 PM at [email protected] so i can capture the missing or broken stuff in AS3
will do. The broken stuff is all covered by issues opened in this repo - currently waiting fixes for everything.
Hi, AUTOTOOL-3684 has been created for the same and added to our internal backlog.
@antonywm @f5-alex-zaets we are almost done with this task. The only thing left is to investigate if we can use DNS_Zone from /Common(or switch to use in schema reference). If so, this task is mostly done and would be delivered in AS3 44. You ok to use a pointer to DNS_Zone from /Common?
Hi @mdditt2000 not 100% sure of the question do you mean the cache has to be in /Common? If so that isn’t an issue for me as although my example showed it in a partition, in reality I’d config it into Common
@antonywm thank you. Updating the Jira and requesting @f5-alex-zaets to commit the changes
Hi @mdditt2000 did this miss release 44? Just tested but it is not in the release:
"errors": [
"/TEST-CACHE/TESTAPP/Test-cache/type: should be equal to one of the allowed values [\"transparent\"]"