k8gb-io/k8gb

Describe possible ways to work around Private Hosted zones issues

Opened this issue · 4 comments

k0da commented

At least Route53 lacks support for NS record types in Private Hosted Zones. We need to cover such cases and document ways around such issues.

Adding a few supporting facts as food for thought:

AWS:

You cannot create NS records in a private hosted zone to delegate responsibility for a subdomain.

Azure:

You can't create zone delegations (NS records) in a private DNS zone. If you intend to use a child domain, you can directly create the domain as a private DNS zone. Then you can link it to the virtual network without setting up a nameserver delegation from the parent zone.

GCP:

Note: Managed private zones do not support custom resource record sets of type NS.

I assume that "Private Hosted zones issues" is mostly the inability to create NS records + glue A records (aka zone delegation) in private VPC environments; well, for AWS we are somehow able to create them, but then they do not work.

Can't we put the public hosted zone@Route53 as a requirement for k8gb also for the VPC use-case? They have that hybrid thing called ClassicLink:

"By default, if you use a public DNS hostname to address an instance in a VPC from a linked EC2-Classic instance, the hostname resolves to the instance's public IP address. The same occurs if you use a public DNS hostname to address a linked EC2-Classic instance from an instance in the VPC. If you want the public DNS hostname to resolve to the private IP address, you can enable ClassicLink DNS support for the VPC. For more information, see Enable ClassicLink DNS support."
--https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-classiclink.html#classiclink-enable-dns-support

So if a company wants their stuff to be private in the VPC but at the same time use k8gb for failover, for instance, they need to have at least one public hosted zone that will set up the host delegation test.k8gb.io -> ${foobar_cloud_id}.test.k8gb.io, where we have a way to update the records in the CoreDNS.

If the initiator of the DNS call lives in the VPC, this is OK, because all the resolved IPs should be reachable, but if it's a client from the "public internets", then one of the DNS servers will be private and this mechanism will fail, but it's kinda expected because they don't have access to the VPC.
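As an added illustration of the two failure modes described in this comment (NS records in a private zone not taking effect, and a public client being unable to reach a delegated nameserver that only has a VPC address), here is a small offline pre-flight check. It is example code, not code from k8gb or from anyone in this thread; the zone name, nameserver names and addresses are constructed, and 203.0.113.0/24 (a documentation range) stands in for a public address.

```python
import ipaddress

# Address ranges a VPC typically uses; a client on the public internet
# cannot route to these.  Everything else is treated as publicly reachable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample: a parent zone delegating test.k8gb.io to two
# k8gb-managed nameservers, one public and one living inside a VPC.
DELEGATION = {
    "zone": "test.k8gb.io.",
    "private_zone": False,
    "ns": {
        "gslb-ns-eu-cloud.test.k8gb.io.": "203.0.113.10",  # stand-in public IP
        "gslb-ns-us-cloud.test.k8gb.io.": "10.20.30.40",   # VPC-only IP
    },
}


def reachable_from(ip: str, client_in_vpc: bool) -> bool:
    """A VPC client reaches everything; a public client only non-private IPs."""
    addr = ipaddress.ip_address(ip)
    return client_in_vpc or not any(addr in net for net in PRIVATE_NETS)


def check_delegation(delegation: dict, client_in_vpc: bool) -> dict:
    """Predict whether the NS delegation works from a given vantage point.

    Rules taken from the issue discussion:
      * NS records in a private hosted zone are not honoured, so the
        delegation never takes effect regardless of where the client sits.
      * Otherwise every delegated nameserver must be reachable; a public
        client cannot reach a nameserver that only has a private address.
    """
    if delegation["private_zone"]:
        return {"status": "no-delegation", "unreachable": sorted(delegation["ns"])}
    unreachable = sorted(ns for ns, ip in delegation["ns"].items()
                         if not reachable_from(ip, client_in_vpc))
    if not unreachable:
        status = "ok"
    elif len(unreachable) < len(delegation["ns"]):
        status = "partial"   # some clusters unreachable: failover cannot work
    else:
        status = "broken"
    return {"status": status, "unreachable": unreachable}


if __name__ == "__main__":
    for in_vpc in (True, False):
        print("inside VPC" if in_vpc else "public client",
              check_delegation(DELEGATION, in_vpc))
```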

@jkremser not sure we can raise that as a requirement, but rather as a recommendation; it is up to users to decide about their infra.
There might be security reasons behind the decision to use a private hosted zone only, so that company DNS resources are not publicly resolvable.

so that company DNS resources are not publicly resolvable.

right, that also came to my mind. On the other hand there is no zone transfer support for Route53 afaik, so one/attacker can't easily list all the records with something like this