Config option to prevent zeronsd from changing Central's DNS settings #205
Comments
|
Thanks for writing that up. I think it makes sense. You want your clients to use 192.168.1.2 for sub.company.tld. They can get to this server via a zerotier "router". 192.168.1.2 will ask zeronsd regarding any zt.sub.company.tld names. zeronsd clobbers the search-domain and servers on central. I guess another alternative would be having flags to specify those values, if they are different than the default.
can't think of good flag names at the moment. a any thoughts, @someara I'm not sure if we're able to cut a release soon. Would you be ok building from source for a bit? edit: a --no-configure option would let zeronsd run with an api token that doesn't have write access. it would only need read access. |
All correct!
IMO I don't see why zeronsd should bother with adding this sort of feature. These values tend to be set once and never changed, so doing that in Central vs zeronsd isn't a big deal – and if they are changed, a potential issue could be that you change the values in Central, but forget about the zeronsd config so a month later zeronsd gets restarted and changes them back to the old values. EDIT: Actually you'd likely need to change the domain configured in zeronsd as well, so maybe this issue would only happen if you're only changing IPs.
Realistically I'm not sure I'll be able to work on a PR any time soon, so I'll be sticking with my workaround for a bit anyway 🙂.
That would be a nice side effect for us! |
|
Not that I would actually bother with this, but would this no-configure-central option allow for running multiple zeronsd instances on the same network, e.g. for high availability of the delegated DNS zone? Is there anything else in zeronsd preventing that? |
For zerotier#205 Makes it not configure the dns servers and domain on the zerotier network in my.zerotier.com
For zerotier#205 Makes it not configure the dns servers and domain on the zerotier network in my.zerotier.com
|
give that a shot if you get a chance |
|
There's nothing preventing you, but honestly, it screams of a future UX issue, so I avoided it when I was working on the project. Hope that adds context.
…------- Original Message -------
On Thursday, March 23rd, 2023 at 4:02 PM, Travis LaDuke ***@***.***> wrote:
give that a shot if you get a chance
—
Reply to this email directly, [view it on GitHub](#205 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AAAET243XXMZNBD5DZX5OE3W5TI7LANCNFSM6AAAAAAU6TV4XQ).
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
|
Would love to hear your thoughts. The default is still "yes" |
|
well if someone enables it, but the domain doesn't match what the daemon thinks the domain should be in the API, you're probably gonna have issues.
In the non-domain case, it should pull the settings from the API, otherwise DNS responses aren't going to match because after the API call, zeronsd doesn't really do much synchonously with the API to confirm that the TLD in use is the TLD that's expected.
…------- Original Message -------
On Thursday, March 23rd, 2023 at 4:07 PM, Travis LaDuke ***@***.***> wrote:
Would love to hear about it
—
Reply to this email directly, [view it on GitHub](#205 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AAAET27B4OUBDG6KWGCWSYTW5TJU7ANCNFSM6AAAAAAU6TV4XQ).
You are receiving this because you commented.Message ID: ***@***.***>
|
Do you mean that when |
Feature request
In our environment, we'd like ZT Central to be configured with a different search domain and DNS server address than zeronsd. Currently, zeronsd changes Central's config to match its own at startup. Could a config option be added to zeronsd to prevent this behaviour? Something like
--no-auto-config-centralor--auto-config-central=false.I've never used Rust before, but I'd be willing to attempt a PR if this feature's accepted. Looks like it would just require adding a flag/config option, and a condition around this call?
Our use case / environment
Our environment is as follows:
192.168.1.0/24,192.168.2.0/24).192.168.3.0/24).192.168.4.0/24).net.ipv4.ip_forward=1(per these docs) on a separate network192.168.111.0/24in an office, joined to ZeroTier. ZeroNS is installed on this VM. IPs are192.168.4.1and192.168.111.2.192.168.1.2,192.168.2.2).sub.company.tld(e.g.client1would beclient1.sub.company.tld).zt.sub.company.tld(e.g.client1– if it's on ZeroTier – would also exist atclient1.zt.sub.company.tld).zt.sub.company.tldzone to ZeroNS (using the IP192.168.4.1, since ZeroNS doesn't listen on the VM's non-ZeroTier address).In ZT Central, we want to use
sub.company.tldand192.168.1.2(main DNS server).The problem is that ZeroNS changes Central's config to
zt.sub.company.tldand192.168.4.1. So if I'm onclient1on ZeroTier and want toping server1, it will try to pingserver1.zt.sub.company.tld, butserver1isn't on ZeroTier so this won't work.Of course, if we want to ping a zerotier client we'll need to use its FQDN of
client1.zt.sub.company.tld. Slightly inconvenient, but an acceptable tradeoff; we may decide to addzt.sub.company.tldto our search domain list in the future, but currently it looks like Central only supports setting a single search domain, so we'd be back to things behaving differently on ZT clients unless Central adds support for multiple domains.Current workaround
For anyone interested, my current workaround is to change Central's config when the ZeroNS VM reboots. Just a crontab entry of
@reboot /path/to/fix-zt-central-dns.sh, withfix-zt-central-dns.shas follows:(This could be improved by running whenever zeronsd (re-)starts instead of at reboot, this was simpler and good enough for now.)
Alternative feature designs
In our case, an all-or-nothing flag would be ideal. Though maybe some users would find value in being able to control whether ZeroNS updates the domain, servers, both, or none; for example, the flag might look like
--auto-config-central=domain. Personally I think this would be unnecessary complexity, since the values for domain and servers are unlikely to change often, and are easy enough to change manually when they do.The text was updated successfully, but these errors were encountered: