StackExchange / dnscontrol

Infrastructure as code for DNS!
https://dnscontrol.org/
MIT License

ROUTE53 Add Alias Support for S3 buckets #1539

Open jzhang-sre opened 2 years ago

jzhang-sre commented 2 years ago

It would be nice if dnscontrol supported Route 53's alias feature that allows A records to point to S3 buckets. This allows you to create redirects even for apex domains.

More details here: https://aws.amazon.com/premiumsupport/knowledge-center/redirect-domain-route-53/


tlimoncelli commented 2 years ago

CC @tresni

tresni commented 2 years ago

I would expect this to work using an ALIAS record in dnscontrol but we might need some additional metadata. I’ll double check when I get home tonight.

tlimoncelli commented 2 years ago

It would be great if dnscontrol could update the S3 bucket too. That way there's a complete all-in-one solution for redirect domains. That is, the user could list something like this in dnsconfig.js:

R53_REDIRECT("www", "https://newplace.example.com")

tresni commented 2 years ago

@jzhang-sre R53 alias records are already supported using the R53_ALIAS function. It specifically supports mapping to S3 buckets and other AWS specific endpoints. I'm not sure why this was implemented differently from just the standard ALIAS function though, maybe @tlimoncelli can speak to this. (If I were submitting a new R53 provider, I would personally have implemented this as an ALIAS record that simply threw an error if the target was invalid from an AWS standpoint. Might look at doing a PR to implement this.)

@tlimoncelli Redirects like that would require either S3 + Cloudfront or an ALB, it's possible to do, but it goes well above DNS functionality IMO and would generally be better handled by terraform or cloudformation. Just my 2c ;-)

tlimoncelli commented 2 years ago

Yes, they are similar. ALIAS and R53_ALIAS provide different features. Alias should be generic. (provider)_ALIAS should implement all the cool features (provider) can support.

For some providers an "ALIAS" is like a CNAME... for others it is an HTTP 301/302 redirect.

Ideally we'd have GENERIC_REDIRECT() and (provider)_REDIRECT() for each provider that supports it. The generic one would just do the most simple redirects, no regular expressions, substitutions, etc.

Yes, this isn't a DNS function and I could justify using terraform instead. However, it is a common feature of DNS providers and I know that Stack Overflow would appreciate a dnscontrol-managed redirect.

tresni commented 2 years ago

This ended up way longer than I intended, sorry about that.

I'm not sure that ALIAS, R53_ALIAS, AKAMAICDN are actually providing different features. AWS's use of aliases is similar to Cloudflare's CNAME flattening, just with restrictions of same zone or certain AWS domains (amazonaws.com and cloudfront.net from what I can tell.) Using ALIAS would also make zones more portable, as you would likely want the CNAME flattening functionality of Cloudflare if you were moving between them. Even AKAMAICDN is effectively what we are calling an ALIAS record (it points some record at some target and uses the target's records as its records. I disagree with https://groups.google.com/g/dnscontrol-discuss/c/uHr-2kR1StM/m/ZxHSiCmUAgAJ , I think it does meet the definition of effectively a CNAME at the apex, just with additional restrictions on target validity.)

D("example.com", REG_AWS, DnsProvider(DNS_AWS),
  A("@", "198.51.100.1"),
  A("target", "198.51.100.2"),
  ALIAS("foo", "some-bucket.s3-website-us-east-1.amazonaws.com."), // No need for R53_ALIAS
  ALIAS("bar", "target")
)

D("example.org", REG_AKAMAI, DnsProvider(DNS_AKAMAI),
  A("@", "198.51.100.1"),
  A("target", "198.51.100.2"),
  ALIAS("foo", "some.valid.target.i.dont.use.akamai.cdn."), // No need for AKAMAICDN specific record type
)

AZURE_ALIAS is the only one that feels a little weird to me as its target is not a valid hostname. That may not be an issue, I could see it looking something like:

D("example.com", REGISTRAR, DnsProvider("AZURE_DNS"),
  ALIAS("foo", "/subscriptions/726f8cd6-6459-4db4-8e6d-2cd2716904e2/resourceGroups/test/providers/Microsoft.Network/trafficManagerProfiles/testpp2", AZURE_A_ALIAS()), // record for traffic manager
  ALIAS("bar", "/subscriptions/726f8cd6-6459-4db4-8e6d-2cd2716904e2/resourceGroups/test/providers/Microsoft.Network/dnszones/example.com/A/quux.", AZURE_CNAME_ALIAS()), // record in the same zone
);

I've got similar feelings about REDIRECT (side question, is this what URL and URL301 are for?) I've got another, about as long, idea written up, but don't want to get too far off track from ALIAS ;-)
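
The target check discussed in this thread (a generic ALIAS that errors when the target is not valid for Route 53), as an added example that is not part of the thread or of dnscontrol's code. `checkR53AliasTarget`, `toFqdn`, `isWithin` and the suffix list are hypothetical; the two suffixes are the ones named in the comment above, and the real Route 53 list may differ.

```javascript
// Added example: hypothetical helper, not part of dnscontrol.
// Suffixes are the two named in the thread (an assumption, not AWS's full list).
const AWS_ALIAS_SUFFIXES = ["amazonaws.com", "cloudfront.net"];

// True when `name` equals `domain` or is a subdomain of it. Matching on the
// label boundary keeps "notamazonaws.com" from passing as "amazonaws.com".
function isWithin(name, domain) {
  return name === domain || name.endsWith("." + domain);
}

// Resolve a dnsconfig.js-style target to a lower-case FQDN without the
// trailing dot: "@" is the apex, a single label is relative to the zone,
// and a dotted name must end with "." to count as fully qualified.
function toFqdn(target, zone) {
  if (typeof target !== "string" || target.length === 0) {
    throw new Error("ALIAS target must be a non-empty string");
  }
  const t = target.toLowerCase();
  if (t === "@") return zone.toLowerCase();
  if (!t.includes(".")) return t + "." + zone.toLowerCase();
  if (!t.endsWith(".")) {
    throw new Error(`ALIAS target "${target}" has dots but no trailing "."`);
  }
  return t.slice(0, -1);
}

// Classify an ALIAS target for a Route 53 zone, or throw if it is neither
// in the same zone nor under one of the assumed AWS suffixes.
function checkR53AliasTarget(zone, target) {
  const fqdn = toFqdn(target, zone);
  if (isWithin(fqdn, zone.toLowerCase())) return { fqdn, kind: "same-zone" };
  if (AWS_ALIAS_SUFFIXES.some((s) => isWithin(fqdn, s))) {
    return { fqdn, kind: "aws-endpoint" };
  }
  throw new Error(`ALIAS target "${fqdn}" is not valid for Route 53`);
}

// Constructed sample inputs, mirroring the records in the comment above.
const samples = ["target", "some-bucket.s3-website-us-east-1.amazonaws.com.",
                 "notamazonaws.com.", "www.example.net."];
for (const t of samples) {
  try {
    console.log(t, "->", checkR53AliasTarget("example.com", t).kind);
  } catch (e) {
    console.log(t, "-> rejected:", e.message);
  }
}
```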