Current Series Release Notes
22.0.0-22
New Features
TLSA recordset type has been added. All users can now create and manage TLSA records via the API and the OpenStack client. This enables DANE-based certificate validation directly through Designate.
The worker can now optionally sign NOTIFY and SOA poll messages with a TSIG key. In split-horizon deployments where the DNS server routes queries based on TSIG keys, this ensures that NOTIFY and serial polling reach the correct view regardless of the worker’s source IP.
To enable, set tsigkey_id on pool nameservers and/or pool targets in pools.yaml, referencing a TSIG key created via the Designate API. When not set, the worker sends unsigned queries as before.
The zone import endpoint (POST /v2/zones/tasks/imports) now accepts application/json as a content type in addition to text/dns. When using JSON, the request body can include a zonefile field containing the zonefile content and an optional attributes field with zone attributes (e.g. pool_id). This allows imported zones to be scheduled to a specific pool, which was previously not possible. The existing text/dns behavior is unchanged.
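As an added example (not code from the Designate project), the JSON import request described above is built and sent with the Python standard library; the API base URL, auth token and pool id are placeholders, and the zonefile is constructed for illustration.

```python
"""Import a zone into Designate through POST /v2/zones/tasks/imports using JSON."""
import json
import re
import urllib.request

# Constructed sample zonefile for the example; any RFC 1035 zonefile works.
SAMPLE_ZONEFILE = """\
$ORIGIN example.org.
$TTL 3600
@    IN SOA ns1.example.org. admin.example.org. 2024010101 3600 900 604800 300
@    IN NS  ns1.example.org.
ns1  IN A   192.0.2.10
"""


def build_import_request(zonefile, pool_id=None):
    """Return the JSON body for the import endpoint.

    'zonefile' carries the zone text; 'attributes' is only included when a
    pool_id is given, which pins the imported zone to that pool.
    """
    # Designate derives the zone name and serial from the SOA, so refuse to
    # send a zonefile that cannot possibly import cleanly.
    if not re.search(r"\bSOA\b", zonefile):
        raise ValueError("zonefile must contain an SOA record")
    body = {"zonefile": zonefile}
    if pool_id is not None:
        body["attributes"] = {"pool_id": pool_id}
    return body


def import_zone(api_base, token, zonefile, pool_id=None, opener=urllib.request.urlopen):
    """POST the import and return the decoded JSON response.

    api_base is the Designate endpoint (assumed placeholder), token an OpenStack
    auth token sent in X-Auth-Token. 'opener' is injectable for offline testing.
    """
    payload = json.dumps(build_import_request(zonefile, pool_id)).encode("utf-8")
    req = urllib.request.Request(
        api_base.rstrip("/") + "/v2/zones/tasks/imports",
        data=payload,
        headers={
            "Content-Type": "application/json",  # the new content type
            "Accept": "application/json",
            "X-Auth-Token": token,
        },
        method="POST",
    )
    with opener(req) as resp:
        return json.load(resp)
```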
Known Issues
Only standard TLSA parameters are supported (usage, selector, matching type, certificate data). Arbitrary extensions or non-standard formats are not currently supported.
Upgrade Notes
A new tsigkey_id column has been added to the pool_nameservers table. Run designate-manage database upgrade to apply the migration. The column is nullable and defaults to NULL, so no action is required for existing deployments.
Python 3.10 support has been dropped. The minimum version of Python now supported is Python 3.11.
Bug Fixes
Fixed mDNS _handle_record_query to use TSIG-based pool scoping when looking up SOA and other record queries. Previously, when the same zone name existed in multiple pools (e.g. split-horizon DNS), the handler would find multiple matching recordsets and return REFUSED. The handler now resolves the zone first using the TSIG key's pool_id, then looks up the recordset within that zone.
Fixed a bug that prevented zones from being moved from non-default pools to default pools.
Other Notes
TLSA records follow RFC 6698. Clients and resolvers must support DANE to fully utilize these records. Ensure your DNS server software is updated to support TLSA queries and responses correctly.