Follow james_raftery on Twitter

route53d

Amazon Route 53 DNS frontend

[ README | Download source | Less info. ]
MD5 (route53d-0.01-alpha.tgz) = 490a7229b1e5044a7bfad6f97a440d30 Released 15th December 2010
Copyright (c) 2010 James Raftery. All rights reserved.

Introduction

route53d is a DNS frontend to the Amazon Route 53 API. It allows you to use standard DNS tools to make changes to your Route 53 zones. At the moment it supports adding and deleting resource records by dynamic update (e.g with nsupdate).

Support for slaving from your master DNS server by incremental zone transfer (IXFR) and pushing zones changes to the API is nearly complete. It is available in the Google Code repository.

Download route53d-0.01-alpha.tgz. This is an early release. Please let me know how you fare. Email james .at. now .dot. ie

Requirements

Installation

  1. Install Python, dnspython and Boto according to their documentation. This may help
  2. route53d uses Boto to call the Route 53 API. Configure Boto with your AWS access key
  3. Create a config file. Use route53d.ini.sample as the starting point
  4. Start the daemon: route53d.py [--config /path/to/route53d.ini]

Try it out

I have the daemon listening on localhost:5454 on my dev host. Feed nsupdate statements to create ten resource records:

% (echo "server 127.0.0.1 5454";
   echo "zone foo.com.";
   for i in `jot -c 10 a`; do 
   echo "update add $i.foo.com. 900 IN TXT foo-$i"; 
   done;
   echo send) | nsupdate
%

The logs from route53d say:

2010-12-15 22:33.22 GMT - 41805 - INFO - UPDATE from 127.0.0.1: foo.com. IN SOA
2010-12-15 22:33.24 GMT - 41805 - INFO - ChangeID: /change/C1752KTOAK42ZN Status: PENDING

And a few moments later the change is on the Route 53 DNS servers:

% for i in `jot -c 10 a`; do dig @ns-1649.awsdns-14.co.uk. $i.foo.com. txt +short; done  
"foo-a"
"foo-b"
"foo-c"
"foo-d"
"foo-e"
"foo-f"
"foo-g"
"foo-h"
"foo-i"
"foo-j"
%

Help!

Email me: james .at. now .dot. ie
Bug reports (with debug logs please!) and patches are very welcome!

Future work

Started

IXFR
React to a NOTIFY message, use IXFR to fetch incremental changes from an upstream DNS server, push each zone increment as one API call.
Status: 80% complete.
Answer SOA queries for IXFR slave zones
Respond with the current SOA for a zone that is slaved via IXFR to allow DNS based monitoring of API update progress.
Status: 40% complete.

Not yet started

Remove the deletion TTL kludge
Need to be able to populate record TTLs in API delete calls. Query from DNS? Very non-atomic ...
Use the ListHostedZones API
Call the API at startup instead of configuring each HostedZone ID in the config file. For the moment I want the script to only mess with zones that have been specifically marked as safe to play with
AXFR
An upstream server responding to IXFR can require the client to fallback to AXFR
Authentication
Authenticate dynamic updates, notifies and IXFR/AXFR by TSIG. Maybe support authorization by IP address
Pending change polling
Maintain a queue of pending changes and poll the API asynchronously to log when a change is complete
Review the process model
It's a bit clunky. When the script internals settle down should see if there's a more appropriate way to split up the work
Cleanly handle API limits
Code for the maximum number of changes per call (1000) and maximum amount of record data (32000B) per call

Caveats

At the moment there is no authentication. Be sure that route53d isn't reachable from untrusted sources.

The DNS dynamic update mechanism allows deletion of 1) a specific resource-record, 2) a resource-record set, or 3) deletion of all records belonging to a name. The Route 53 API implements only specific resource-record deletion so route53d will reject requests for the other deletion types.

Licence

route53d is free software. It is released under a 3-clause BSD licence. The licence text is in the script.

$Id: index.html,v 1.4 2010/12/16 02:32:19 lecter Exp lecter $