Current Series Release Notes
22.0.0-30
New Features
TLSA recordset type has been added. All users can now create and manage TLSA records via the API and the OpenStack client. This enables DANE-based certificate validation directly through Designate.
The worker can now optionally sign NOTIFY and SOA poll messages with a TSIG key. In split-horizon deployments where the DNS server routes queries based on TSIG keys, this ensures that NOTIFY and serial polling reach the correct view regardless of the worker’s source IP.
To enable, set tsigkey_id on pool nameservers and/or pool targets in pools.yaml, referencing a TSIG key created via the Designate API. When not set, the worker sends unsigned queries as before.
The zone import endpoint (POST /v2/zones/tasks/imports) now accepts application/json as a content type in addition to text/dns. When using JSON, the request body can include a zonefile field containing the zonefile content and an optional attributes field with zone attributes (e.g. pool_id). This allows imported zones to be scheduled to a specific pool, which was previously not possible. The existing text/dns behavior is unchanged.
Known Issues
Only standard TLSA parameters are supported (usage, selector, matching type, certificate data). Arbitrary extensions or non-standard formats are not currently supported.
Upgrade Notes
A new tsigkey_id column has been added to the pool_nameservers table. Run designate-manage database upgrade to apply the migration. The column is nullable and defaults to NULL, so no action is required for existing deployments.
A database migration adds STOPPED to the service_statuses enum.
Python 3.10 support has been dropped. The minimum version of Python now supported is Python 3.11.
Bug Fixes
Zone export now validates the api_export_size quota synchronously before accepting the async export job. Previously, users would receive a 202 Accepted response, then discover the quota violation only after polling the export status, which showed an ERROR state. With this fix, users receive an immediate 413 Request Entity Too Large error when attempting to export a zone that exceeds the quota limit.
This provides a better user experience by giving immediate feedback and prevents wasted resources on doomed async jobs. The implementation uses the same quota validation pattern already employed by zone and recordset creation operations.
See bug 1960495 for more information.
Services now report a STOPPED status on shutdown, fixing duplicate service_status entries when a service restarts on a different host (bug 1998906).
Added two periodic producer tasks: one to mark services as DOWN when their heartbeat exceeds a configurable threshold, and another to clean up STOPPED service entries. These tasks are auto-enabled by default when enabled_tasks is not explicitly configured. To exclude them, set enabled_tasks in the [producer] section of your configuration.
The periodic cleanup producer task now also deletes stale DOWN service entries whose last heartbeat exceeds a configurable time_threshold (default 7 days). This prevents indefinite accumulation of DOWN entries, particularly in container deployments with randomized hostnames. Set time_threshold to 0 in the [producer_task:periodic_cleanup_stopped_service_status] section to disable cleanup of DOWN entries.
Fixed the backend-multipool-bind9 devstack plugin to work with bind9 1:9.20.5-1 and later (Ubuntu 26.04+), where legacy configuration files (zones.rfc1918, named.conf.default-zones, and db.*) were removed in favor of BIND’s native empty-zones-enable directive. The plugin now guards these file copies with existence checks and also copies the new named.conf.root-hints file introduced as a replacement. See bug 2158627 for more information.
Fixed mDNS _handle_record_query to use TSIG-based pool scoping when looking up SOA and other record queries. Previously, when the same zone name existed in multiple pools (e.g. split-horizon DNS), the handler would find multiple matching recordsets and return REFUSED. The handler now resolves the zone first using the TSIG key’s pool_id, then looks up the recordset within that zone.
Fixed the backend-pdns4 devstack plugin to work with PowerDNS Authoritative Server 5.0+ (Ubuntu 26.04+), where the master and slave configuration settings were removed (deprecated since 4.5.0, removed in 4.9.0). The generated pdns.conf now uses the replacement primary and secondary settings.
[bug 1934120] Fixed an issue where TSIG keys could be created with mismatched scope and resource_id values. Previously, it was possible to create a TSIG key with scope='ZONE' but provide a pool UUID in resource_id, or vice versa. This could cause operational issues where TSIG authentication would fail with confusing “Zone not found” errors.
TSIG key creation and updates now validate that the resource_id matches the specified scope type. If scope='ZONE', the resource_id must be a valid zone UUID. If scope='POOL', the resource_id must be a valid pool UUID. Invalid combinations are rejected with a clear error message at creation/update time.
Fixed a bug that didn’t allow zones to be moved from non-default pools to default pools.
Other Notes
TLSA records follow RFC 6698. Clients and resolvers must support DANE to fully utilize these records. Ensure your DNS server software is updated to support TLSA queries and responses correctly.
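The four standard TLSA parameters named under Known Issues, and how a DANE client compares them with a presented certificate under RFC 6698, are shown in the following added example. It is not Designate's own validation code: the function names are hypothetical and the sample bytes are constructed stand-ins for DER data.

```python
import hashlib
import hmac
from dataclasses import dataclass

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
# Matching type -> (hash name, digest length); type 0 is an exact match.
MATCHING = {0: (None, None), 1: ("sha256", 32), 2: ("sha512", 64)}


@dataclass(frozen=True)
class Tlsa:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4 or not all(p.isascii() and p.isdigit() for p in parts[:3]):
        raise ValueError("expected: usage selector matching-type hex-data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    try:
        data = bytes.fromhex("".join(parts[3:]))  # hex may be split by spaces
    except ValueError:
        raise ValueError("certificate data is not valid hex") from None
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("non-standard usage, selector or matching type")
    want = MATCHING[mtype][1]
    if not data or (want is not None and len(data) != want):
        raise ValueError("certificate data length does not fit matching type")
    return Tlsa(usage, selector, mtype, data)


def tlsa_matches(rec: Tlsa, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the record with the selected part of a presented certificate."""
    selected = cert_der if rec.selector == 0 else spki_der
    algo = MATCHING[rec.mtype][0]
    presented = selected if algo is None else hashlib.new(algo, selected).digest()
    return hmac.compare_digest(presented, rec.data)


# Constructed stand-ins for DER bytes (not a real certificate or key).
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-spki-der"
SAMPLE_RDATA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

A truncated digest, such as a SHA-256 value with characters missing, is rejected at parse time because its length does not fit matching type 1.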