Skip to main content

Overview

Xloud DNS as a Service (DNSaaS) uses Designate to manage DNS zones and records on behalf of tenants. By default, Designate operates with an internal backend. For enterprise environments, Designate can forward zone data to external authoritative DNS providers — enabling existing DNS infrastructure to remain the authoritative source while the platform handles automated record creation and lifecycle management. When a virtual machine is provisioned, Designate automatically creates A, PTR, and CNAME records in the tenant’s assigned zone. If an external DNS backend is configured, those records are propagated to the external provider without any manual intervention.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.
Prerequisites
  • Administrator credentials with the admin role
  • Network connectivity from the Designate control plane nodes to the external DNS server management interface
  • Credentials or TSIG keys for the external DNS provider

Supported DNS Backends

BackendIntegration TypeProtocolNotes
BIND9Dynamic DNS updatesDNS over UDP/TCP (RFC 2136)Requires TSIG key or RNDC configuration
PowerDNSREST API (pdns API)HTTPSPowerDNS Authoritative Server 4.x+ required
InfobloxWAPI REST APIHTTPSFull DNS, DHCP, and IPAM record support
Akamai Edge DNSREST APIHTTPSUses Akamai Fast DNS v2 API
Microsoft DNSPowerShell connectorWinRMRequires WinRM access to DNS server
Designate internalMulti-tenant SQL backendInternalDefault — no external DNS required
Knot DNSDynamic DNS (RFC 2136)DNS over UDP/TCPCompatible with BIND9 integration method

Architecture

Designate’s backend model separates the API and pool management layer from the DNS protocol layer. Each backend driver handles zone synchronization between Designate’s internal state and the external authoritative server. Tenants interact only with Designate APIs — the backend synchronization is transparent. 
Tenant → Designate API → Pool Manager → Backend Driver → External DNS Server

                                    (zone create / record sync)
A pool groups one or more DNS backend targets with shared configuration. Each pool can contain multiple nameservers, and tenants can be assigned to specific pools based on project or zone type.

Backend Configuration

All backend configuration is in designate.conf. In XAVS deployments, this file is managed by Ansible — use XDeploy globals to set parameters and run xavs-ansible deploy --tags designate to apply changes.
BIND9 integration uses the standard DNS dynamic update protocol (RFC 2136). A TSIG key authenticates updates from Designate to BIND.On the BIND server — generate a TSIG key:
Generate TSIG key on the BIND server
tsig-keygen -a HMAC-SHA256 designate-key
Add the output to /etc/bind/named.conf.keys and configure the zone to accept updates:
/etc/bind/named.conf — allow dynamic updates
zone "example.com" {
    type master;
    file "/var/cache/bind/example.com.db";
    allow-update { key designate-key; };
};
Designate configuration:
designate.conf — BIND9 backend
[backend:bind9]
host = 10.0.10.5
port = 53
tsig_key_name = designate-key
tsig_key_secret = <base64-encoded-key>
tsig_key_algorithm = HMAC-SHA256

[pool:default]
backends = bind9
nameservers = ns1.example.com
also_notifies = 10.0.10.5:53
PowerDNS integration uses the PowerDNS Authoritative REST API. The API key must be configured on the PowerDNS server.PowerDNS server — enable the API in pdns.conf:
pdns.conf — enable REST API
api=yes
api-key=<your-api-key>
webserver=yes
webserver-address=0.0.0.0
webserver-port=8081
Designate configuration:
designate.conf — PowerDNS backend
[backend:pdns4]
host = 10.0.10.6
port = 8081
api_endpoint = http://10.0.10.6:8081
api_token = <your-api-key>

[pool:default]
backends = pdns4
nameservers = ns1.example.com
Infoblox uses the Web API (WAPI) for DNS record management. Designate communicates with the Infoblox Grid Manager REST API to create and delete DNS records and zones.
designate.conf — Infoblox backend
[backend:infoblox]
wapi_url = https://10.0.10.7/wapi/v2.10
username = designate-svc
password = <password>
ns_group = Designate-NSGroup
multi_tenant = false
sslverify = true

[pool:default]
backends = infoblox
nameservers = infoblox-ns.example.com
The service account (designate-svc) must have DNS Admin rights on the Infoblox Grid. The ns_group must be pre-configured in Infoblox with the relevant nameservers.
Akamai Fast DNS is a cloud-based authoritative DNS service. Designate uses the Akamai Edge DNS v2 API for zone and record management.
designate.conf — Akamai backend
[backend:akamai]
host = akab-<contract>.luna.akamaiapis.net
client_token = <client-token>
client_secret = <client-secret>
access_token = <access-token>
base_url = https://akab-<contract>.luna.akamaiapis.net

[pool:default]
backends = akamai
nameservers = a1-1.akam.net
Akamai credentials are generated from the Akamai Control Center under Identity & Access Management → API Clients. The API client requires DNS—Zone Record Management permissions.

Zone Transfer to External Provider

When a zone is created in Designate, the backend driver provisions it on the configured external DNS server. Zone transfers can also be initiated manually for bulk migration of existing zones.

Create a zone

Navigate to Project → DNS → Zones and click Create Zone.Enter the zone name (e.g., example.com.), email, TTL, and select the pool if multiple pools are configured.

Verify propagation

After the zone reaches Active status, query the external DNS server to confirm the zone is visible:
Query external DNS server for zone
dig @10.0.10.5 SOA example.com.

Add records

Navigate to the zone and click Create Record Set. Records created here are automatically propagated to the external backend.

Pool Management

Pools allow routing different zones or tenants to different DNS backends. For example, internal zones can be handled by BIND9 while external zones use Akamai.
designate.conf — multiple pools
[pools]
names = internal-pool,external-pool

[pool:internal-pool]
backends = bind9
nameservers = ns1.internal.example.com,ns2.internal.example.com
also_notifies = 10.0.10.5:53

[pool:external-pool]
backends = akamai
nameservers = a1-1.akam.net,a2-1.akam.net
Create a zone in a specific pool
openstack zone create \
  --email admin@example.com \
  --attributes pool_id:<pool-uuid> \
  external.example.com.

Troubleshooting

Cause: Designate cannot reach the external backend, or authentication failed.Resolution:
  • Verify network connectivity from the Designate control node to the backend IP and port
  • Check Designate worker logs: docker logs designate_worker
  • Confirm credentials (API key, TSIG key, or password) are correct in designate.conf
Cause: The zone may be active in Designate but the backend sync failed.Resolution:
  • Force a zone sync: openstack zone sync <zone-name>
  • Check Designate producer and worker logs for backend errors
  • Verify the external DNS server has the zone configured to accept updates from the Designate source IP
Cause: The TSIG key in designate.conf does not match the key configured on the BIND9 server.Resolution:
  • Re-generate and re-sync the TSIG key on both BIND9 and Designate
  • Confirm the key algorithm (HMAC-SHA256) matches on both sides
  • Test manually: nsupdate -k /etc/bind/designate.key

Next Steps

Backend Configuration

Full reference for Designate backend driver options and pool configuration

Zone Transfers

Transfer zones between pools or to external authoritative providers

Pool Management

Manage multiple backend pools for routing zones to different DNS providers

DNS Security

Configure TSIG keys, DNSSEC, and zone access policies