feat(dns): serve forward A/AAAA for overlay instance addresses

chet · chet · commit dfbad977266b · 2026-06-23T00:06:39.000-07:00
Overlay (DPU-managed) instances allocate their addresses from a segment's pool into instance_addresses -- addresses that never reach machine_interface_addresses, so the forward DNS views never published them and a tenant could not resolve an overlay instance by name. This serves them: each overlay instance address now answers a forward A/AAAA record, named by its address under the segment's forward zone -- the same IP-derived form the host-naming strategy uses elsewhere. Forward records are served entirely by the dns_records SQL view, so this is a new view arm rather than any resolver change. - Add a dns_records_instance view over instance_addresses joined to its segment's forward zone (network_segments.subdomain_id), and attach it to the served dns_records view. - Re-introduce nico_inet_to_dns_hostname to name records by their fully expanded address, matching the Rust address_to_hostname -- it had been removed as an orphan; the path it once fed is the on-a-machine case the shortname view already covers, so it now has its first real consumer. - Skip host_inband segments: those addresses are the host's own and are already published by the shortname view. Tests added! This supports #2408 Signed-off-by: Chet Nichols III <chetn@nvidia.com>
diff --git a/crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql b/crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql
@@ -0,0 +1,118 @@
+-- Serve forward A/AAAA DNS for overlay (DPU-managed) instances.
+--
+-- An overlay instance's addresses are allocated from its segment's pool and live
+-- only in `instance_addresses` -- they never reach `machine_interface_addresses`,
+-- so the shortname/adm views never published them and overlay instances had no
+-- forward record. This adds an instance arm to the served `dns_records` view,
+-- sourced from `instance_addresses` joined to its segment's forward zone
+-- (`network_segments.subdomain_id`). A segment without a forward zone publishes
+-- nothing, by construction.
+--
+-- host_inband instances are excluded: their address *is* the host's own interface
+-- address, already in `machine_interface_addresses` and already served by the
+-- shortname view -- serving it here too would duplicate it.
+--
+-- The published name is the address itself in the host-naming strategy's
+-- IP-derived form (`<dashed-address>.<zone>.`). `nico_inet_to_dns_hostname`
+-- returns to derive it: it was removed in 20260622072105 as an orphan (the view
+-- it fed read instance IPs from `network_config` JSON joined via `machine_id` --
+-- the on-a-machine path the shortname view already covers, which is why it was
+-- dead), and now has a live consumer in the `instance_addresses` path below.
+
+CREATE OR REPLACE FUNCTION nico_inet_to_dns_hostname(address inet)
+RETURNS text
+LANGUAGE plpgsql
+IMMUTABLE
+STRICT
+AS $$
+DECLARE
+    address_text text;
+    parts text[];
+    left_groups text[] := ARRAY[]::text[];
+    right_groups text[] := ARRAY[]::text[];
+    groups text[] := ARRAY[]::text[];
+    embedded_ipv4_text text;
+    embedded_ipv4_parts text[];
+    missing_groups integer;
+    hostname text;
+BEGIN
+    IF family(address) = 4 THEN
+        RETURN replace(host(address), '.', '-');
+    END IF;
+
+    address_text := host(address);
+    embedded_ipv4_text := substring(
+        address_text FROM '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})$'
+    );
+    IF embedded_ipv4_text IS NOT NULL THEN
+        embedded_ipv4_parts := string_to_array(embedded_ipv4_text, '.');
+        address_text := regexp_replace(
+            address_text,
+            '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})$',
+            to_hex(embedded_ipv4_parts[1]::integer * 256 + embedded_ipv4_parts[2]::integer)
+                || ':'
+                || to_hex(embedded_ipv4_parts[3]::integer * 256 + embedded_ipv4_parts[4]::integer)
+        );
+    END IF;
+
+    parts := regexp_split_to_array(address_text, '::');
+
+    IF parts[1] IS NOT NULL AND parts[1] != '' THEN
+        left_groups := string_to_array(parts[1], ':');
+    END IF;
+
+    IF cardinality(parts) > 1 AND parts[2] != '' THEN
+        right_groups := string_to_array(parts[2], ':');
+    END IF;
+
+    missing_groups := 8 - cardinality(left_groups) - cardinality(right_groups);
+    IF missing_groups < 0 THEN
+        RAISE EXCEPTION 'invalid IPv6 address expansion for %', address_text;
+    END IF;
+
+    groups := left_groups;
+    IF missing_groups > 0 THEN
+        groups := groups || array_fill('0'::text, ARRAY[missing_groups]);
+    END IF;
+    groups := groups || right_groups;
+
+    IF cardinality(groups) != 8 THEN
+        RAISE EXCEPTION 'invalid IPv6 address expansion for %', address_text;
+    END IF;
+
+    SELECT string_agg(lpad(lower(group_text), 4, '0'), '-' ORDER BY group_index)
+    INTO hostname
+    FROM unnest(groups) WITH ORDINALITY AS expanded(group_text, group_index);
+
+    RETURN hostname;
+END;
+$$;
+
+-- Forward A/AAAA records for overlay-instance addresses, named by the IP-derived
+-- hostname under the segment's forward zone. host_inband segments are excluded
+-- (their addresses are the host's own, served by the shortname view).
+CREATE OR REPLACE VIEW dns_records_instance AS
+SELECT
+    concat(nico_inet_to_dns_hostname(ia.address), '.', d.name, '.') AS q_name,
+    ia.address AS resource_record,
+    (CASE WHEN family(ia.address) = 6 THEN 'AAAA' ELSE 'A' END)::varchar(10) AS q_type,
+    NULL::integer AS ttl,
+    d.id AS domain_id
+FROM
+    instance_addresses ia
+    JOIN network_segments ns ON ns.id = ia.segment_id
+    JOIN domains d ON d.id = ns.subdomain_id
+WHERE
+    ns.network_segment_type <> 'host_inband';
+
+-- Re-publish the combined view with the instance arm attached.
+DROP VIEW IF EXISTS dns_records;
+
+CREATE OR REPLACE VIEW dns_records AS
+SELECT *
+FROM
+  dns_records_shortname_combined
+  FULL JOIN dns_records_adm_combined USING (q_name, resource_record, q_type, ttl, domain_id)
+  FULL JOIN dns_records_bmc_host_id USING (q_name, resource_record, q_type, ttl, domain_id)
+  FULL JOIN dns_records_bmc_dpu_id USING (q_name, resource_record, q_type, ttl, domain_id)
+  FULL JOIN dns_records_instance USING (q_name, resource_record, q_type, ttl, domain_id);
diff --git a/crates/api-db/src/dns/resource_record.rs b/crates/api-db/src/dns/resource_record.rs
@@ -199,3 +199,167 @@ pub async fn get_all_records(
         .await
         .map_err(|e| DatabaseError::query(query, e))
 }
+
+#[cfg(test)]
+mod tests {
+    use carbide_uuid::instance::InstanceId;
+    use carbide_uuid::network::NetworkSegmentId;
+    use model::dns::NewDomain;
+
+    use super::find_record;
+    use crate::dns::domain;
+
+    /// Seed a machine, an instance on it, a forward zone, and a network segment of
+    /// `segment_type` whose forward zone is that domain. Returns the instance and
+    /// segment so a caller can attach addresses and look them up.
+    async fn seed_instance_segment(
+        conn: &mut sqlx::PgConnection,
+        zone: &str,
+        segment_type: &str,
+    ) -> (InstanceId, NetworkSegmentId) {
+        let zone_domain = domain::persist(NewDomain::new(zone.to_string()), conn)
+            .await
+            .unwrap();
+        sqlx::query("INSERT INTO machines (id, dpf) VALUES ($1, '{}'::jsonb)")
+            .bind("test-machine-2408")
+            .execute(&mut *conn)
+            .await
+            .unwrap();
+        let instance_id: InstanceId =
+            sqlx::query_scalar("INSERT INTO instances (machine_id) VALUES ($1) RETURNING id")
+                .bind("test-machine-2408")
+                .fetch_one(&mut *conn)
+                .await
+                .unwrap();
+        let segment_id: NetworkSegmentId = sqlx::query_scalar(
+            "INSERT INTO network_segments (name, version, network_segment_type, subdomain_id)
+             VALUES ($1, $2, $3::network_segment_type_t, $4) RETURNING id",
+        )
+        .bind("seg-2408")
+        .bind("1")
+        .bind(segment_type)
+        .bind(zone_domain.id)
+        .fetch_one(&mut *conn)
+        .await
+        .unwrap();
+        (instance_id, segment_id)
+    }
+
+    async fn add_address(
+        conn: &mut sqlx::PgConnection,
+        instance_id: InstanceId,
+        segment_id: NetworkSegmentId,
+        address: &str,
+        prefix: &str,
+    ) {
+        sqlx::query(
+            "INSERT INTO instance_addresses (instance_id, address, segment_id, prefix)
+             VALUES ($1::uuid, $2::inet, $3::uuid, $4::cidr)",
+        )
+        .bind(instance_id)
+        .bind(address)
+        .bind(segment_id)
+        .bind(prefix)
+        .execute(conn)
+        .await
+        .unwrap();
+    }
+
+    #[crate::sqlx_test]
+    async fn overlay_instance_addresses_are_served_forward(pool: sqlx::PgPool) {
+        let mut txn = pool.begin().await.unwrap();
+        let (instance_id, segment_id) =
+            seed_instance_segment(txn.as_mut(), "tenant.example.com", "tenant").await;
+        add_address(
+            txn.as_mut(),
+            instance_id,
+            segment_id,
+            "10.1.2.3",
+            "10.1.2.0/24",
+        )
+        .await;
+        add_address(
+            txn.as_mut(),
+            instance_id,
+            segment_id,
+            "2001:db8:abcd::2",
+            "2001:db8:abcd::/64",
+        )
+        .await;
+
+        // IPv4 -> A, named by the dashed address under the segment's forward zone.
+        let v4 = find_record(txn.as_mut(), "10-1-2-3.tenant.example.com.")
+            .await
+            .unwrap();
+        assert_eq!(v4.len(), 1, "one A record for the overlay address");
+        assert_eq!(v4[0].q_type, "A");
+        assert_eq!(
+            v4[0].record.parse::<std::net::IpAddr>().unwrap(),
+            "10.1.2.3".parse::<std::net::IpAddr>().unwrap()
+        );
+
+        // IPv6 -> AAAA, named by the fully expanded address.
+        let v6 = find_record(
+            txn.as_mut(),
+            "2001-0db8-abcd-0000-0000-0000-0000-0002.tenant.example.com.",
+        )
+        .await
+        .unwrap();
+        assert_eq!(v6.len(), 1, "one AAAA record for the overlay address");
+        assert_eq!(v6[0].q_type, "AAAA");
+        assert_eq!(
+            v6[0].record.parse::<std::net::IpAddr>().unwrap(),
+            "2001:db8:abcd::2".parse::<std::net::IpAddr>().unwrap()
+        );
+    }
+
+    #[crate::sqlx_test]
+    async fn host_inband_instance_addresses_are_not_served_here(pool: sqlx::PgPool) {
+        // A host_inband instance address *is* the host's own interface address,
+        // already published by the shortname view -- the instance arm must skip it
+        // so it is not served twice.
+        let mut txn = pool.begin().await.unwrap();
+        let (instance_id, segment_id) =
+            seed_instance_segment(txn.as_mut(), "host.example.com", "host_inband").await;
+        add_address(
+            txn.as_mut(),
+            instance_id,
+            segment_id,
+            "10.9.9.9",
+            "10.9.9.0/24",
+        )
+        .await;
+
+        let records = find_record(txn.as_mut(), "10-9-9-9.host.example.com.")
+            .await
+            .unwrap();
+        assert!(
+            records.is_empty(),
+            "host_inband addresses are not published by the instance arm"
+        );
+    }
+
+    #[crate::sqlx_test]
+    async fn nico_inet_to_dns_hostname_matches_host_naming_contract(pool: sqlx::PgPool) {
+        // The view derives instance names with this SQL function; the rest of the
+        // system derives address hostnames with the Rust
+        // `host_naming::address_to_hostname` helper. They must agree so a forward
+        // record and its eventual PTR round-trip. These are that helper's own vectors.
+        let mut txn = pool.begin().await.unwrap();
+        for (address, expected) in [
+            ("192.168.1.0", "192-168-1-0"),
+            (
+                "2001:db8:abcd::2",
+                "2001-0db8-abcd-0000-0000-0000-0000-0002",
+            ),
+            ("::1", "0000-0000-0000-0000-0000-0000-0000-0001"),
+        ] {
+            let got: String = sqlx::query_scalar("SELECT nico_inet_to_dns_hostname($1::inet)")
+                .bind(address)
+                .fetch_one(txn.as_mut())
+                .await
+                .unwrap();
+            assert_eq!(got, expected, "SQL hostname for {address}");
+        }
+    }
+}
