[Freeipa-devel] How to support Designate?

[Petr Spacek]

On 8.7.2015 19:56, Rich Megginson wrote:
> On 07/08/2015 10:11 AM, Petr Spacek wrote:
>> Assuming that Designate wants to own DNS and be Primary Master, it would be
>> awesome if they could support standard DNS UPDATE protocol (RFC 2136)
>> alongside their own JSON API.
>>
>> The JSON API is superset of DNS UPDATE protocol because it allows to add zones
>> but still, standard protocol would mean that standard client (possibly guest
>> OS inside VM) can update its records without any OpenStack dependency, which
>> is very much desirable.
>>
>> The use case here is to allow the guest OS to publish it's SSH key (which was
>> generated inside the VM after first boot) to prevent Man in the middle
>> attacks. The same goes for all other sorts of DANE/DNSSEC data or service
>> discovery using DNS, where a guest/container running a distributed service can
>> publish it's existence in DNS.
>>
>> DNS UPDATE supports GSS(API) for authentication via RFC 3007 and that is
>> widely supported, too.
>>
>> So DNS UPDATE is my biggest wish :-)
>>
> Ok.  There was a Designate blueprint for such a feature, but I can't find it
> and neither can the Designate guys.  There is a mention of nsupdate in the
> minidns blueprint, but that's about it.  The fact that Designate upstream
> can't find the bp suggests that this is not a high priority for them and will
> not likely implement it on their own i.e. we would have to contribute this
> feature.
> 
> If Designate had such a feature, how would this help us integrate FreeIPA with
> Designate?

It would greatly simplify integration with FreeIPA. There is a plan to support
DNS updates as described in RFC 2136 to push updates from FreeIPA servers to
external DNS servers, so we could use the same code to integrate with AD &
Designate at the same time.

(I'm sorry for the delay, it somehow slipped through the cracks.)

-- 
Petr^2 Spacek