[Freeipa-devel] Structured DNS record API proposal

Adam Tkac atkac at redhat.com
Thu Sep 15 08:26:50 UTC 2011


On 09/14/2011 06:18 PM, Martin Kosek wrote:
> Attached in the txt file. If you have any comments or suggestions to
> this proposal, please let me know.
>
> https://fedorahosted.org/freeipa/ticket/1766

Your proposal seems fine to me. However, I would recommend not exposing 
routines for managing DNSSEC-related records because DNSSEC is currently 
not supported in bind-dyndb-ldap. This doesn't mean you should 
remove the code which handles those records, just don't expose them to 
users, please. The routines can be reused in future, when we decide how to 
handle DNSSEC in FreeIPA.

I checked the "dnsrecord-<rrtype>-add" list below and the DNSSEC-related 
records are DS, KEY, NSEC, RRSIG, SIG.

Regards, Adam

>
> new-dns-api.txt
>
>
> https://fedorahosted.org/freeipa/ticket/1766
>
> This is a proposal for API for per-DNS-type interface in FreeIPA.
>
> There are many structured DNS RR types where DNS data is not just an IP address or a domain name, but a (often complex) data structure. Example of adding a structured DNS RR (LOC in this case):
>
> ipa dnsrecord-add example.com @ --loc-rec "49 11 42.4 N 16 36 29.6 E 227.64m"
>
> It may be difficult to enter such a DNS record into FreeIPA without making an error (which would lead to an invalid zone in this case). For this reason, I have created at least basic validators in my patch 120 (ticket 1106).
>
> GOAL:
> Create API useful for both CLI and WebUI capable of creating these structured DNS types
>
> CURRENT API:
> ipa dnsrecord-add    Add new DNS resource record.
> ipa dnsrecord-del    Delete DNS resource record.
> ipa dnsrecord-find   Search for DNS resources.
> ipa dnsrecord-mod    Modify a DNS resource record.
> ipa dnsrecord-show   Display DNS resource.
>
> PROPOSED API IMPROVEMENT:
> Proposed API for all supported structured DNS types follows:
>
> ipa dnsrecord-afsdb-add --subtype=INT --hostname=STR
> ipa dnsrecord-cert-add --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
> ipa dnsrecord-ds-add --tag=INT --algorithm=ENUM --type=ENUM --digest=STR
> ipa dnsrecord-key-add --flags=LIST --protocol=INT --algorithm=ENUM --digest=STR
> ipa dnsrecord-kx-add --preference=INT --exchanger=STR
> ipa dnsrecord-loc-add --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
> ipa dnsrecord-mx-add --priority=INT --mailserver=STR
> ipa dnsrecord-nsec-add --next=STR --types=LIST
> ipa dnsrecord-naptr-add --order=INT --preference=INT --flag=ENUM --service=STR --regexp=STR --replacement=STR
> ipa dnsrecord-sig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR
> ipa dnsrecord-srv-add --priority=INT --weight=INT --port=INT --target=STR
> ipa dnsrecord-sshfp-add --algorithm=ENUM --type=ENUM --fingerprint=STR
> ipa dnsrecord-rrsig-add  --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR
>
> To also support modification of current records (i.e. replacement) we can add a "mod" equivalent, e.g.:
> ipa dnsrecord-afsdb-mod --subtype=INT --hostname=STR
> ipa dnsrecord-cert-mod --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
> ...
>
> I think this is what WebUI guys will want.
>
>
> EXAMPLE OF OPTIONS:
> The available options for particular RR types will be based on RFC research I have already done for my patch 120. Let's see how the API will look.
>
> 1) LOC record example noted in the beginning:
>
> ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-min=11 --lat-sec=42.4 --lat-dir=N --lon-deg=16 --lon-min=36 --lon-sec=29.6 --lon-dir=E --alt=227.64
>
> A good thing about options is that we can divide them into mandatory and optional ones and provide defaults. In this case, one can enter an imprecise LOC record with:
>
> ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-dir=N --lon-deg=16 --lon-dir=E
>
>
> 2) Another example with CERT RR type:
>
> CURRENT API:
> ipa dnsrecord-add example.com foo --cert-rec="1 0 5 MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"
>
> NEW API:
> ipa dnsrecord-cert-add example.com foo --type=PKIX --tag=0 --algorithm=RSASHA1 --certificate=MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
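The two worked examples in the quoted proposal (the structured LOC options and the structured CERT options) both come down to the same step: take per-field options, range-check them, and emit the single presentation string that the existing --loc-rec / --cert-rec options accept, so that a typo can be rejected before it produces an invalid zone. The following is an added illustration of that step, not FreeIPA or bind-dyndb-ldap code. It assumes a default altitude of 0 m when --alt is omitted (the proposal does not state a default), uses the CERT type and algorithm numbers from RFC 4398 and RFC 4034, and the certificate value is a constructed base64 string rather than a real certificate.

```python
import base64

# CERT type and algorithm mnemonics -> numeric values (RFC 4398 sec. 2.1 and
# RFC 4034 appendix A.1); only the values needed for this example are listed.
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
              "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254}
ALGORITHMS = {"RSAMD5": 1, "DH": 2, "DSA": 3, "ECC": 4, "RSASHA1": 5}

# Constructed sample, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(
    b"not a real certificate, constructed for this example").decode("ascii")


def _num(value, places):
    """Format a number with at most `places` decimals and no trailing zeros."""
    return ("%.*f" % (places, value)).rstrip("0").rstrip(".")


def _check(name, value, low, high):
    if not low <= value <= high:
        raise ValueError("%s=%r outside [%s, %s]" % (name, value, low, high))


def loc_record(lat_deg, lat_dir, lon_deg, lon_dir, lat_min=None, lat_sec=None,
               lon_min=None, lon_sec=None, alt=0.0, size=None,
               h_precision=None, v_precision=None):
    """Return the RFC 1876 presentation form of a LOC record.

    Degrees and hemisphere are mandatory; minutes and seconds may be omitted
    (the proposal's 'imprecise' record). Altitude defaults to 0 m, which is
    an assumption of this example, not something the proposal states.
    size / h_precision / v_precision are emitted only when supplied, so the
    RFC 1876 defaults (1m, 10000m, 10m) apply otherwise.
    """
    if lat_dir not in ("N", "S") or lon_dir not in ("E", "W"):
        raise ValueError("lat_dir must be N or S and lon_dir must be E or W")
    _check("lat_deg", lat_deg, 0, 90)
    _check("lon_deg", lon_deg, 0, 180)
    parts = []
    for deg, mins, secs, hemi in ((lat_deg, lat_min, lat_sec, lat_dir),
                                  (lon_deg, lon_min, lon_sec, lon_dir)):
        parts.append(str(deg))
        if secs is not None and mins is None:
            raise ValueError("seconds given without minutes")
        if mins is not None:
            _check("minutes", mins, 0, 59)
            parts.append(str(mins))
        if secs is not None:
            _check("seconds", secs, 0, 59.999)
            parts.append(_num(secs, 3))
        parts.append(hemi)
    _check("alt", alt, -100000.00, 42849672.95)
    parts.append(_num(alt, 2) + "m")
    # The trailing fields are positional: to write a later one, every earlier
    # one must be written out too, so omitted ones get their RFC default.
    fields = ((size, 1.0), (h_precision, 10000.0), (v_precision, 10.0))
    last = max((i for i, (v, _) in enumerate(fields) if v is not None),
               default=-1)
    for value, default in fields[:last + 1]:
        value = default if value is None else value
        _check("size/precision", value, 0, 90000000.00)
        parts.append(_num(value, 2) + "m")
    return " ".join(parts)


def cert_record(cert_type, tag, algorithm, certificate):
    """Return the RFC 4398 presentation form: 'type tag algorithm base64'."""
    if cert_type not in CERT_TYPES:
        raise ValueError("unknown CERT type %r" % (cert_type,))
    if algorithm not in ALGORITHMS:
        raise ValueError("unknown algorithm %r" % (algorithm,))
    _check("tag", tag, 0, 65535)
    try:
        # validate=True rejects whitespace and non-alphabet characters;
        # bad padding (a truncated certificate) raises binascii.Error,
        # which is a ValueError subclass.
        base64.b64decode(certificate, validate=True)
    except ValueError as e:
        raise ValueError("certificate is not valid base64: %s" % e)
    return "%d %d %d %s" % (CERT_TYPES[cert_type], tag,
                            ALGORITHMS[algorithm], certificate)


def validation_error(render, **fields):
    """Return the validation message for a field set, or None if it renders."""
    try:
        render(**fields)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(loc_record(49, "N", 16, "E", lat_min=11, lat_sec=42.4,
                     lon_min=36, lon_sec=29.6, alt=227.64))
    print(loc_record(49, "N", 16, "E"))
    print(cert_record("PKIX", 0, "RSASHA1", SAMPLE_CERT_B64))
    print(validation_error(loc_record, lat_deg=91, lat_dir="N",
                           lon_deg=16, lon_dir="E"))
```

The first call reproduces the proposal's full LOC example as "49 11 42.4 N 16 36 29.6 E 227.64m"; the second, the imprecise one, renders as "49 N 16 E 0m" under the assumed altitude default. The CERT call yields "1 0 5 <base64>", matching the "1 0 5 MIID..." form in the proposal's CURRENT API example, with PKIX mapped to 1 and RSASHA1 to 5.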