[Freeipa-devel] Structured DNS record API proposal - summary

Martin Kosek mkosek at redhat.com
Fri Sep 23 15:13:09 UTC 2011 

On Fri, 2011-09-23 at 10:46 -0400, Adam Young wrote:
> On 09/23/2011 02:02 AM, Martin Kosek wrote:
> > On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote:
> >> On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote:
> >>>> OPEN QUESTION: should we implement these new commands also for discrete
> >>>> DNS records types to be consistent? I mean for example A, AAAA, CNAME,
> >>>> PTR, ... They would look like
> >>>>
> >>>>> ipa dnsrecord-aaaa-add --ip-address=IPAddress
> >>>> BENEFITS of this approach (command per RR type):
> >>>> - use can get all help for RR type by simply typing "ipa help
> >>>> dnsrecord-mx-add"
> >>>> - we would be able to implement helper methods consistently on one
> >>>> place, for example:
> >>>> dnsrecord-aaaa-add --from-mac=00:1D:BA:06:37:64
> >>> If we have this for all record types the UI can use a generic code to
> >>> figure out which command to use. Everything will be in this pattern:
> >>> dnsrecord-<rrtype>-add/mod/del<primary keys>  [parameters*]
> >> We won't have it for all types, so we will need a map.  Most  will use
> >> the old API, and a few will use the pattern above
> > I think to make this all as consistent as possible, new API shall be
> > implemented for all types (except unsupported and DNSSEC ones). Rob did
> > agree with this approach too.
> >
> > Martin
> >
> 
> 
> Lets proceed with caution here.  I think we can really complicate things 
> with this approach.

Ok, lets see...

> 
>  From a UI perspective, we will have to tailor the  control to be used 
> for any DNS record type that gets more than a single field.
> 
>  From what I've seen, and the types we have to deal with thus far, only 
> the SRV and MX records  are really used that much.  Lets implement for 
> them  first and test it out.
> 
> For certificate based records,  DNS and otherwise, we want to get file 
> upload working, as cut and paste etc is a PITA.  I'm not sure if we 
> really need the Cert based records, but I suspect that, from a Dogtag 
> perspective, there is a lot of things we could do with a tight 
> integration of the two.  I can even see an API where we generate a Cert 
> based record  from a Certificate Signing Request.
> 

That's the benefit of command-per-type approach. We could implement some
helpers to dnsrecord-cert-add when file upload is ready or we specify a
way to cooperate with dogtag there.

> 
> For A  and AAAA records, we don't need a new API, we need a pattern.  
> For A record  that pattern is:
> 
> \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b 
> 
> 
> 
> For AAAA records that is:
> /^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$/ 
> 
> 
> 
> Yep, they are nasty.  But that is going to be the case regardless of 
> whether we use the new API or not.
> 

I agree - that's not pretty. On the server side, I would like to use
services of python-netaddr package. This package is able to validate
both A or AAAA records. I don't see the benefit of using own regex
instead.

> 
> 
> Lets deal with these issues, and hold  the API explosion  until later.

Martin

More information about the Freeipa-devel mailing list