[Freeipa-devel] DNS/bind-dyndb-ldap development plans

Mon Mar 19 13:34:41 UTC 2012

Hello list,

there are several big features, that are missing in IPA DNS/plugin now. 
So we have to triage "big features" for next plugin development.

In short - there is a list of biggest features:
- DNSSEC (Domain Name System Security Extensions) support
- IDN (Internationalized Domain Names) support
- DNS test suite
- Push dynamic database API to upstream
- More flexible/BIND equivalent record format
- "Never ending stories" about code quality etc.

All details for each big item is below. BIND LDAP plugin Trac contains a 
lot of minor things + placeholders for some big features.
URL: https://fedorahosted.org/bind-dyndb-ldap/report/3

DNSSEC (Domain Name System Security Extensions) support
-------------------------------------------------------
There are some problems to be solved. After discussion with Adam I think 
it is doable. It requires some effort, but IMHO it is crucial feature 
for future.

BIND supports DNSSEC from RHEL5. Fedora 17 will have client side 
support. There should not be any interoperability problem with DNSSEC 
client & not-DNSSEC-aware server (i.e. current IPA).

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

IDN (Internationalized Domain Names) support
--------------------------------------------
Non ASCII domain names are encoded to ASCII strings. Theoretically it IS 
supported now in plugin, from plugin point of view it is nothing special.
Another side is support for encoding/decoding strings in all our 
utilities, documentation and testing.

Nowadays it's supported in DNS system from top-level and it's usable.

The Question: Is there any user of this? I'm not really sure if somebody 
really uses IDN. But people with non-latin alphabet will probably have 
another opinion :-)

https://fedorahosted.org/bind-dyndb-ldap/ticket/58

DNS test suite
--------------
We don't have any test suite now. Everything is tested manually, usually 
with dig. (Same situation is there with BIND package.)

Several open source DNS tests are around on Internet. All of them are 
partial and they are usually unmaintained. Test them, select best 
pieces, write what will be missing and combine it to our DNS test suite.

It would be better to start separate "dnstest" project or something 
similar. It can start from simple packaging of selected tools for Fedora 
and then start to integrate them to own test suite.

Our client interface is plain DNS protocol, so it can be reused for BIND 
or any other DNS server.

Push dynamic database API to upstream
-------------------------------------
I got detailed information from Adam. Situation is better than I knew a 
week ago during meeting.
Basically, ISC can accept current API, but there are some requirements:
- small code clean-up (not a big thing)
- complete documentation (of course)
- some sort of API tests
- example driver with *BSD* license, GPL is not acceptable

Really simple driver is acceptable (without any dynamic things), so I 
think it is doable.

I think it will be better to push API to upstream after deep DNSSEC 
inspection and implementation design, some problems can arise...

More flexible/BIND equivalent record format
-------------------------------------------
Current record format in LDAP is less powerful than BIND's. Generally, 
each record can have own TTL value, see RFC1035 
http://tools.ietf.org/html/rfc1035 section 5.1.
We allow only single value per name, so it's not possible to have e.g. 
single name with long-term A record and short term LOC record.

It probably leads to some performance degradation in some special cases, 
but generally it's not a problem. I think it's very-long-term "nice to 
have". (It is good to remember to this problem in meantime.)

Problem is, that this change will affect LDAP scheme and whole DNS UI, 
so it's very problematic.

Never ending stories (in progress, of course :-)
--------------------
- improve error handling
- improve configuration (local overriding etc.)
- stabilize persistent search
- performance optimization

Thanks for you patience and sorry for long mail.

Petr^2 Spacek