[Freeipa-devel] routing requests to local servers - DNS SRV [discussion needed]

Petr Spacek pspacek at redhat.com
Thu May 24 17:07:21 UTC 2012 

Hello,

some time ago there was a request for DNS to support "routing requests to 
local servers". Any opinions if/when do it and proposals how to do it are more 
than welcome. My best knowledge about this problem follows:


This request actually means "differentiate answer to DNS query on client's IP 
address basics".
Relevant thread on ipa-users-list:
https://www.redhat.com/archives/freeipa-users/2012-April/msg00070.html

First question is: Do we want to implement it?
(IMHO it is very important for large-scale deployments.)


It is related to IPA ticket #122 at architecture level:
IPA DNS integration should support GeoIP
https://fedorahosted.org/freeipa/ticket/122
IMHO it is better to support generic "locations" defined by user than real Geo-IP:
- at least private IP addresses will be problematic
- real Geo-IP database is huge and can slow all things down


Bind-dyndb-ldap plugin supports BIND "views" already. It should be possible to 
define multiple plugin instances with different ldap search base and let it to 
serve records.

The main problem problem is managing DNS subtree in LDAP. With current 
implementation you have to copy whole subtree to another place and then change 
necessary records. Problem is with maintaining "base" (non-overridden) records 
- you have to do same change n-times.


Adam and I discussed possible approaches. We agreed on "stackable" approach:
- Store whole original DNS tree in one subtree, let say "base".
- Create "override" subtrees for each "locality" = set of customized records. 
Shared records are only in "base". During DNS query processing "override" 
subtree is searched first. If record does not exist in "override" subtree, 
search will continue in "base" subtree.


Second question is how to realize these "overrides":
- Let Directory Server to do the work. If DS supports this, it is mostly done.
It do not require any change in bind-dyndb-ldap code. All merges/overrides 
will be done on Directory server. Only /etc/named.conf has to be adjusted with 
right search base and "view" clause.

I asked on 389 mailing list and I'm waiting for reply:
http://lists.fedoraproject.org/pipermail/389-users/2012-May/014653.html


- Another approach is to add support directly to bind-dyndb-ldap, but it is 
not so nice solution. In that case both LDAP search bases have to be defined 
in /etc/named.conf. For each DNS query is necessary to search "override" base 
first. If required record is not present then is necessary to search through 
"base" subtree.
With persistent search it should be better, because all records are in memory, 
but basic principle remains same.


Thanks for all opinions.

Petr^2 Spacek

More information about the Freeipa-devel mailing list