[Freeipa-devel] [PATCH] 0017 Integrate realmdomains with IPA DNS

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 11 13:03:02 UTC 2013


On Thu, 11 Apr 2013, Ana Krivokapic wrote:
>On 04/11/2013 01:43 PM, Alexander Bokovoy wrote:
>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>> On 11.4.2013 13:24, Alexander Bokovoy wrote:
>>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>>> On 11.4.2013 13:09, Ana Krivokapic wrote:
>>>>>> Integrate realmdomains with IPA DNS
>>>>>>
>>>>>> Add an entry to realmdomains when a DNS zone is added to IPA.
>>>>>> Delete the related entry from realmdomains when the DNS zone is
>>>>>> deleted from IPA.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3544
>>>>>
>>>>> I would add a TXT record as I described in
>>>>> https://fedorahosted.org/freeipa/ticket/3544#comment:8
>>>>>
>>>>> This integration probably should go to both commands, realmdomains-*
>>>>> dnszone-*.
>>>>>
>>>>> Any objections? AB?
>>>> Adding a TXT record is probably harmless.
>>>>
>>>> I would actually add the TXT record creation only to realmdomains-* and
>>>> trigger it only in case we manage our DNS and DNS zone is there.
>>>> This way a hook from dnszone-add will trigger adding TXT record back
>>>> (via call to
>>>> realmdomains-mod --add and then TXT record addition from there). Also
>>>> the fact that admin added manually some domain to realmdomains mapping
>>>> means that it is implied to be used in obtaining TGTs, so TXT record is
>>>> helpful there as well.
>>>
>>> Okay, it makes sense. We will see how it will work in reality.
>>
>> One more thing to check is that we don't do this for our own domain.
>>
>
>Our own domain is already in realmdomains by default, and it cannot be
>removed from there. So I don't think any check related to our domain is
>necessary.
We shouldn't start creating TXT records for our own domain, that's what
I'm asking for here.

Think about the server install stage -- we start creating our own domain
and the hook then causes a realmdomains entry to be created for the
domain, which makes the realmdomains-mod code raise a ValidationError
that is not handled in the dnszone-add code with this patch.

Same for TXT record creation starting from the realmdomains-mod side --
it simply should avoid calling dnsrecord-add for the case we know
wouldn't work.

-- 
/ Alexander Bokovoy
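The hook shape discussed in this thread, as an added illustration that is not FreeIPA code: a toy `Realm` model in which `dnszone_add` feeds `realmdomains_add`, `realmdomains_add` creates the TXT record only for zones IPA manages and never for the realm's own domain, and the install-time case (creating our own zone) is skipped before the realmdomains call so no `ValidationError` escapes. The class, method and attribute names are hypothetical stand-ins for the real `dnszone-*`, `realmdomains-mod` and `dnsrecord-add` commands, and the record form `_kerberos.<domain> TXT "<REALM>"` is assumed from the usual Kerberos realm-lookup convention, not taken from ticket 3544.

```python
"""Toy model of the dnszone-add <-> realmdomains-mod hook (not FreeIPA code)."""


def _normalize(name):
    """Lower-case a DNS name and drop the trailing dot so lookups compare equal."""
    return name.strip().lower().rstrip(".")


class ValidationError(Exception):
    """Stand-in for the error realmdomains-mod raises on an invalid change."""


class Realm:
    def __init__(self, realm_name, own_domain):
        self.realm = realm_name
        self.own_domain = _normalize(own_domain)
        self.realmdomains = {self.own_domain}   # own domain is always listed
        self.managed_zones = set()              # zones served by IPA DNS
        self.txt_records = {}                   # zone -> [(name, value), ...]

    # ---- realmdomains-mod side (hypothetical API) ----
    def realmdomains_add(self, domain):
        d = _normalize(domain)
        if d in self.realmdomains:
            raise ValidationError("domain %s is already in realmdomains" % d)
        self.realmdomains.add(d)
        self._maybe_add_txt(d)

    def realmdomains_del(self, domain):
        d = _normalize(domain)
        if d == self.own_domain:
            raise ValidationError("own domain cannot be removed from realmdomains")
        if d not in self.realmdomains:
            raise ValidationError("domain %s is not in realmdomains" % d)
        self.realmdomains.discard(d)
        self.txt_records.pop(d, None)

    def _maybe_add_txt(self, d):
        # Only call the (modelled) dnsrecord-add when it can succeed:
        # the zone must be managed by IPA, and we never touch our own domain.
        if d == self.own_domain or d not in self.managed_zones:
            return False
        rec = ("_kerberos." + d, self.realm)   # assumed record form
        records = self.txt_records.setdefault(d, [])
        if rec not in records:
            records.append(rec)
        return True

    # ---- dnszone-* side (hypothetical API) ----
    def dnszone_add(self, zone):
        z = _normalize(zone)
        self.managed_zones.add(z)
        if z == self.own_domain:
            # Server install creates our own zone; it is already in
            # realmdomains, so calling realmdomains_add would only raise.
            return "skipped-own-domain"
        try:
            self.realmdomains_add(z)
        except ValidationError:
            # Admin listed the domain manually before the zone existed:
            # keep it and just add the TXT record back now that we manage it.
            self._maybe_add_txt(z)
            return "already-present"
        return "added"

    def dnszone_del(self, zone):
        z = _normalize(zone)
        self.managed_zones.discard(z)
        if z == self.own_domain:
            return "skipped-own-domain"
        try:
            self.realmdomains_del(z)
        except ValidationError:
            return "not-present"
        return "deleted"
```

Running `Realm("EXAMPLE.TEST", "example.test").dnszone_add("example.test.")` returns `"skipped-own-domain"` with no TXT record created, while a sub-zone goes through the full add-to-realmdomains-then-TXT path.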