[Freeipa-devel] [PATCH] 0017 Integrate realmdomains with IPA DNS

Martin Kosek mkosek at redhat.com
Fri Apr 12 10:44:40 UTC 2013


On 04/12/2013 12:20 PM, Ana Krivokapic wrote:
> On 04/11/2013 03:03 PM, Alexander Bokovoy wrote:
>> On Thu, 11 Apr 2013, Ana Krivokapic wrote:
>>> On 04/11/2013 01:43 PM, Alexander Bokovoy wrote:
>>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>>> On 11.4.2013 13:24, Alexander Bokovoy wrote:
>>>>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>>>>> On 11.4.2013 13:09, Ana Krivokapic wrote:
>>>>>>>> Integrate realmdomains with IPA DNS
>>>>>>>>
>>>>>>>> Add an entry to realmdomains when a DNS zone is added to IPA.
>>>>>>>> Delete the related entry from realmdomains when the DNS zone is
>>>>>>>> deleted from IPA.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/3544
>>>>>>>
>>>>>>> I would add a TXT record as I described in
>>>>>>> https://fedorahosted.org/freeipa/ticket/3544#comment:8
>>>>>>>
>>>>>>> This integration probably should go to both commands, realmdomains-*
>>>>>>> dnszone-*.
>>>>>>>
>>>>>>> Any objections? AB?
>>>>>> Adding a TXT record is probably harmless.
>>>>>>
>>>>>> I would actually add the TXT record creation only to realmdomains-* and
>>>>>> trigger it only in case we manage our DNS and the DNS zone is there.
>>>>>> This way a hook from dnszone-add will trigger adding the TXT record back
>>>>>> (via a call to realmdomains-mod --add and then TXT record addition from
>>>>>> there). Also the fact that the admin manually added some domain to the
>>>>>> realmdomains mapping means that it is implied to be used in obtaining
>>>>>> TGTs, so a TXT record is helpful there as well.
>>>>>
>>>>> Okay, it makes sense. We will see how it will work in reality.
>>>>
>>>> One more thing to check is that we don't do this for our own domain.
>>>>
>>>
>>> Our own domain is already in realmdomains by default, and it cannot be
>>> removed from there. So I don't think any check related to our domain is
>>> necessary.
>> We shouldn't start creating TXT records for our own domain, that's what
>> I'm asking for here.
>>
>> Think about server install stage -- we start creating our own domain and
>> the hook then causes a realmdomains entry to be created for the domain,
>> causing the realmdomains-mod code to raise a ValidationError which is not
>> handled in the dnszone-add code with this patch.
>>
>> Same for TXT record creation starting from realmdomains-mod side -- it
>> simply should avoid calling dnsrecord-add for the case we know wouldn't
>> work.
>>
> 
> I just realized that this ticket was not marked as RFE although it obviously is
> one. I fixed the ticket summary and wrote the design page for this enhancement:
> 
> http://www.freeipa.org/page/V3/DNS_realmdomains_integration
> 

Right, that was a good thing to do. I just have a comment on the UPN enumeration
image which you linked in the RFE - can you please process it, upload it to the
wiki and include it in the overview? This will make the RFE page more appealing
and it will also prevent us from having a broken link when Alexander removes
the file from his temporary directory.

Thanks,
Martin
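The failure mode Alexander describes above (the dnszone-add hook feeding the realm's own domain into realmdomains-mod, which raises ValidationError at server install time, and realmdomains-mod calling dnsrecord-add for a zone it cannot know exists) is easier to see as code. The following is an added illustration, not FreeIPA code from this patch or from the project: the `RealmDomains`, `DnsZones` and `ValidationError` classes are constructed stand-ins for the real plugins, and the `_kerberos` TXT record name is an assumption, not something the thread specifies.

```python
# Added example: a simplified model of the guarded hook logic discussed in the
# thread. Nothing here is FreeIPA's own API; the class names, the TXT record
# name "_kerberos" and the realm/domain values are assumptions for illustration.


class ValidationError(Exception):
    """Stands in for the error realmdomains-mod raises on an invalid domain."""


class DnsZones:
    """Constructed stand-in for IPA-managed DNS: zone -> {record name: [TXT values]}."""

    def __init__(self):
        self.zones = {}

    def zone_add(self, zone):
        self.zones.setdefault(zone, {})

    def zone_del(self, zone):
        self.zones.pop(zone, None)

    def record_add_txt(self, zone, name, value):
        # dnsrecord-add fails when the zone is not managed here.
        if zone not in self.zones:
            raise KeyError("zone %s is not managed by IPA DNS" % zone)
        self.zones[zone].setdefault(name, []).append(value)

    def txt_records(self, zone, name):
        return list(self.zones.get(zone, {}).get(name, []))


class RealmDomains:
    """Constructed stand-in for realmdomains: the own domain is present by default
    and cannot be added again or removed."""

    def __init__(self, realm, own_domain, dns):
        self.realm = realm
        self.own_domain = own_domain
        self.domains = {own_domain}
        self.dns = dns

    def add_domain(self, domain):
        # Current behaviour: re-adding the realm's own domain is a ValidationError.
        if domain == self.own_domain:
            raise ValidationError("%s is already the realm's own domain" % domain)
        self.domains.add(domain)
        # Alexander's point: only touch DNS when we manage the zone, so we never
        # call dnsrecord-add where we already know it cannot succeed.
        if domain in self.dns.zones:
            self.dns.record_add_txt(domain, "_kerberos", self.realm)

    def del_domain(self, domain):
        if domain == self.own_domain:
            raise ValidationError("the realm's own domain cannot be removed")
        self.domains.discard(domain)


def dnszone_add_hook(realmdomains, dns, zone):
    """Hook run by dnszone-add: register the new zone in realmdomains, guarded.

    Returns True when realmdomains was updated, False when the zone was skipped.
    """
    dns.zone_add(zone)
    # Skip the realm's own domain: this is exactly the server-install case where
    # an unguarded call would let ValidationError escape from dnszone-add.
    if zone == realmdomains.own_domain:
        return False
    realmdomains.add_domain(zone)
    return True


def dnszone_del_hook(realmdomains, dns, zone):
    """Hook run by dnszone-del: drop the zone from realmdomains, same guard."""
    dns.zone_del(zone)
    if zone == realmdomains.own_domain:
        return False
    realmdomains.del_domain(zone)
    return True
```

With the guard in place, creating the zone for the realm's own domain during install is a no-op for realmdomains, a zone for another managed domain gets both the realmdomains entry and the TXT record, and a domain added to realmdomains by hand whose zone is not managed in IPA DNS gets no dnsrecord-add call at all.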
