[Freeipa-devel] [PATCH] 0017 Integrate realmdomains with IPA DNS

Ana Krivokapic akrivoka at redhat.com
Fri Apr 12 11:26:42 UTC 2013 

On 04/12/2013 12:44 PM, Martin Kosek wrote:
> On 04/12/2013 12:20 PM, Ana Krivokapic wrote:
>> On 04/11/2013 03:03 PM, Alexander Bokovoy wrote:
>>> On Thu, 11 Apr 2013, Ana Krivokapic wrote:
>>>> On 04/11/2013 01:43 PM, Alexander Bokovoy wrote:
>>>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>>>> On 11.4.2013 13:24, Alexander Bokovoy wrote:
>>>>>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>>>>>> On 11.4.2013 13:09, Ana Krivokapic wrote:
>>>>>>>>> Integrate realmdomains with IPA DNS
>>>>>>>>>
>>>>>>>>> Add an entry to realmdomains when a DNS zone is added to IPA.
>>>>>>>>> Delete the
>>>>>>>>> related entry from  realmdomains when the DNS zone is deleted from
>>>>>>>>> IPA.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/3544
>>>>>>>> I would add a TXT record as I described in
>>>>>>>> https://fedorahosted.org/freeipa/ticket/3544#comment:8
>>>>>>>>
>>>>>>>> This integration probably should go to both commands, realmdomains-*
>>>>>>>> dnszone-*.
>>>>>>>>
>>>>>>>> Any objections? AB?
>>>>>>> Adding TXT record is probably harmless.
>>>>>>>
>>>>>>> I would actually add the TXT record creation only to realmdomains-* and
>>>>>>> trigger it only in case we manage our DNS and DNS zone is there.
>>>>>>> This way a hook from dnszone-add will trigger adding TXT record back
>>>>>>> (via call to
>>>>>>> realmdomains-mod --add and then TXT record addition from there). Also
>>>>>>> the fact that admin added manually some domain to realmdomains mapping
>>>>>>> means that it is implied to be used in obtaining TGTs, so TXT record is
>>>>>>> helpful there as well.
>>>>>> Okay, it makes sense. We will see how it will work in reality.
>>>>> One more thing to check is that we don't do this for our own domain.
>>>>>
>>>> Our own domain is already in realmdomains by default, and it cannot be
>>>> removed from there. So I don't think any check related to our domain is
>>>> necessary.
>>> We shouldn't start creating TXT records for our own domain, that's what
>>> I'm asking for here.
>>>
>>> Think about server install stage -- we start creating our own domain and
>>> the hook then causes to create realmdomains entry for the domain,
>>> causing realmdomains-mod code to raise ValidationError which is not
>>> handled in dnszone-add code with this patch.
>>>
>>> Same for TXT record creation starting from realmdomains-mod side -- it
>>> simply should avoid calling dnsrecord-add for the case we know wouldn't
>>> work.
>>>
>> I just realized that this ticket was not marked as RFE although it obviously is
>> one. I fixed the ticket summary and wrote the design page for this enhancement:
>>
>> http://www.freeipa.org/page/V3/DNS_realmdomains_integration
>>
> Right, that was a good thing to do. I just have comment for the UPN enumeration
> image which you linked in the RFE - can you please process it, upload to the
> wiki and include in the overview? This will make the RFE page more appealing
> and it will also prevent us from having a broken link when Alexander removes
> the file from his temporary directory.
>
> Thanks,
> Martin

Sure, done.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

More information about the Freeipa-devel mailing list