[Freeipa-devel] FreeIPA integration with external DNS services

Wed Dec 10 14:13:30 UTC 2014

On 9.12.2014 13:40, Martin Kosek wrote:
> On 12/03/2014 05:04 PM, Petr Spacek wrote:
>> On 2.12.2014 17:21, Simo Sorce wrote:
>>> On Tue, 02 Dec 2014 15:56:28 +0100
>>> Petr Spacek <pspacek at redhat.com> wrote:
>>>
>>>> On 1.12.2014 17:12, Simo Sorce wrote:
>>>>> On Mon, 01 Dec 2014 16:17:54 +0100
>>>>> Petr Spacek <pspacek at redhat.com> wrote:
>>>>>
>>>>>> On 14.11.2014 17:31, Petr Spacek wrote:
>>>>>>> On 14.11.2014 02:22, Simo Sorce wrote:
>>>>>>>> On Tue, 11 Nov 2014 16:29:51 +0100
>>>>>>>> Petr Spacek <pspacek at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> this thread is about RFE
>>>>>>>>> "IPA servers when installed should register themselves in the
>>>>>>>>> external DNS" https://fedorahosted.org/freeipa/ticket/4424
>>>>>>>>>
>>>>>>>>> It is not a complete design, just a raw idea.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Use case
>>>>>>>>> ========
>>>>>>>>> FreeIPA installation to a network with existing DNS
>>>>>>>>> infrastructure + network administrator who is not willing to
>>>>>>>>> add/maintain new DNS servers "just for FreeIPA".
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> High-level idea
>>>>>>>>> ===============
>>>>>>>>> - Transform dns* commands from FreeIPA framework to equivalent
>>>>>>>>> "nsupdate" commands and send DNS updates to existing DNS
>>>>>>>>> servers.
>>>>>>>>> - Provide necessary encryption/signing keys to nsupdate.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 1) Integration to FreeIPA framework
>>>>>>>>> ===================================
>>>>>>>>> First of all, we need to decide if "external DNS integration"
>>>>>>>>> can be used at the same time with FreeIPA-integrated DNS or not.
>>>>>>>>> Side-question is what to do if a first server is installed with
>>>>>>>>> external-DNS but another replica is being installed with
>>>>>>>>> integrated-DNS and so on.
>>>>>>>>
>>>>>>>> I think being able to integrate with an external DNS is
>>>>>>>> important, and not just at the server level, being able to
>>>>>>>> distribute TSIG keys to client would be nice too, though a lot
>>>>>>>> less important, than getting server integration..
>>>>>>>
>>>>>>> Using TSIG on many clients is very problematic. Keep in mind that
>>>>>>> TSIG is basically HMAC computed using symmetric key so:
>>>>>>> a) Every client would have to use the same key - this is a
>>>>>>> security nightmare. b) We would have to distribute and maintain
>>>>>>> many keys for many^2 clients, which is an administrative
>>>>>>> nightmare.
>>>>>>>
>>>>>>> For *clients* I would rather stay with GSS-TSIG which is much more
>>>>>>> manageable because we can use Kerberos trust and Keytab
>>>>>>> distribution is already solved by ipa-client-install.
>>>>>>>
>>>>>>> Alternative for clients would be to use FreeIPA server as proxy
>>>>>>> which encapsulates TSIG keys and issues update requests on behalf
>>>>>>> of clients. This would be FreeIPA-specific but any
>>>>>>> TSIG-distribution mechanism will be FreeIPA-specific anyway.
>>>>>>>
>>>>>>> TSIG standard explicitly says that there is no standardized
>>>>>>> distribution mechanism.
>>>>>>>
>>>>>>>>> In other words, the question is if current "dns.py" plugin
>>>>>>>>> shipped with FreeIPA framework should be:
>>>>>>>>>
>>>>>>>>> a) Extended dns.py with dnsexternal-* commands
>>>>>>>>> ----------------------------------------------
>>>>>>>>> Disadvantages:
>>>>>>>>> - It complicate FreeIPA DNS interface which is a complex beast
>>>>>>>>> even now.
>>>>>>>>> - We would have add condition to every DNS API call in
>>>>>>>>> installers which would increase horribleness of the installer
>>>>>>>>> code even more (or add another layer of abstraction...).
>>>>>>>>
>>>>>>>> I agree having a special command is undesirable.
>>>>>>>>>
>>>>>>>>> - I don't see a point in using integrated-DNS with external-DNS
>>>>>>>>> at the same time. To use integrated-DNS you have to get a
>>>>>>>>> proper DNS delegation from parent domain - and if you can get
>>>>>>>>> the delegation then there is no point in using external DNS ...
>>>>>>>>
>>>>>>>> I disagree on this point, it makes a lot of sense to have some
>>>>>>>> zones maintained by IPA and ... some not.
>>>>>>>>
>>>>>>>>> Advantages:
>>>>>>>>> - You can use external & integrated DNS at the same time.
>>>>>>>>
>>>>>>>> We can achieve the same w/o a new ipa level command.
>>>>>>>
>>>>>>> This needs to be decided by FreeIPA framework experts ...
>>>>>>>
>>>>>>> Petr^3 came up with clever 'proxy' idea for IPA-commands. This
>>>>>>> proxy would provide all ipa dns* commands and dispatch user-issued
>>>>>>> commands to appropriate FreeIPA-plugin (internal-dns or
>>>>>>> external-dns). This decision could depend on some values in LDAP.
>>>>>>>
>>>>>>>>> b) Replace dns.py with another implementation of current
>>>>>>>>> dnszone-* & dnsrecord-* API.
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> This seems like a cleaner approach to me. It could be shipped as
>>>>>>>>> ipa-server-dns-external package (opposed to "standard"
>>>>>>>>> ipa-server-dns package).
>>>>>>>>>
>>>>>>>>> Advantages:
>>>>>>>>> - It could seamlessly work with FreeIPA client installer because
>>>>>>>>> the dns*->nsupdate command transformation would be done on
>>>>>>>>> FreeIPA server and client doesn't need to know about it.
>>>>>>>>> - Does not require re-training/not much new documentation
>>>>>>>>> because commands are the same.
>>>>>>>>>
>>>>>>>>> Disadvantages:
>>>>>>>>> - You can't use integrated & external DNS at the same time (but
>>>>>>>>> I don't think it justifies the added complexity).
>>>>>>>>
>>>>>>>> I disagree.
>>>>>>>>
>>>>>>>> One of the reason to use a mix is to allow smooth migrations
>>>>>>>> where zones are moved into (or out of) IPA one by one.
>>>>>>>
>>>>>>> Good point, I agree. I will focus on supporting both (internal and
>>>>>>> external) DNS at the same time.
>>>>>>>
>>>>>>>>> Petr^3 or anyone else, what do you propose?
>>>>>>>>
>>>>>>>> I think what I'd like to see is to be able to configure a DNS
>>>>>>>> zone in LDAP and mark it external.
>>>>>>>> The zone would held the TSIG keys necessary to perform DNS
>>>>>>>> updates.
>>>>>>>>
>>>>>>>> When the regular ipa dnsrecord-add etc... commands are called,
>>>>>>>> the framework detects that the zone is "external", fewttches the
>>>>>>>> TSIG key (if the user has access to it) and spawn an nsupdate
>>>>>>>> command that will perform the update against whatever DNS server
>>>>>>>> is authoritative for the zone.
>>>>>>>>
>>>>>>>> Some commands may be disabled if the zone is external and
>>>>>>>> appropriate errors would be returned.
>>>>>>>
>>>>>>> Correct, this will be inevitable.
>>>>>>>
>>>>>>>>> 2) Authentication to external DNS server/keys
>>>>>>>>> =============================================
>>>>>>>>> This is separate problem from FreeIPA framework integration.
>>>>>>>>> We will have to somehow store raw symmetric keys (for DNS TSIG)
>>>>>>>>> or keytabs (for DNS GSS-TSIG) and distribute them somehow to
>>>>>>>>> replicas so every replica can update DNS records as necessary.
>>>>>>>>
>>>>>>>> For TSIG keys I think we should just store them in a LDAP record,
>>>>>>>> see above.
>>>>>>>
>>>>>>> Without any encryption? Am I missing something?
>>>>>>>
>>>>>>>> For keytabs we can simply store them just like any  other
>>>>>>>> kerberos key if we really need it (in a trust case for example,
>>>>>>>> we may not need a new keytab, we may be allowed to use our own
>>>>>>>> credentials through the trust. So we'll need to explore a bit
>>>>>>>> how to properly express that in configuration. REtrieval ok
>>>>>>>> keytabs is then just a matter of running ipa-getkeytab -r on the
>>>>>>>> replica that needs it.
>>>>>>>>
>>>>>>>>> This will be the funny part because in case of AD trusts we have
>>>>>>>>> chicken-egg problem. You need to establish trust to get ticket
>>>>>>>>> for DNS/dc1.ad.example at AD principal but you can't (I guess)
>>>>>>>>> establish trust until proper DNS records are in place ...
>>>>>>>>
>>>>>>>> No, in this case we should create the records at trust
>>>>>>>> establishment time using the admin credentials we have been
>>>>>>>> provided. NO chicken-egg issue.
>>>>>>>
>>>>>>> Sorry, we surely *have* a chicken-egg issue because
>>>>>>> ipa-server-install is completely separate step from from
>>>>>>> ipa-adtrust-install which is completely separate from ipa
>>>>>>> trust-add. (And there is nothing which forces user to establish AD
>>>>>>> trust right after ipa-server-install finished.)
>>>>>>>
>>>>>>> Also, in some cases it is not possible to use the same credentials
>>>>>>> for trust establishment and for DNS updates on AD. Think about
>>>>>>> one-way trust or possibly two-way trust but established using
>>>>>>> pre-shared trust secret (which is AFAIK not usable for kinit).
>>>>>>>
>>>>>>> Alexander, could you clarify if it is possible to create an AD
>>>>>>> trust *without* DNS records for FreeIPA side of the trust?
>>>>>>>
>>>>>>> Another problem is that reliance on AD trusts would effectively
>>>>>>> prevent interoperability with non-AD DNS servers (think Infoblox
>>>>>>> or standard BIND).
>>>>>>>
>>>>>>> I tend to think that we will need to obtain credentials (AD
>>>>>>> login/pass/keytab/TSIG key) as one of ipa-server-install
>>>>>>> parameters so all DNS updates can be done right away. This would
>>>>>>> allow us have ipa-server-install script which in fact produces
>>>>>>> *working* FreeIPA domain. In other cases ipa-server-install would
>>>>>>> end but the FreeIPA domain would not be functional because of
>>>>>>> missing records in DNS.
>>>>>>>
>>>>>>>>> For 'experimental' phase I would go with pre-populated CCcache,
>>>>>>>>> i.e. admin will manually do kinit Administrator at AD and then run
>>>>>>>>> FreeIPA installer.
>>>>>>>>
>>>>>>>> We already to this, so there is no need to invent anything here
>>>>>>>> IMO.
>>>>>>>
>>>>>>> Except for cases mentioned above ...
>>>>>>>
>>>>>>>>> Maybe we can re-use trust secret somehow? I don't know, I will
>>>>>>>>> reach out to AD experts with questions.
>>>>>>>>>
>>>>>>>>> This area needs more research but for now it seems feasible to
>>>>>>>>> re-use DNSSEC key distribution system for TSIG keys and keytabs
>>>>>>>>> so "only" the chicken-egg problem is left.
>>>>>>>>>
>>>>>>>>> This will need new LDAP schema but I will propose something when
>>>>>>>>> I'm done with investigation.
>>>>>>>>
>>>>>>>> Please let me know if you agree with a new zone type as a way to
>>>>>>>> "forward" updates.
>>>>>>>
>>>>>>> Generally I agree, it was my plan too. My main concern is not
>>>>>>> about LDAP structure but about FreeIPA framework and about
>>>>>>> workflow in general. It will be fun to extend the spaghetti code
>>>>>>> we have ...
>>>>>>
>>>>>> Ping :-) I would like to move the discussion forward.
>>>>>>
>>>>>> Alexander, could you please comment on authentication to AD
>>>>>> mentioned above?
>>>>>>
>>>>>> Simo and everybody else, what do you think about client use-case,
>>>>>> i.e. forwarding DNS updates from FreeIPA clients to external DNS
>>>>>> infrastructure? What about security implications (keeping in mind
>>>>>> that TSIG keys are symmetric)?
>>>>>>
>>>>>> Would it be feasible to use FreeIPA server as XML-RPC->DNS proxy
>>>>>> instead of nsupdate command (to hide TSIG key behind FreeIPA)?
>>>>>
>>>>> Remind me this, when a client tries to update the DNS, does it
>>>>> always contact its own DNS server first, or does it try to go
>>>>> straight to the authoritative DNS server?
>>>>
>>>> It should go straight to authoritative servers listed in NS records.
>>>>
>>>>> I do not like the XML-RPC->DNS approach as it requires a special
>>>>> client, leaving out the majority of clients.
>>>>
>>>> Yes, it is an option of last resort (because I don't see a way how to
>>>> be compatible with standard clients, see the point above).
>>>>
>>>>> Also, I am thinking that we only _need_ to set infrastructure
>>>>> relevant names (like IPA servers SRV records), but if someone
>>>>> decides not to use IPA for the DNS we may decide that it is not our
>>>>> responsibility to provide a full end-to-end client dns update
>>>>> solution.
>>>>
>>>> If we can agree on that then I'm fine with it.
>>>
>>> Yes the more I think of it, the more I prefer to wait in trying to
>>> solve the clients problem.
>>>
>>>>> So I would concentrate on making it possible for IPA *Servers* to
>>>>> use a private TSIG key to update infrastructure relevant names, and
>>>>> possibly defer the clients side of the problem.
>>>>
>>>> Speaking about native clients, two-way AD trust should nicely work
>>>> with clients because clients could go straight to the AD and
>>>> authenticate using host keytab from FreeIPA realm. It will not work
>>>> in other cases but it is still better than nothing.
>>>
>>> Yes, this has been accounted for.
>>>  
>>>>> We could use an internal bus on the server to allow the ipa
>>>>> framework to use nsupdate w/o gaining direct access to the TSIG
>>>>> key, this way admins can use ipa dnsrecod-add and friends w/o
>>>>> exposing the key.
>>>>
>>>> I agree with the idea but it depends on an authorization daemon you
>>>> have proposed earlier (in different discussion). Do you see it as
>>>> reasonable goal for FreeIPA 4.2 time-span?
>>>
>>> I wouldn't say a definite no, but I am not confident we can.
>>>
>>>> If the authorization daemon is too far away, would it be okay to
>>>> support external DNS domains only for ipa* installers but do not
>>>> support it for FreeIPA users? (I.e. basically store the key in HSM
>>>> which is not accessible to users - that is what we do with DNSSEC
>>>> keys now.)
>>>
>>> Yes I think it would be fine as a first step.
>>
>> Okay, I tried to summarize current goals on:
>> http://www.freeipa.org/page/V4/External_DNS_integration_with_installer
>>
>> At the moment I see a first obstacle:
>> $ ipa-replica-manage can authenticate to LDAP servers using:
>> - LDAPI (when running as root)
>> - GSSAPI
>> - DM password
>>
>> The problem is that we would need to have access to TSIG keys even when using
>> GSSAPI and DM password authentication ... so we again need the authorization
>> daemon.
>>
>>
>> Alternatively we can use Vault for TSIG key storage and use Vault's capability
>> to share keys among many users. In that case we don't have problem with key
>> distribution nor authorization.
> 
> I am not convinced we should grow Vault dependency for this functionality, it
> requires the whole PKI machinery to be available. Many deployments do not use
> it though.
> 
>> Another possibility is to say that replica-deletion can be done only by root
>> user or that updates to external DNS are supported only when running
>> ipa-replica-manage as root.
> 
> Why does root help? So that TSIG keys will be available on all IPA servers,
> regardless whether they have DNS service running or not?
The point is that we need to store TSIG keys "somewhere" to make them
available to ipa* scripts on all replica but at the same not to human-users.

BTW there don't need to be any 'DNS service' if only external DNS integration
is in use.

> It would be better to have the TSIG keys available using standard FreeIPA RBAC
> roles, i.e. DS ACIs so that privileged users can also use the TSIG. Or am I
> missing anything?

Ideologically - no, it sounds fine.
Technically - the problem is in implementation. We need a mechanism for secure
key distribution *among users*, i.e. Vault-like functionality. I would rather
not re-implement Vault just for external DNS.

I think that external DNS could depend on Vault (assuming that external DNS
support will be purely optional).

DNSSEC key distribution is very different because it distributes keys to
*servers* and there is no ACI mechanism on top of that - all DNS servers need
to know all the keys anyway.

Petr^2 Spacek

> I am also wondering that the design should be friendly to the Topology work
> that Ludwig is working on. I would it up to Simo to evaluate this part though.
> 
>>
>> Other tools (ipa-*install*) should not have this problem because they are
>> running under the root anyway.
>>
>> Ideas are more than welcome!