[Freeipa-devel] FreeIPA integration with external DNS services

Wed Dec 10 14:50:23 UTC 2014

On 12/10/2014 03:13 PM, Petr Spacek wrote:
> On 9.12.2014 13:40, Martin Kosek wrote:
>> On 12/03/2014 05:04 PM, Petr Spacek wrote:
>>> On 2.12.2014 17:21, Simo Sorce wrote:
>>>> On Tue, 02 Dec 2014 15:56:28 +0100
>>>> Petr Spacek <pspacek at redhat.com> wrote:
>>>>
>>>>> On 1.12.2014 17:12, Simo Sorce wrote:
>>>>>> On Mon, 01 Dec 2014 16:17:54 +0100
>>>>>> Petr Spacek <pspacek at redhat.com> wrote:
>>>>>>
>>>>>>> On 14.11.2014 17:31, Petr Spacek wrote:
>>>>>>>> On 14.11.2014 02:22, Simo Sorce wrote:
>>>>>>>>> On Tue, 11 Nov 2014 16:29:51 +0100
>>>>>>>>> Petr Spacek <pspacek at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> this thread is about RFE
>>>>>>>>>> "IPA servers when installed should register themselves in the
>>>>>>>>>> external DNS" https://fedorahosted.org/freeipa/ticket/4424
>>>>>>>>>>
>>>>>>>>>> It is not a complete design, just a raw idea.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Use case
>>>>>>>>>> ========
>>>>>>>>>> FreeIPA installation to a network with existing DNS
>>>>>>>>>> infrastructure + network administrator who is not willing to
>>>>>>>>>> add/maintain new DNS servers "just for FreeIPA".
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> High-level idea
>>>>>>>>>> ===============
>>>>>>>>>> - Transform dns* commands from FreeIPA framework to equivalent
>>>>>>>>>> "nsupdate" commands and send DNS updates to existing DNS
>>>>>>>>>> servers.
>>>>>>>>>> - Provide necessary encryption/signing keys to nsupdate.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 1) Integration to FreeIPA framework
>>>>>>>>>> ===================================
>>>>>>>>>> First of all, we need to decide if "external DNS integration"
>>>>>>>>>> can be used at the same time with FreeIPA-integrated DNS or not.
>>>>>>>>>> Side-question is what to do if a first server is installed with
>>>>>>>>>> external-DNS but another replica is being installed with
>>>>>>>>>> integrated-DNS and so on.
>>>>>>>>>
>>>>>>>>> I think being able to integrate with an external DNS is
>>>>>>>>> important, and not just at the server level, being able to
>>>>>>>>> distribute TSIG keys to client would be nice too, though a lot
>>>>>>>>> less important, than getting server integration..
>>>>>>>>
>>>>>>>> Using TSIG on many clients is very problematic. Keep in mind that
>>>>>>>> TSIG is basically HMAC computed using symmetric key so:
>>>>>>>> a) Every client would have to use the same key - this is a
>>>>>>>> security nightmare. b) We would have to distribute and maintain
>>>>>>>> many keys for many^2 clients, which is an administrative
>>>>>>>> nightmare.
>>>>>>>>
>>>>>>>> For *clients* I would rather stay with GSS-TSIG which is much more
>>>>>>>> manageable because we can use Kerberos trust and Keytab
>>>>>>>> distribution is already solved by ipa-client-install.
>>>>>>>>
>>>>>>>> Alternative for clients would be to use FreeIPA server as proxy
>>>>>>>> which encapsulates TSIG keys and issues update requests on behalf
>>>>>>>> of clients. This would be FreeIPA-specific but any
>>>>>>>> TSIG-distribution mechanism will be FreeIPA-specific anyway.
>>>>>>>>
>>>>>>>> TSIG standard explicitly says that there is no standardized
>>>>>>>> distribution mechanism.
>>>>>>>>
>>>>>>>>>> In other words, the question is if current "dns.py" plugin
>>>>>>>>>> shipped with FreeIPA framework should be:
>>>>>>>>>>
>>>>>>>>>> a) Extended dns.py with dnsexternal-* commands
>>>>>>>>>> ----------------------------------------------
>>>>>>>>>> Disadvantages:
>>>>>>>>>> - It complicate FreeIPA DNS interface which is a complex beast
>>>>>>>>>> even now.
>>>>>>>>>> - We would have add condition to every DNS API call in
>>>>>>>>>> installers which would increase horribleness of the installer
>>>>>>>>>> code even more (or add another layer of abstraction...).
>>>>>>>>>
>>>>>>>>> I agree having a special command is undesirable.
>>>>>>>>>>
>>>>>>>>>> - I don't see a point in using integrated-DNS with external-DNS
>>>>>>>>>> at the same time. To use integrated-DNS you have to get a
>>>>>>>>>> proper DNS delegation from parent domain - and if you can get
>>>>>>>>>> the delegation then there is no point in using external DNS ...
>>>>>>>>>
>>>>>>>>> I disagree on this point, it makes a lot of sense to have some
>>>>>>>>> zones maintained by IPA and ... some not.
>>>>>>>>>
>>>>>>>>>> Advantages:
>>>>>>>>>> - You can use external & integrated DNS at the same time.
>>>>>>>>>
>>>>>>>>> We can achieve the same w/o a new ipa level command.
>>>>>>>>
>>>>>>>> This needs to be decided by FreeIPA framework experts ...
>>>>>>>>
>>>>>>>> Petr^3 came up with clever 'proxy' idea for IPA-commands. This
>>>>>>>> proxy would provide all ipa dns* commands and dispatch user-issued
>>>>>>>> commands to appropriate FreeIPA-plugin (internal-dns or
>>>>>>>> external-dns). This decision could depend on some values in LDAP.
>>>>>>>>
>>>>>>>>>> b) Replace dns.py with another implementation of current
>>>>>>>>>> dnszone-* & dnsrecord-* API.
>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>> This seems like a cleaner approach to me. It could be shipped as
>>>>>>>>>> ipa-server-dns-external package (opposed to "standard"
>>>>>>>>>> ipa-server-dns package).
>>>>>>>>>>
>>>>>>>>>> Advantages:
>>>>>>>>>> - It could seamlessly work with FreeIPA client installer because
>>>>>>>>>> the dns*->nsupdate command transformation would be done on
>>>>>>>>>> FreeIPA server and client doesn't need to know about it.
>>>>>>>>>> - Does not require re-training/not much new documentation
>>>>>>>>>> because commands are the same.
>>>>>>>>>>
>>>>>>>>>> Disadvantages:
>>>>>>>>>> - You can't use integrated & external DNS at the same time (but
>>>>>>>>>> I don't think it justifies the added complexity).
>>>>>>>>>
>>>>>>>>> I disagree.
>>>>>>>>>
>>>>>>>>> One of the reason to use a mix is to allow smooth migrations
>>>>>>>>> where zones are moved into (or out of) IPA one by one.
>>>>>>>>
>>>>>>>> Good point, I agree. I will focus on supporting both (internal and
>>>>>>>> external) DNS at the same time.
>>>>>>>>
>>>>>>>>>> Petr^3 or anyone else, what do you propose?
>>>>>>>>>
>>>>>>>>> I think what I'd like to see is to be able to configure a DNS
>>>>>>>>> zone in LDAP and mark it external.
>>>>>>>>> The zone would held the TSIG keys necessary to perform DNS
>>>>>>>>> updates.
>>>>>>>>>
>>>>>>>>> When the regular ipa dnsrecord-add etc... commands are called,
>>>>>>>>> the framework detects that the zone is "external", fewttches the
>>>>>>>>> TSIG key (if the user has access to it) and spawn an nsupdate
>>>>>>>>> command that will perform the update against whatever DNS server
>>>>>>>>> is authoritative for the zone.
>>>>>>>>>
>>>>>>>>> Some commands may be disabled if the zone is external and
>>>>>>>>> appropriate errors would be returned.
>>>>>>>>
>>>>>>>> Correct, this will be inevitable.
>>>>>>>>
>>>>>>>>>> 2) Authentication to external DNS server/keys
>>>>>>>>>> =============================================
>>>>>>>>>> This is separate problem from FreeIPA framework integration.
>>>>>>>>>> We will have to somehow store raw symmetric keys (for DNS TSIG)
>>>>>>>>>> or keytabs (for DNS GSS-TSIG) and distribute them somehow to
>>>>>>>>>> replicas so every replica can update DNS records as necessary.
>>>>>>>>>
>>>>>>>>> For TSIG keys I think we should just store them in a LDAP record,
>>>>>>>>> see above.
>>>>>>>>
>>>>>>>> Without any encryption? Am I missing something?
>>>>>>>>
>>>>>>>>> For keytabs we can simply store them just like any  other
>>>>>>>>> kerberos key if we really need it (in a trust case for example,
>>>>>>>>> we may not need a new keytab, we may be allowed to use our own
>>>>>>>>> credentials through the trust. So we'll need to explore a bit
>>>>>>>>> how to properly express that in configuration. REtrieval ok
>>>>>>>>> keytabs is then just a matter of running ipa-getkeytab -r on the
>>>>>>>>> replica that needs it.
>>>>>>>>>
>>>>>>>>>> This will be the funny part because in case of AD trusts we have
>>>>>>>>>> chicken-egg problem. You need to establish trust to get ticket
>>>>>>>>>> for DNS/dc1.ad.example at AD principal but you can't (I guess)
>>>>>>>>>> establish trust until proper DNS records are in place ...
>>>>>>>>>
>>>>>>>>> No, in this case we should create the records at trust
>>>>>>>>> establishment time using the admin credentials we have been
>>>>>>>>> provided. NO chicken-egg issue.
>>>>>>>>
>>>>>>>> Sorry, we surely *have* a chicken-egg issue because
>>>>>>>> ipa-server-install is completely separate step from from
>>>>>>>> ipa-adtrust-install which is completely separate from ipa
>>>>>>>> trust-add. (And there is nothing which forces user to establish AD
>>>>>>>> trust right after ipa-server-install finished.)
>>>>>>>>
>>>>>>>> Also, in some cases it is not possible to use the same credentials
>>>>>>>> for trust establishment and for DNS updates on AD. Think about
>>>>>>>> one-way trust or possibly two-way trust but established using
>>>>>>>> pre-shared trust secret (which is AFAIK not usable for kinit).
>>>>>>>>
>>>>>>>> Alexander, could you clarify if it is possible to create an AD
>>>>>>>> trust *without* DNS records for FreeIPA side of the trust?
>>>>>>>>
>>>>>>>> Another problem is that reliance on AD trusts would effectively
>>>>>>>> prevent interoperability with non-AD DNS servers (think Infoblox
>>>>>>>> or standard BIND).
>>>>>>>>
>>>>>>>> I tend to think that we will need to obtain credentials (AD
>>>>>>>> login/pass/keytab/TSIG key) as one of ipa-server-install
>>>>>>>> parameters so all DNS updates can be done right away. This would
>>>>>>>> allow us have ipa-server-install script which in fact produces
>>>>>>>> *working* FreeIPA domain. In other cases ipa-server-install would
>>>>>>>> end but the FreeIPA domain would not be functional because of
>>>>>>>> missing records in DNS.
>>>>>>>>
>>>>>>>>>> For 'experimental' phase I would go with pre-populated CCcache,
>>>>>>>>>> i.e. admin will manually do kinit Administrator at AD and then run
>>>>>>>>>> FreeIPA installer.
>>>>>>>>>
>>>>>>>>> We already to this, so there is no need to invent anything here
>>>>>>>>> IMO.
>>>>>>>>
>>>>>>>> Except for cases mentioned above ...
>>>>>>>>
>>>>>>>>>> Maybe we can re-use trust secret somehow? I don't know, I will
>>>>>>>>>> reach out to AD experts with questions.
>>>>>>>>>>
>>>>>>>>>> This area needs more research but for now it seems feasible to
>>>>>>>>>> re-use DNSSEC key distribution system for TSIG keys and keytabs
>>>>>>>>>> so "only" the chicken-egg problem is left.
>>>>>>>>>>
>>>>>>>>>> This will need new LDAP schema but I will propose something when
>>>>>>>>>> I'm done with investigation.
>>>>>>>>>
>>>>>>>>> Please let me know if you agree with a new zone type as a way to
>>>>>>>>> "forward" updates.
>>>>>>>>
>>>>>>>> Generally I agree, it was my plan too. My main concern is not
>>>>>>>> about LDAP structure but about FreeIPA framework and about
>>>>>>>> workflow in general. It will be fun to extend the spaghetti code
>>>>>>>> we have ...
>>>>>>>
>>>>>>> Ping :-) I would like to move the discussion forward.
>>>>>>>
>>>>>>> Alexander, could you please comment on authentication to AD
>>>>>>> mentioned above?
>>>>>>>
>>>>>>> Simo and everybody else, what do you think about client use-case,
>>>>>>> i.e. forwarding DNS updates from FreeIPA clients to external DNS
>>>>>>> infrastructure? What about security implications (keeping in mind
>>>>>>> that TSIG keys are symmetric)?
>>>>>>>
>>>>>>> Would it be feasible to use FreeIPA server as XML-RPC->DNS proxy
>>>>>>> instead of nsupdate command (to hide TSIG key behind FreeIPA)?
>>>>>>
>>>>>> Remind me this, when a client tries to update the DNS, does it
>>>>>> always contact its own DNS server first, or does it try to go
>>>>>> straight to the authoritative DNS server?
>>>>>
>>>>> It should go straight to authoritative servers listed in NS records.
>>>>>
>>>>>> I do not like the XML-RPC->DNS approach as it requires a special
>>>>>> client, leaving out the majority of clients.
>>>>>
>>>>> Yes, it is an option of last resort (because I don't see a way how to
>>>>> be compatible with standard clients, see the point above).
>>>>>
>>>>>> Also, I am thinking that we only _need_ to set infrastructure
>>>>>> relevant names (like IPA servers SRV records), but if someone
>>>>>> decides not to use IPA for the DNS we may decide that it is not our
>>>>>> responsibility to provide a full end-to-end client dns update
>>>>>> solution.
>>>>>
>>>>> If we can agree on that then I'm fine with it.
>>>>
>>>> Yes the more I think of it, the more I prefer to wait in trying to
>>>> solve the clients problem.
>>>>
>>>>>> So I would concentrate on making it possible for IPA *Servers* to
>>>>>> use a private TSIG key to update infrastructure relevant names, and
>>>>>> possibly defer the clients side of the problem.
>>>>>
>>>>> Speaking about native clients, two-way AD trust should nicely work
>>>>> with clients because clients could go straight to the AD and
>>>>> authenticate using host keytab from FreeIPA realm. It will not work
>>>>> in other cases but it is still better than nothing.
>>>>
>>>> Yes, this has been accounted for.
>>>>  
>>>>>> We could use an internal bus on the server to allow the ipa
>>>>>> framework to use nsupdate w/o gaining direct access to the TSIG
>>>>>> key, this way admins can use ipa dnsrecod-add and friends w/o
>>>>>> exposing the key.
>>>>>
>>>>> I agree with the idea but it depends on an authorization daemon you
>>>>> have proposed earlier (in different discussion). Do you see it as
>>>>> reasonable goal for FreeIPA 4.2 time-span?
>>>>
>>>> I wouldn't say a definite no, but I am not confident we can.
>>>>
>>>>> If the authorization daemon is too far away, would it be okay to
>>>>> support external DNS domains only for ipa* installers but do not
>>>>> support it for FreeIPA users? (I.e. basically store the key in HSM
>>>>> which is not accessible to users - that is what we do with DNSSEC
>>>>> keys now.)
>>>>
>>>> Yes I think it would be fine as a first step.
>>>
>>> Okay, I tried to summarize current goals on:
>>> http://www.freeipa.org/page/V4/External_DNS_integration_with_installer
>>>
>>> At the moment I see a first obstacle:
>>> $ ipa-replica-manage can authenticate to LDAP servers using:
>>> - LDAPI (when running as root)
>>> - GSSAPI
>>> - DM password
>>>
>>> The problem is that we would need to have access to TSIG keys even when using
>>> GSSAPI and DM password authentication ... so we again need the authorization
>>> daemon.
>>>
>>>
>>> Alternatively we can use Vault for TSIG key storage and use Vault's capability
>>> to share keys among many users. In that case we don't have problem with key
>>> distribution nor authorization.
>>
>> I am not convinced we should grow Vault dependency for this functionality, it
>> requires the whole PKI machinery to be available. Many deployments do not use
>> it though.
>>
>>> Another possibility is to say that replica-deletion can be done only by root
>>> user or that updates to external DNS are supported only when running
>>> ipa-replica-manage as root.
>>
>> Why does root help? So that TSIG keys will be available on all IPA servers,
>> regardless whether they have DNS service running or not?
> The point is that we need to store TSIG keys "somewhere" to make them
> available to ipa* scripts on all replica but at the same not to human-users.
> 
> BTW there don't need to be any 'DNS service' if only external DNS integration
> is in use.
> 
>> It would be better to have the TSIG keys available using standard FreeIPA RBAC
>> roles, i.e. DS ACIs so that privileged users can also use the TSIG. Or am I
>> missing anything?
> 
> Ideologically - no, it sounds fine.
> Technically - the problem is in implementation. We need a mechanism for secure
> key distribution *among users*, i.e. Vault-like functionality. I would rather
> not re-implement Vault just for external DNS.
> 
> I think that external DNS could depend on Vault (assuming that external DNS
> support will be purely optional).
> 
> DNSSEC key distribution is very different because it distributes keys to
> *servers* and there is no ACI mechanism on top of that - all DNS servers need
> to know all the keys anyway.

So IIUC, the goal would be to put TSIG keys in the Vault and then make them
available for all IPA servers?

I am now not sure if the Vault as proposed can easily select a group of
principals to allow reading the Vault or if it is only confined for the
owner/user principal. We would need to ask Endi (CCed).