[Freeipa-devel] FreeIPA integration with external DNS services

Petr Spacek pspacek at redhat.com
Thu Dec 11 09:43:02 UTC 2014


On 10.12.2014 18:50, Simo Sorce wrote:
> On Wed, 10 Dec 2014 15:13:30 +0100
> Petr Spacek <pspacek at redhat.com> wrote:
> 
>> I think that external DNS could depend on Vault (assuming that
>> external DNS support will be purely optional).
> 
> TBH, I do not think this is a sensible option, the Vault will drag huge
> dependencies for now, and I would like to avoid that if all we need is
> to add a couple of A/SRV records to an external DNS.
> 
> If we can't come up with a service, I think I am ok telling admins they
> need to manually copy the TKEY (or use puppet or other similar
> configuration manager to push the key file around) on each replica, and
> we defer automatic distribution of TKEYs.
> 
> We will have a service that can give out keys, it is identified as
> necessary in the replica promotion proposal, so we'll eventually get
> there.

Thank you for the discussion. Now I would like to know in which direction we are
heading with external DNS support :-)

I have to admit that I don't understand why we are spending time on Vault and
at the same time we refuse to use it ...

Anyway, someone competent has to decide if we want to implement external DNS
support and:
- defer key distribution for now
- use Vault
- re-invent Vault and use that new cool thing

-- 
Petr^2 Spacek



