[Freeipa-devel] FreeIPA integration with external DNS services

Simo Sorce simo at redhat.com
Thu Dec 11 14:05:04 UTC 2014


On Thu, 11 Dec 2014 10:43:02 +0100
Petr Spacek <pspacek at redhat.com> wrote:

> On 10.12.2014 18:50, Simo Sorce wrote:
> > On Wed, 10 Dec 2014 15:13:30 +0100
> > Petr Spacek <pspacek at redhat.com> wrote:
> > 
> >> I think that external DNS could depend on Vault (assuming that
> >> external DNS support will be purely optional).
> > 
> > TBH, I do not think this is a sensible option, the Vault will drag
> > huge dependencies for now, and I would like to avoid that if all we
> > need is to add a couple of A/SRV records to an external DNS.
> > 
> > If we can't come up with a service, I think I am ok telling admins
> > they need to manually copy the TKEY (or use puppet or other similar
> > configuration manager to push the key file around) on each replica,
> > and we defer automatic distribution of TKEYs.
> > 
> > We will have a service that can give out keys, it is identified as
> > necessary in the replica promotion proposal, so we'll eventually get
> > there.
> 
> Thank you for the discussion. Now I would like to know in which direction
> we are heading with external DNS support :-)
> 
> I have to admit that I don't understand why we are spending time on
> Vault and at the same time we refuse to use it ...
> 
> Anyway, someone competent has to decide if we want to implement
> external DNS support and:
> - defer key distribution for now

I vote for deferring for now.

Simo.

> - use Vault
> - re-invent Vault and use that new cool thing
> 



-- 
Simo Sorce * Red Hat, Inc * New York



