[Freeipa-devel] FreeIPA integration with external DNS services

Martin Kosek mkosek at redhat.com
Thu Dec 11 14:36:55 UTC 2014


On 12/11/2014 03:05 PM, Simo Sorce wrote:
> On Thu, 11 Dec 2014 10:43:02 +0100
> Petr Spacek <pspacek at redhat.com> wrote:
> 
>> On 10.12.2014 18:50, Simo Sorce wrote:
>>> On Wed, 10 Dec 2014 15:13:30 +0100
>>> Petr Spacek <pspacek at redhat.com> wrote:
>>>
>>>> I think that external DNS could depend on Vault (assuming that
>>>> external DNS support will be purely optional).
>>>
>>> TBH, I do not think this is a sensible option, the Vault will drag
>>> huge dependencies for now, and I would like to avoid that if all we
>>> need is to add a couple of A/SRV records to an external DNS.
>>>
>>> If we can't come up with a service, I think I am ok telling admins
>>> they need to manually copy the TKEY (or use puppet or other similar
>>> configuration manager to push the key file around) on each replica,
>>> and we defer automatic distribution of TKEYs.
>>>
>>> We will have a service that can give out keys, it is identified as
>>> necessary in the replica promotion proposal, so we'll eventually get
>>> there.
>>
>> Thank you for the discussion. Now I would like to know in which direction
>> we are heading with external DNS support :-)
>>
>> I have to admit that I don't understand why we are spending time on
>> Vault and at the same time we refuse to use it ...
>>
>> Anyway, someone competent has to decide if we want to implement
>> external DNS support and:
>> - defer key distribution for now
> 
> I vote for deferring for now.
> 
> Simo.

+1, we can defer until we have Simo's KISS service from the replica promotion work:

http://www.freeipa.org/page/V4/Replica_Promotion#Key_Interchange_Security_Service_.28KISS.29

Same as Simo, I would also rather avoid the dependency on PKI&Vault for this
base infrastructure feature orthogonal to FreeIPA PKI.

Martin