[Freeipa-devel] FreeIPA integration with external DNS services

Simo Sorce simo at redhat.com
Fri Dec 12 15:49:46 UTC 2014


On Fri, 12 Dec 2014 10:20:28 +0100
Jan Cholasta <jcholast at redhat.com> wrote:

> Hi,
> 
> Dne 1.12.2014 v 17:12 Simo Sorce napsal(a):
> > On Mon, 01 Dec 2014 16:17:54 +0100
> > Petr Spacek <pspacek at redhat.com> wrote:
> >
> >> On 14.11.2014 17:31, Petr Spacek wrote:
> >>> On 14.11.2014 02:22, Simo Sorce wrote:
> >>>> I think what I'd like to see is to be able to configure a DNS
> >>>> zone in LDAP and mark it external.
> >>>> The zone would hold the TSIG keys necessary to perform DNS
> >>>> updates.
> >>>>
> >>>> When the regular ipa dnsrecord-add etc... commands are called,
> >>>> the framework detects that the zone is "external", fetches the
> >>>> TSIG key (if the user has access to it) and spawn an nsupdate
> >>>> command that will perform the update against whatever DNS server
> >>>> is authoritative for the zone.
> 
> >> Would it be feasible to use FreeIPA server as XML-RPC->DNS proxy
> >> instead of nsupdate command (to hide TSIG key behind FreeIPA)?
> 
> > I do not like the XML-RPC->DNS approach as it requires a special
> > client, leaving out the majority of clients.
> 
> I'm confused. Above you have suggested hiding the nsupdate machinery 
> behind the framework and now you are saying that you do not like the 
> XML-RPC->DNS approach. But the framework talks XML-RPC (and JSON-RPC) 
> and using *anything else* would require a special client. Or did you 
> mean some other XML-RPC->DNS?

I do not like XML-RPC -> DNS for when clients need to update the DNS.
For the FreeIPA server itself or the manager working through the
framework it is just fine of course, but then it is an internal detail.


> > Also, I am thinking that we only _need_ to set infrastructure
> > relevant names (like IPA servers SRV records), but if someone
> > decides not to use IPA for the DNS we may decide that it is not our
> > responsibility to provide a full end-to-end client dns update
> > solution.
> >
> > So I would concentrate on making it possible for IPA *Servers* to
> > use a private TSIG key to update infrastructure relevant names, and
> > possibly defer the clients side of the problem.
> >
> > We could use an internal bus on the server to allow the ipa
> > framework to use nsupdate w/o gaining direct access to the TSIG
> > key, this way admins can use ipa dnsrecord-add and friends w/o
> > exposing the key.
> 
> +1, we had a short discussion about external DNS with Petr yesterday
> and reached the same conclusion.

Nice :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
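The nsupdate-driven flow for an "external" zone discussed in this thread, as an added example that is not FreeIPA code: the zone entry fields, the use of the nsupdate command and the TSIG key handling are assumptions. The batch script is fed to nsupdate on stdin so the secret never appears on a command line, and caller-supplied fields are checked so they cannot smuggle extra update commands into the script.

```python
# Added example (not FreeIPA's own code): drive nsupdate for a zone marked
# "external", keeping the TSIG secret off the command line and validating
# the record fields before they are written into the nsupdate batch input.
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalZone:
    """Hypothetical view of an LDAP zone entry flagged external (field names assumed)."""
    name: str           # zone apex with trailing dot, e.g. "example.test."
    server: str         # authoritative server that accepts the signed update
    key_name: str       # TSIG key name
    key_algorithm: str  # e.g. "hmac-sha256"
    key_secret: str     # base64 TSIG secret, fetched only if the caller may read it


def _check_field(value: str, what: str) -> str:
    # Each nsupdate command is one line; a newline or NUL inside a field would
    # let a caller append commands such as "update delete ..." to the script.
    if not value or any(ch in value for ch in "\r\n\0"):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def build_nsupdate_script(zone: ExternalZone, name: str, rtype: str,
                          data: str, ttl: int = 3600) -> str:
    """Return the nsupdate batch input that adds one record inside the zone."""
    name = _check_field(name, "record name")
    rtype = _check_field(rtype, "record type")
    data = _check_field(data, "record data")
    fqdn = name if name.endswith(".") else f"{name}.{zone.name}"
    # Refuse names outside the external zone; the TSIG key is scoped to it.
    if fqdn != zone.name and not fqdn.endswith("." + zone.name):
        raise ValueError(f"{fqdn} is not inside zone {zone.name}")
    lines = [
        f"server {zone.server}",
        f"zone {zone.name}",
        f"key {zone.key_algorithm}:{zone.key_name} {zone.key_secret}",
        f"update add {fqdn} {int(ttl)} {rtype} {data}",
        "send",
    ]
    return "\n".join(lines) + "\n"


def run_nsupdate(script: str) -> None:
    """Run nsupdate with the script on stdin; the secret is never an argv entry."""
    subprocess.run(["nsupdate"], input=script, text=True, check=True)
```

The LDAP lookup that decides the zone is external and the access check on the key are left to the framework; only the script construction and the stdin hand-off are shown here.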