[Freeipa-devel] FreeIPA integration with external DNS services

Jan Cholasta jcholast at redhat.com
Fri Dec 12 09:20:28 UTC 2014


Hi,

On 1.12.2014 at 17:12 Simo Sorce wrote:
> On Mon, 01 Dec 2014 16:17:54 +0100
> Petr Spacek <pspacek at redhat.com> wrote:
>
>> On 14.11.2014 17:31, Petr Spacek wrote:
>>> On 14.11.2014 02:22, Simo Sorce wrote:
>>>> I think what I'd like to see is to be able to configure a DNS zone
>>>> in LDAP and mark it external.
>>>> The zone would hold the TSIG keys necessary to perform DNS updates.
>>>>
>>>> When the regular ipa dnsrecord-add etc... commands are called, the
>>>> framework detects that the zone is "external", fetches the TSIG
>>>> key (if the user has access to it) and spawns an nsupdate command
>>>> that will perform the update against whatever DNS server is
>>>> authoritative for the zone.

>> Would it be feasible to use FreeIPA server as XML-RPC->DNS proxy
>> instead of nsupdate command (to hide TSIG key behind FreeIPA)?

> I do not like the XML-RPC->DNS approach as it requires a special
> client, leaving out the majority of clients.

I'm confused. Above you have suggested hiding the nsupdate machinery 
behind the framework and now you are saying that you do not like the 
XML-RPC->DNS approach. But the framework talks XML-RPC (and JSON-RPC) 
and using *anything else* would require a special client. Or did you 
mean some other XML-RPC->DNS?

>
> Also, I am thinking that we only _need_ to set infrastructure relevant
> names (like IPA servers' SRV records), but if someone decides not to use
> IPA for the DNS we may decide that it is not our responsibility to
> provide a full end-to-end client dns update solution.
>
> So I would concentrate on making it possible for IPA *Servers* to use a
> private TSIG key to update infrastructure relevant names, and possibly
> defer the client side of the problem.
>
> We could use an internal bus on the server to allow the ipa framework
> to use nsupdate w/o gaining direct access to the TSIG key, this way
> admins can use ipa dnsrecord-add and friends w/o exposing the key.

+1, we had a short discussion about external DNS with Petr yesterday and 
reached the same conclusion.

Honza

-- 
Jan Cholasta
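The thread above turns on one mechanism: the "external" zone entry holds a TSIG key, and whatever sits between the framework and nsupdate signs each DNS UPDATE with it, so that the DNS server authoritative for the zone accepts the change. The following is an added example, not FreeIPA code and not nsupdate's implementation: it builds an RFC 2136 UPDATE that adds an infrastructure SRV record, signs it with hmac-sha256 TSIG as described in RFC 8945, and then verifies it the way the receiving server would, rejecting a tampered message, a wrong key and a stale timestamp. The zone `example.test.`, the key name `ipa-external-update.` and the randomly generated secret are constructed for the demonstration; it uses only the Python standard library.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed for this example: the key an "external" zone entry would hold.
KEY_NAME = "ipa-external-update."
KEY_SECRET = secrets.token_bytes(32)
HMAC_SHA256 = "hmac-sha256."
TSIG_TYPE, SRV_TYPE, SOA_TYPE, CLASS_IN, CLASS_ANY = 250, 33, 6, 1, 255


def encode_name(name):
    """Wire-encode a DNS name as uncompressed RFC 1035 labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(buf, off):
    """Offset just past the name at `off`; compression pointers are two bytes."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _read_name(buf, off):
    """Read an uncompressed name (TSIG owner and algorithm names must not be compressed)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0:
            raise ValueError("compressed name inside TSIG RR")
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_srv_update(zone, owner, ttl, priority, weight, port, target, msg_id=0x1234):
    """RFC 2136 UPDATE adding one SRV record: header, zone section, update section."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = encode_name(zone) + struct.pack("!HH", SOA_TYPE, CLASS_IN)
    rdata = struct.pack("!HHH", priority, weight, port) + encode_name(target)
    update = encode_name(owner) + struct.pack("!HHIH", SRV_TYPE, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update


def _tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """TSIG variables appended to the message before HMACing (RFC 8945 section 4.3.3)."""
    return (encode_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg.lower()) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, keyname, secret, time_signed=None, fudge=300):
    """Append an hmac-sha256 TSIG RR to an unsigned DNS message."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    digest_input = message + _tsig_variables(keyname, HMAC_SHA256, time_signed, fudge)
    mac = hmac.new(secret, digest_input, hashlib.sha256).digest()
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(HMAC_SHA256) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1  # the TSIG RR joins the additional section
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def tsig_verify(wire, keyring, now=None):
    """True if the trailing TSIG RR validates against keyring {name: secret} and is within fudge."""
    zocount, prcount, upcount, adcount = struct.unpack("!HHHH", wire[4:12])
    off = 12
    for _ in range(zocount):
        off = _skip_name(wire, off) + 4
    tsig_start = tsig_type = None
    for section, count in enumerate((prcount, upcount, adcount)):
        for _ in range(count):
            start = off
            off = _skip_name(wire, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            off += 10 + rdlen
            if section == 2:  # the TSIG RR must be the last additional record
                tsig_start, tsig_type = start, rtype
    if tsig_type != TSIG_TYPE or off != len(wire):
        raise ValueError("message does not end with a TSIG record")
    name, p = _read_name(wire, tsig_start)
    p += 10  # type, class, ttl, rdlength
    alg, p = _read_name(wire, p)
    time_signed = int.from_bytes(wire[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", wire[p + 6:p + 10])
    mac = wire[p + 10:p + 10 + mac_size]
    orig_id, error, other_len = struct.unpack("!HHH", wire[p + 10 + mac_size:p + 16 + mac_size])
    other = wire[p + 16 + mac_size:p + 16 + mac_size + other_len]
    keys = {k.lower().rstrip("."): v for k, v in keyring.items()}
    secret = keys.get(name.lower().rstrip("."))
    if secret is None or alg.lower().rstrip(".") != HMAC_SHA256.rstrip("."):
        return False  # BADKEY: unknown key name or unsupported algorithm
    # Rebuild the message as it was signed: original ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", adcount - 1) + wire[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_variables(name, alg, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False  # BADSIG: message or key differs from what was signed
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge  # BADTIME otherwise


def demo(now=1_700_000_000):
    """Sign an SRV update for the constructed zone and show what verification rejects."""
    keyring = {KEY_NAME: KEY_SECRET}
    target = "ipa1.example.test."
    msg = build_srv_update("example.test.", "_ldap._tcp.example.test.", 3600, 0, 100, 389, target)
    signed = tsig_sign(msg, KEY_NAME, KEY_SECRET, time_signed=now)
    tampered = bytearray(signed)
    tampered[len(msg) - len(encode_name(target)) - 1] ^= 0xFF  # flip the SRV port after signing
    return {
        "valid": tsig_verify(signed, keyring, now=now),
        "tampered": tsig_verify(bytes(tampered), keyring, now=now),
        "wrong_key": tsig_verify(signed, {KEY_NAME: secrets.token_bytes(32)}, now=now),
        "stale": tsig_verify(signed, keyring, now=now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The three rejection cases are the whole security argument for keeping the key out of the framework's reach: a TSIG MAC is only as strong as the secrecy of the shared key, so any process that can read the key can sign arbitrary updates for the zone, which is why the message proposes an internal bus that lets the framework request an nsupdate run without ever holding the key itself.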



