[Freeipa-devel] FreeIPA integration with external DNS services

Petr Spacek pspacek at redhat.com
Tue Nov 11 15:29:51 UTC 2014


Hello,

this thread is about the RFE
"IPA servers when installed should register themselves in the external DNS"
https://fedorahosted.org/freeipa/ticket/4424

It is not a complete design, just a raw idea.


Use case
========
FreeIPA installation into a network with existing DNS infrastructure + a network
administrator who is not willing to add/maintain new DNS servers "just for
FreeIPA".


High-level idea
===============
- Transform dns* commands from FreeIPA framework to equivalent "nsupdate"
commands and send DNS updates to existing DNS servers.
- Provide necessary encryption/signing keys to nsupdate.


1) Integration to FreeIPA framework
===================================
First of all, we need to decide if "external DNS integration" can be used at
the same time as FreeIPA-integrated DNS or not. A side question is what to do
if the first server is installed with external-DNS but another replica is being
installed with integrated-DNS and so on.

In other words, the question is whether the current "dns.py" plugin shipped with
the FreeIPA framework should be:

a) Extend dns.py with dnsexternal-* commands
--------------------------------------------
Disadvantages:
- It complicates the FreeIPA DNS interface, which is a complex beast even now.
- We would have to add a condition to every DNS API call in the installers, which
would increase the horribleness of the installer code even more (or add another
layer of abstraction...).
- I don't see a point in using integrated-DNS with external-DNS at the same
time. To use integrated-DNS you have to get a proper DNS delegation from the
parent domain - and if you can get the delegation then there is no point in
using external DNS ...

Advantages:
- You can use external & integrated DNS at the same time.


b) Replace dns.py with another implementation of the current dnszone-* &
dnsrecord-* API.
---------------------------------------------------------------------
This seems like a cleaner approach to me. It could be shipped as an
ipa-server-dns-external package (as opposed to the "standard" ipa-server-dns
package).

Advantages:
- It could seamlessly work with the FreeIPA client installer because the
dns*->nsupdate command transformation would be done on the FreeIPA server and
the client doesn't need to know about it.
- Does not require re-training/much new documentation because the commands are
the same.

Disadvantages:
- You can't use integrated & external DNS at the same time (but I don't think
it justifies the added complexity).


Petr^3 or anyone else, what do you propose?


2) Authentication to external DNS server/keys
=============================================
This is a separate problem from the FreeIPA framework integration.
We will have to somehow store raw symmetric keys (for DNS TSIG) or keytabs
(for DNS GSS-TSIG) and somehow distribute them to replicas so that every replica
can update DNS records as necessary.

This will be the funny part because in the case of AD trusts we have a
chicken-and-egg problem. You need to establish the trust to get a ticket for the
DNS/dc1.ad.example@AD principal but you can't (I guess) establish the trust until
proper DNS records are in place ...

For the 'experimental' phase I would go with a pre-populated ccache, i.e. the admin
will manually do kinit Administrator@AD and then run the FreeIPA installer.

Maybe we can re-use the trust secret somehow? I don't know, I will reach out to AD
experts with questions.

This area needs more research but for now it seems feasible to re-use the DNSSEC
key distribution system for TSIG keys and keytabs so "only" the chicken-and-egg
problem is left.

This will need a new LDAP schema but I will propose something when I'm done with
the investigation.

-- 
Petr^2 Spacek
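The "High-level idea" (turn dns* commands into nsupdate updates) and section 2 (hand nsupdate a TSIG key) of the message above come down to one wire exchange, shown here as an added example that is not code from this thread or from FreeIPA. It builds the RFC 2136 UPDATE that `ipa dnsrecord-add` would become for one IPA server's A record, signs it with a TSIG (RFC 2845, hmac-sha256) the way `nsupdate` does with the key it is given, and verifies it the way the external server does, answering with the TSIG RCODE name. Everything is standard library with no network I/O; the zone, host, key name and secret are made up, only A records and hmac-sha256 are handled, names are never compressed, and GSS-TSIG (the AD-trust case) is not covered.

```python
"""Added example: an RFC 2136 UPDATE for an IPA server's A record, TSIG-signed as nsupdate
would sign it with the key it is given, and verified as the external DNS server would.
Standard library only, no network I/O; zone, host and key below are constructed."""
import base64
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY, OPCODE_UPDATE = 1, 6, 250, 1, 255, 5
ALG_HMAC_SHA256 = "hmac-sha256."                        # TSIG algorithm id, in DNS name syntax
KEY_NAME = "ipa-update.example.com."                    # constructed TSIG key name
KEY_SECRET = b"constructed-example-key-not-for-real-use"  # constructed; nsupdate takes it base64-encoded

def encode_name(name):
    """Wire-format a domain name as uncompressed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def read_name(buf, off):
    """Inverse of encode_name; returns (name, offset after it). No compression pointers (never emitted here)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, a_records, msg_id=0x4A24):
    """UPDATE that adds A records; a_records = [(owner, ttl, ipv4)]; no prerequisite section."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(a_records), 0)  # ZO=1, PR=0, UP=n, AD=0
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    updates = b"".join(rr(o, TYPE_A, CLASS_IN, ttl, bytes(int(x) for x in ip.split(".")))
                       for o, ttl, ip in a_records)
    return header + zone_section + updates

def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC: key name, class ANY, TTL 0, algorithm, 48-bit time, fudge, error, other."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG_HMAC_SHA256)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other))
            + other)

def tsig_sign(message, keyname, secret, time_signed=None, fudge=300):
    """Client side (what nsupdate does): MAC over message + TSIG variables, append the TSIG RR, bump ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALG_HMAC_SHA256)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr(keyname, TYPE_TSIG, CLASS_ANY, 0, rdata)

def tsig_verify(signed, keys, now=None):
    """Server side: return the RCODE name the server would answer with; keys = {key name: secret}."""
    _, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    off, last = read_name(signed, 12)[1] + 4, None         # skip the zone section
    for _ in range(pr + up + ad):                           # walk every RR; the TSIG must be the last one
        last = off
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!HHIH", signed[off:off + 10])[3]
    keyname, p = read_name(signed, last)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG:
        return "REFUSED"                                    # unsigned update against a TSIG-only policy
    alg, p = read_name(signed, p + 10)
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", signed[p:p + 10])
    mac, p = signed[p + 10:p + 10 + mac_len], p + 10 + mac_len
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    if keyname not in keys or alg != ALG_HMAC_SHA256:
        return "BADKEY"
    time_signed = (t_hi << 32) | t_lo
    unsigned = struct.pack("!HHHHHH", original_id, flags, zo, pr, up, ad - 1) + signed[12:last]  # pre-signing form
    expected = hmac.new(keys[keyname], unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    now = int(time.time()) if now is None else now
    return "BADTIME" if abs(now - time_signed) > fudge else "NOERROR"

def nsupdate_script(server, zone, a_records, keyname, secret):
    """The nsupdate stdin the IPA server would emit for the same dnsrecord-add call."""
    lines = [f"server {server}", f"key hmac-sha256:{keyname} {base64.b64encode(secret).decode()}",
             f"zone {zone}"] + [f"update add {o} {ttl} IN A {ip}" for o, ttl, ip in a_records]
    return "\n".join(lines + ["send", ""])

if __name__ == "__main__":
    recs = [("ipa1.example.com.", 300, "192.0.2.10")]
    signed = tsig_sign(build_update("example.com.", recs), KEY_NAME, KEY_SECRET)
    print(nsupdate_script("ns1.example.com", "example.com.", recs, KEY_NAME, KEY_SECRET))
    print("server answers:", tsig_verify(signed, {KEY_NAME: KEY_SECRET}))
```

Run it as a script to see the nsupdate equivalent and the server's verdict; `tsig_verify` returns BADSIG for a flipped byte in the A record or a wrong secret, BADKEY for an unknown key name, BADTIME outside the 300-second fudge window, and REFUSED for an update with no TSIG at all. The point for the thread's section 2 is visible in the code: whoever holds `KEY_SECRET` (every replica, per the proposal) can produce NOERROR updates for the whole zone, so the store-and-distribute mechanism is the security boundary, not the signature itself.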



