[Freeipa-devel] FreeIPA integration with external DNS services
Petr Spacek
pspacek at redhat.com
Tue Nov 11 15:29:51 UTC 2014
Hello,
this thread is about RFE
"IPA servers when installed should register themselves in the external DNS"
https://fedorahosted.org/freeipa/ticket/4424
It is not a complete design, just a raw idea.
Use case
========
FreeIPA installation to a network with existing DNS infrastructure + network
administrator who is not willing to add/maintain new DNS servers "just for
FreeIPA".
High-level idea
===============
- Transform dns* commands from FreeIPA framework to equivalent "nsupdate"
commands and send DNS updates to existing DNS servers.
- Provide necessary encryption/signing keys to nsupdate.
1) Integration to FreeIPA framework
===================================
First of all, we need to decide if "external DNS integration" can be used at
the same time with FreeIPA-integrated DNS or not. Side-question is what to do
if a first server is installed with external-DNS but another replica is being
installed with integrated-DNS and so on.
In other words, the question is whether the current "dns.py" plugin shipped with
the FreeIPA framework should be:
a) Extended: dns.py with dnsexternal-* commands
-----------------------------------------------
Disadvantages:
- It complicates the FreeIPA DNS interface, which is a complex beast even now.
- We would have to add a condition to every DNS API call in installers, which would
increase the horribleness of the installer code even more (or add another layer of
abstraction...).
- I don't see a point in using integrated-DNS with external-DNS at the same
time. To use integrated-DNS you have to get a proper DNS delegation from
parent domain - and if you can get the delegation then there is no point in
using external DNS ...
Advantages:
- You can use external & integrated DNS at the same time.
b) Replaced: dns.py swapped for another implementation of the current dnszone-* & dnsrecord-* API
------------------------------------------------------------------------------------------------
This seems like a cleaner approach to me. It could be shipped as
ipa-server-dns-external package (opposed to "standard" ipa-server-dns package).
Advantages:
- It could seamlessly work with the FreeIPA client installer because the
dns*->nsupdate command transformation would be done on the FreeIPA server and
the client doesn't need to know about it.
- Does not require re-training/not much new documentation because commands are
the same.
Disadvantages:
- You can't use integrated & external DNS at the same time (but I don't think
it justifies the added complexity).
Petr^3 or anyone else, what do you propose?
2) Authentication to external DNS server/keys
=============================================
This is a separate problem from FreeIPA framework integration.
We will have to somehow store raw symmetric keys (for DNS TSIG) or keytabs
(for DNS GSS-TSIG) and distribute them somehow to replicas so every replica
can update DNS records as necessary.
This will be the funny part because in the case of AD trusts we have a
chicken-and-egg problem. You need to establish the trust to get a ticket for the
DNS/dc1.ad.example at AD principal, but you can't (I guess) establish the trust
until proper DNS records are in place ...
For the 'experimental' phase I would go with a pre-populated ccache, i.e. the admin
will manually do kinit Administrator at AD and then run the FreeIPA installer.
Maybe we can re-use trust secret somehow? I don't know, I will reach out to AD
experts with questions.
This area needs more research, but for now it seems feasible to re-use the DNSSEC
key distribution system for TSIG keys and keytabs, so "only" the chicken-and-egg
problem is left.
This will need a new LDAP schema, but I will propose something when I'm done with
the investigation.
--
Petr^2 Spacek
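The dns*->nsupdate transformation from the "High-level idea" and option b), together with the TSIG / GSS-TSIG credential choice from section 2, as an added example. This is not FreeIPA project code and not part of the original post; the class and function names (ExternalDnsTarget, build_nsupdate_batch, nsupdate_argv, send_update), the key file path and the sample server, zone and address are all constructed for the example. It renders a dnsrecord-style add/delete into the command batch nsupdate reads on stdin, rejects owner names or rdata that could smuggle an extra command into that batch, and starts nsupdate with exactly one credential mechanism (-k for a TSIG key file, -g for GSS-TSIG using the caller's Kerberos ccache).

```python
"""Added example (not FreeIPA project code): turn a dnsrecord-style
add/delete request into the batch of commands that nsupdate reads on
stdin, and pick the credential flag nsupdate is started with (TSIG key
file, or GSS-TSIG via the caller's Kerberos ccache).  All names below
(ExternalDnsTarget, build_nsupdate_batch, nsupdate_argv, send_update and
the /etc/ipa/... path) are assumptions made for this example."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Whitespace in an owner name, or a line break inside rdata, would start a
# new nsupdate command in the batch, so such input is rejected up front.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.*@-]+$")
_RDATA_BAD = re.compile(r"[\r\n]")


@dataclass(frozen=True)
class ExternalDnsTarget:
    server: str                         # external DNS server receiving the update
    zone: str                           # zone the record belongs to
    tsig_keyfile: Optional[str] = None  # TSIG key file for 'nsupdate -k'
    use_gsstsig: bool = False           # use the Kerberos ccache instead ('nsupdate -g')


def _fqdn(name: str, zone: str) -> str:
    """Turn a relative owner name into the absolute name nsupdate expects."""
    zone = zone.rstrip(".") + "."
    if name == "@":
        return zone
    if name.endswith("."):
        return name
    return f"{name}.{zone}"


def build_nsupdate_batch(target, op, name, rrtype, rdata, ttl=300) -> str:
    """Return the text to feed into nsupdate's stdin for one add/delete."""
    if op not in ("add", "delete"):
        raise ValueError(f"unsupported operation: {op!r}")
    if not _NAME_RE.match(name):
        raise ValueError(f"refusing unsafe owner name {name!r}")
    for r in rdata:
        if not r or _RDATA_BAD.search(r):
            raise ValueError(f"refusing unsafe rdata {r!r}")
    owner = _fqdn(name, target.zone)
    lines = [f"server {target.server}", f"zone {target.zone.rstrip('.')}."]
    for r in rdata:
        if op == "add":
            lines.append(f"update add {owner} {ttl} IN {rrtype} {r}")
        else:
            # 'update delete' takes no TTL; naming the rdata removes only that RR
            lines.append(f"update delete {owner} IN {rrtype} {r}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def nsupdate_argv(target) -> List[str]:
    """Pick exactly one credential mechanism for the nsupdate invocation."""
    if bool(target.tsig_keyfile) == target.use_gsstsig:
        raise ValueError("configure exactly one of tsig_keyfile or use_gsstsig")
    if target.use_gsstsig:
        return ["nsupdate", "-g"]                      # GSS-TSIG with the current ccache
    return ["nsupdate", "-k", target.tsig_keyfile]     # TSIG key read from a file


def send_update(target, batch: str) -> None:
    """Run nsupdate with the batch on stdin; raises if the update is refused."""
    subprocess.run(nsupdate_argv(target), input=batch, text=True, check=True)


if __name__ == "__main__":
    # Constructed sample values; no real server is contacted here.
    tgt = ExternalDnsTarget("ns1.example.net", "example.com",
                            tsig_keyfile="/etc/ipa/external-dns.key")
    print(" ".join(nsupdate_argv(tgt)))
    print(build_nsupdate_batch(tgt, "add", "ipa1", "A", ["192.0.2.10"]), end="")
```

With GSS-TSIG the ccache has to exist before the installer runs, which is exactly the pre-populated ccache step described for the experimental phase; the argv helper refuses a target that names both or neither mechanism so a misconfigured replica fails early instead of sending an unsigned update.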