[Freeipa-devel] How to support Designate?

Rich Megginson rmeggins at redhat.com
Wed Jul 8 15:10:34 UTC 2015


On 07/08/2015 04:31 AM, Petr Spacek wrote:
> On 1.7.2015 17:12, Rich Megginson wrote:
>> On 07/01/2015 09:10 AM, Petr Spacek wrote:
>>> On 1.7.2015 16:43, Rich Megginson wrote:
>>>> How much work would it be to support IPA as an AXFR/IXFR client or server with
>>>> Designate?  Right now, their miniDNS component only supports being a master
>>>> and sending updates via AXFR, but they have IXFR support planned.
>>> I need to read more about it. Could you please point me to some comprehensive
>>> docs about Designate?
>>>
>>> Thanks!
>>>
>> http://docs.openstack.org/developer/designate/architecture.html
> Designate in setups with mini-DNS acts as DNS master server, i.e. the only
> source of DNS data/truth. Currently FreeIPA can act only as master, too, which
> is not possible.

By "master" do you mean "unable to accept AXFR/IXFR from another server"?

>
> I can see several alternatives:
>
> A) Add support for slave zones to FreeIPA.
> It should be relatively easy and I guess doable in Fedora 23 time frame if it
> gets appropriate priority.
>
> For plain/insecure DNS zones it will allow us to use FreeIPA in place of any
> other DNS server but the added value will be negligible because FreeIPA acting
> as a slave cannot change the data.
>
> The real added value could be the ability of FreeIPA to DNSSEC-sign zones and
> do the DNSSEC key management. I believe that we should be able to re-use
> machinery we implemented for master zones in FreeIPA so DNSSEC signing for
> slave zones should be almost 'for free'.
>
> When implemented, FreeIPA could become the easiest way to secure DNS in
> Designate with DNSSEC technology even in cases where all the data are managed
> by Designate API.

This sounds interesting.  This seems like it would fit in with the 
typical OpenStack use case - create a new host, assign it a hostname in 
a sub-zone.

>
>
> B) We can avoid implementing slave zones by using 'agent':
> http://docs.openstack.org/developer/designate/glossary.html
>
> If I'm not mistaken, this is what you implemented last year.

I implemented support in Designate for a FreeIPA backend which used the 
JSON HTTPS API to send updates from Designate to FreeIPA.
Designate has deprecated support for backends.

The agent approach is basically putting a "mini-DNS"-like daemon on each 
system which can accept AXFR from Designate.  This agent would then use 
the backend code I developed to send the data to FreeIPA.

>
>
> C) We can say that combining FreeIPA DNS and Designate does not make sense and
> drop what you did last year.

It was already dropped when the backend approach was deprecated.

> In current architecture it really does not add
> any value *unless* we add DNSSEC to the mix.
>
>
> D) Integrate IPA installers with Designate API.
> This is somehow complementary to variants A (and C) and would allow us to
> automatically add DNS records required by FreeIPA to Designate during FreeIPA
> installation and replica management.

I wrote a script (ipaextractor.py) that will extract DNS data from 
FreeIPA and store it in Designate.  That would be a good place to start.

>
>
> In my opinion variants A+D are the best way to move forward. What do you think?
>

If we could change Designate in some way to work better with FreeIPA, 
what would you propose?
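As an added illustration of variant A (not code from this thread, nor from FreeIPA or Designate): a BIND 9 named.conf fragment, assuming the BIND name server that FreeIPA's DNS service is built on, a Designate mini-DNS master at the constructed address 192.0.2.10, and DNSSEC keys already generated with dnssec-keygen into the key-directory. It shows the same Designate-fed zone first as a plain slave zone and then with inline signing, which is the "DNSSEC for a slave zone" arrangement the variant describes. Zone names, the address and the TSIG secret are placeholders.

```conf
// Added example, not part of the thread or of FreeIPA/Designate.
// Assumes BIND 9.9+ (the name server underlying FreeIPA DNS) and a
// Designate mini-DNS master at the constructed address 192.0.2.10.

// TSIG key shared with the Designate master so that NOTIFY and AXFR/IXFR
// are authenticated rather than accepted on source address alone.
key "designate-xfr" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, generate with tsig-keygen
};

// Plain slave zone: data arrives by AXFR/IXFR and is served unchanged.
// This is the "negligible added value" case from variant A: the slave
// cannot alter the records and adds no protection the master lacks.
zone "plain.example.test" IN {
    type slave;
    masters { 192.0.2.10 key "designate-xfr"; };
    allow-notify { 192.0.2.10; };
    allow-transfer { none; };
    file "slaves/plain.example.test.db";
};

// Slave zone with inline signing ("bump in the wire"): the unsigned zone
// is still transferred from Designate, but this server signs it, keeps the
// RRSIGs fresh and maintains the ZSK/KSK found in key-directory on its own.
// Designate's API remains the sole source of record data; DNSSEC is added
// without Designate being aware of it, which is the point of variant A.
zone "signed.example.test" IN {
    type slave;
    masters { 192.0.2.10 key "designate-xfr"; };
    allow-notify { 192.0.2.10; };
    allow-transfer { none; };
    file "slaves/signed.example.test.db";
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "/etc/named/keys/signed.example.test";
};
```

After a reload, `dig +dnssec @<this-server> signed.example.test SOA` should return RRSIG records that the plain zone does not carry; the chain of trust is only complete once the KSK's DS record is published in the parent zone, which the signing slave cannot do by itself and which would still need to go through whoever controls the parent.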
