[Freeipa-devel] How to support Designate?
Rich Megginson
rmeggins at redhat.com
Wed Jul 8 18:45:11 UTC 2015
On 07/08/2015 11:56 AM, Rich Megginson wrote:
> On 07/08/2015 10:11 AM, Petr Spacek wrote:
>> On 8.7.2015 17:10, Rich Megginson wrote:
>>> On 07/08/2015 04:31 AM, Petr Spacek wrote:
>>>> On 1.7.2015 17:12, Rich Megginson wrote:
>>>>> On 07/01/2015 09:10 AM, Petr Spacek wrote:
>>>>>> On 1.7.2015 16:43, Rich Megginson wrote:
>>>>>>> How much work would it be to support IPA as an AXFR/IXFR client
>>>>>>> or server
>>>>>>> with
>>>>>>> Designate? Right now, their miniDNS component only supports
>>>>>>> being a master
>>>>>>> and sending updates via AXFR, but they have IXFR support planned.
>>>>>> I need to read more about it. Could you please point me to some
>>>>>> comprehensive
>>>>>> docs about Designate?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>> http://docs.openstack.org/developer/designate/architecture.html
>>>> Designate in setups with mini-DNS acts as DNS master server, i.e.
>>>> the only
>>>> source of DNS data/truth. Currently FreeIPA can act only as master,
>>>> too, which
>>>> is not possible.
>>> By "master" do you mean "unable to accept AXFR/IXFR from another
>>> server"?
>> Sort of. DNS is conceptually built around concept of single
>> authoritative
>> database hosted on Primary Master server. The database is then
>> transferred
>> using AXFR to Slave servers, which are read-only (and can forward update
>> requests to the Primary Master).
>>
>> See http://tools.ietf.org/html/rfc2136#section-1
>>
>> The Primary Master server is the place where changes are made. There
>> is by
>> definition only one primary master server per zone, so FreeIPA and
>> Designare
>> cannot be Primary Masters at the same time.
>>
>> We need to decide who is going to have control over the data.
>>
>>>> I can see several alternatives:
>>>>
>>>> A) Add support for slave zones to FreeIPA.
>>>> It should be relatively easy and I guess doable in Fedora 23 time
>>>> frame if it
>>>> gets appropriate priority.
>>>>
>>>> For plain/insecure DNS zones it will allow us to use FreeIPA in
>>>> place of any
>>>> other DNS server but the added value will be negligible because
>>>> FreeIPA acting
>>>> as a slave cannot change the data.
>>>>
>>>> The real added value could be the ability of FreeIPA to DNSSEC-sign
>>>> zones and
>>>> do the DNSSEC key management. I believe that we should be able to
>>>> re-use
>>>> machinery we implemented for master zones in FreeIPA so DNSSEC
>>>> signing for
>>>> slave zones should be almost 'for free'.
>>>>
>>>> When implemented, FreeIPA could become the easiest way how to
>>>> secure DNS in
>>>> Designate with DNSSEC technology even in cases where all the data
>>>> are managed
>>>> by Designate API.
>>> This sounds interesting. This seems like it would fit in with the
>>> typical
>>> OpenStack use case - create a new host, assign it a hostname in a
>>> sub-zone.
>> To be sure we understood each other:
>> In the scenarios where FreeIPA acts as Slave server, the change is
>> done in
>> Designate and then a new version of the DNS zone is transferred to
>> FreeIPA.
>> After that FreeIPA can DNSSEC-sign the zone and serve the signed
>> version to
>> the clients.
>>
>>
>>>> B) We can avoid implementing slave zones by using 'agent':
>>>> http://docs.openstack.org/developer/designate/glossary.html
>>>>
>>>> If I'm not mistaken, this is what you implemented last year.
>>> I implemented support in Designate for a FreeIPA backend which used
>>> the JSON
>>> HTTPS API to send updates from Designate to FreeIPA.
>>> Designate has deprecated support for backends.
>>>
>>> The agent approach is basically putting a "mini-DNS"-like daemon on
>>> each
>>> system which can accept AXFR from Designate. This agent would then
>>> use the
>>> backend code I developed to send the data to FreeIPA.
>> Wow, that is a lot of complexity. I suspect that something like this is
>> already implemented in dnssyncd written by Martin Basti:
>> https://github.com/bastiak/dnssyncd
How does this work? Does it receive zone transfer (AXFR? IXFR?) from a
DNS master, then update LDAP with those records?
>>
>> Anyway, I do not see any value in doing so in this particular scenario.
>> Designate would be the authoritative source of data (Primary Master)
>> so from
>> functional point of view it would be the same (or worse) than variant
>> (A),
>> just with more code and more error prone.
>>
>>
>>>> C) We can say that combining FreeIPA DNS and Designate does not
>>>> make sense and
>>>> drop what you did last year.
>>> It was already dropped when the backend approach was deprecated.
>>>
>>>> In current architecture it really does not add
>>>> any value *unless* we add DNSSEC to the mix.
>>>>
>>>>
>>>> D) Integrate IPA installers with Designate API.
>>>> This is somehow complementary to variants A (and C) and would allow
>>>> us to
>>>> automatically add DNS records required by FreeIPA to Designate
>>>> during FreeIPA
>>>> installation and replica management.
>>> I wrote a script (ipaextractor.py) that will extract DNS data from
>>> FreeIPA and
>>> store it in Designate. That would be a good place to start.
>> Generally FreeIPA should integrate with other DNS server
>> implementations in a
>> way similar to this:
>> https://fedorahosted.org/freeipa/ticket/4424
>> http://www.freeipa.org/page/V4/External_DNS_integration_with_installer
>>
>> Hopefully 4.3 timeframe will allow us to work on that.
>>
>>>> In my opinion variants A+D are the best way to move forward. What
>>>> do you think?
>>>>
>>> If we could change Designate in some way to work better with
>>> FreeIPA, what
>>> would you propose?
>> How much can we change? :-D I liked the original architecture where
>> Designate
>> just 'proxied' change requests to DNS implementations/backends.
>
> Me too, but we didn't/don't have much say in the direction/design that
> Designate takes . . .
>
>>
>> Assuming that Designate wants to own DNS and be Primary Master, it
>> would be
>> awesome if they could support standard DNS UPDATE protocol (RFC 2136)
>> alongside their own JSON API.
>>
>> The JSON API is superset of DNS UPDATE protocol because it allows to
>> add zones
>> but still, standard protocol would mean that standard client
>> (possibly guest
>> OS inside VM) can update its records without any OpenStack
>> dependency, which
>> is very much desirable.
>>
>> The use case here is to allow the guest OS to publish it's SSH key
>> (which was
>> generated inside the VM after first boot) to prevent Man in the middle
>> attacks. The same goes for all other sorts of DANE/DNSSEC data or
>> service
>> discovery using DNS, where a guest/container running a distributed
>> service can
>> publish it's existence in DNS.
>>
>> DNS UPDATE supports GSS(API) for authentication via RFC 3007 and that is
>> widely supported, too.
>>
>> So DNS UPDATE is my biggest wish :-)
>>
> Ok. There was a Designate blueprint for such a feature, but I can't
> find it and neither can the Designate guys. There is a mention of
> nsupdate in the minidns blueprint, but that's about it. The fact that
> Designate upstream can't find the bp suggests that this is not a high
> priority for them and will not likely implement it on their own i.e.
> we would have to contribute this feature.
>
> If Designate had such a feature, how would this help us integrate
> FreeIPA with Designate?
>
>
More information about the Freeipa-devel
mailing list