[Freeipa-users] DNS views: request for comments
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Tue Oct 1 15:40:27 UTC 2013
On 10/01/2013 09:11 AM, Petr Spacek wrote:
> Hello list,
>
> we would like to get more details about DNS views and how you use them
> in real life. Also, any idea how a user interface should work is more
> than welcome!
>
> (If you don't know views, read it as "differentiate answer to a DNS
> query on client's IP address basis".)
>
>
> Questions are:
> - For what purpose do you use views?
> E.g. handling clients inside/outside of company network (e.g. hiding
> internal names); Selecting nearest server in a big network; Some other
> weird 'Cloud' scenarios etc. etc.
>
> - How many views do you use?
>
> - Do you share some data between views? How did you solve that? Do you
> use some user interface for that?
>
> - Do you use DNS updates? (nsupdate/RFC 2136/RFC 3007)
>
> Previous discussions about DNS views:
> https://www.redhat.com/archives/freeipa-users/2012-April/msg00070.html
> https://www.redhat.com/archives/freeipa-devel/2012-May/msg00208.html
>
> Related tickets & bugs:
> https://fedorahosted.org/freeipa/ticket/2802
> https://bugzilla.redhat.com/show_bug.cgi?id=815621
> https://fedorahosted.org/freeipa/ticket/3725
> https://fedorahosted.org/bind-dyndb-ldap/ticket/69
>
>
> The next step will be to design LDAP schema for DNS data with views ...
>
> I can see three basic options:
>
> 1) Resign from any data sharing, which will make the thing pretty easy :-)
> In that case 'view1' will be represented by one sub-tree in LDAP,
> 'view2' will be another sub-tree etc.
>
> 2) Select one sub-tree which will be 'the base' containing all shared
> records. All other views will inherit and override data from the shared
> 'base'.
>
> 3) Make it as general as possible and allow multiple levels of
> inheritance. View3 inherits from View2 and it inherits from Base.
> (View3 <- View2 <- Base)
>
> It is basically a generalized variant of (2), but it could require a
> different LDAP schema.
>
>
> Please post your opinions!
>
We use split-horizon, or DNS views, very simply. We have an internal
view and an external view.

I am not really sure if I buy into the whole security aspect of views;
however, with NAT it seems pointless to publish all of your non-routable
records out there in the world. Hence internal and external.

I have spoken with other organizations that have many views (a view for
the Tokyo office, a view for the Beijing office, etc.); however, for the
most part they are all trying to get to a simpler internal and external
only view to save their sanity.

I do share data between views. In my zone I have a common file of all
data that is going to be in both views, which is then included in the
respective view files. It just makes it simpler to edit it in one place.
And in fact in our case the common file is the external view, as the
internal view only adds entries. If that makes sense.

The zones are all dynamic in my case; this just simplifies key
management for DNSSEC as I allow BIND to handle most of the work. So yes,
I use DNS updates. However, for the most part what I end up doing is
freezing the zone/view, editing the file and then thawing the zone/view.
However, my needs are very modest.

Views and DNSSEC are the only two reasons why I don't use the integrated
DNS that is part of IPA. Y'all fix these two and you got me :).

I can't speak much for the LDAP layout; y'all are better than me in that
regard. But the above is my general usage scenario.
-Erinn
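The setup Erinn describes (an external view that doubles as the shared data, an internal view that only adds or overrides records, views selected by client address) is the same shape as Petr's option (2): one 'base' sub-tree plus per-view overrides. The following is an added example, not code from the thread, FreeIPA or bind-dyndb-ldap, that models that resolution order in plain Python and adds the check a defender wants on such a layout: confirm that no RFC 1918 address is answered to an external client. All names, addresses and the `BASE`/`VIEWS` structures are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the thread). BASE plays the role of
# Erinn's "common file" / Petr's shared 'base' sub-tree: records that every
# view inherits. Each entry in VIEWS holds only its own additions/overrides.
BASE = {
    ("www.example.test.", "A"): ["203.0.113.10"],   # public address
    ("mail.example.test.", "A"): ["203.0.113.25"],
}

# View order matters: like BIND's match-clients, the first view whose
# client list matches the querying address wins.
VIEWS = [
    {
        "name": "internal",
        "match_clients": ["10.0.0.0/8", "172.16.0.0/12",
                          "192.168.0.0/16", "127.0.0.0/8"],
        "records": {
            ("www.example.test.", "A"): ["10.1.1.10"],       # override of BASE
            ("intranet.example.test.", "A"): ["10.1.1.20"],  # internal-only name
        },
    },
    {
        "name": "external",
        "match_clients": ["0.0.0.0/0", "::/0"],
        "records": {},  # nothing beyond the shared base
    },
]

# RFC 1918 space: the "non-routable records" that should never leak outside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def select_view(client_ip, views=VIEWS):
    """Return the first view whose match_clients contains client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for view in views:
        for prefix in view["match_clients"]:
            net = ipaddress.ip_network(prefix)
            if addr.version == net.version and addr in net:
                return view
    return None  # no view matched; a real server would refuse the query


def resolve(client_ip, name, rtype, views=VIEWS, base=BASE):
    """Answer a query as the selected view would: view override first,
    then the shared base. Returns a list of rdata ([] means no such record),
    or None when no view matches the client."""
    view = select_view(client_ip, views)
    if view is None:
        return None
    key = (name.lower(), rtype.upper())
    if key in view["records"]:
        return view["records"][key]
    return base.get(key, [])


def rfc1918_leaks(client_ip, views=VIEWS, base=BASE):
    """Audit helper: every (name, address) pair answered to client_ip whose
    address lies in RFC 1918 space. For an external vantage point the
    expected result is an empty list."""
    names = set(base) | {k for v in views for k in v["records"]}
    leaks = []
    for name, rtype in sorted(names):
        if rtype != "A":
            continue
        for rdata in resolve(client_ip, name, rtype, views, base) or []:
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in RFC1918):
                leaks.append((name, rdata))
    return leaks


if __name__ == "__main__":
    for client in ("10.0.0.5", "198.51.100.7"):
        view = select_view(client)["name"]
        print(client, "->", view,
              "www =", resolve(client, "www.example.test.", "A"),
              "leaks =", rfc1918_leaks(client))
```

The audit deliberately checks explicit RFC 1918 prefixes rather than Python's `is_private`, because the latter also flags documentation ranges such as 203.0.113.0/24, which would make the constructed public addresses look like leaks. In a real deployment the same check is worth running against the live server from an address outside `match-clients`, since an ACL mistake in view order is exactly the failure this layout is prone to.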