[Freeipa-users] DNS views: request for comments

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Oct 1 15:40:27 UTC 2013


On 10/01/2013 09:11 AM, Petr Spacek wrote:
> Hello list,
>
> we would like to get more details about DNS views and how you use them
> in real life. Also, any idea how a user interface should work is more
> than welcome!
>
> (If you don't know views, read it as "differentiate the answer to a DNS
> query on the basis of the client's IP address".)
>
>
> Questions are:
> - For what purpose do you use views?
> E.g. handling clients inside/outside of company network (e.g. hiding
> internal names); Selecting nearest server in a big network; Some other
> weird 'Cloud' scenarios etc. etc.
>
> - How many views do you use?
>
> - Do you share some data between views? How did you solve that? Do you
> use some user interface for that?
>
> - Do you use DNS updates? (nsupdate/RFC 2136/RFC 3007)
>
> Previous discussions about DNS views:
> https://www.redhat.com/archives/freeipa-users/2012-April/msg00070.html
> https://www.redhat.com/archives/freeipa-devel/2012-May/msg00208.html
>
> Related tickets & bugs:
> https://fedorahosted.org/freeipa/ticket/2802
> https://bugzilla.redhat.com/show_bug.cgi?id=815621
> https://fedorahosted.org/freeipa/ticket/3725
> https://fedorahosted.org/bind-dyndb-ldap/ticket/69
>
>
> The next step will be to design LDAP schema for DNS data with views ...
>
> I can see three basic options:
>
> 1) Resign from any data sharing, which will make the thing pretty easy :-)
> In that case 'view1' will be represented by one sub-tree in LDAP,
> 'view2' will be another sub-tree etc.
>
> 2) Select one sub-tree which will be 'the base' containing all shared
> records. All other views will inherit and override data from the shared
> 'base'.
>
> 3) Make it as general as possible and allow multiple levels of
> inheritance. View3 inherits from View2 and it inherits from Base.
> (View3 <- View2 <- Base)
>
> It is basically a generalized variant of (2), but it could require a
> different LDAP schema.
>
>
> Please post your opinions!
>

We use split-horizon, or DNS views, very simply. We have an internal 
view and an external view.

I am not really sure if I buy into the whole security aspect of views; 
however, with NAT it seems pointless to publish all of your non-routable 
records out there in the world. Hence internal and external.

I have spoken with other organizations that have many views (a view for 
the Tokyo office, a view for the Beijing office, etc.); however, for the 
most part they are all trying to get to a simpler internal-and-external-
only view to save their sanity.

I do share data between views. In my zone I have a common file of all 
data that is going to be in both views, which is then included in the 
respective view files. It just makes it simpler to edit it in one place. 
And in fact, in our case the common file is the external view, as the 
internal view only adds entries. If that makes sense.

The zones are all dynamic in my case; this just simplifies key 
management for DNSSEC, as I allow BIND to handle most of the work. So yes, 
I use DNS updates. However, for the most part what I end up doing is 
freezing the zone/view, editing the file, and then thawing the zone/view. 
However, my needs are very modest.

Views and DNSSEC are the only two reasons why I don't use the integrated 
DNS that is part of IPA. Y'all fix these two and you got me :).

I can't speak much for the LDAP layout, y'all are better than me in that 
regard. But the above is my general usage scenario.

-Erinn
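The following is an added illustration for this thread, not code from FreeIPA, bind-dyndb-ldap or either poster. It models the two things discussed above in one small script: view selection by client address (Petr's "differentiate the answer on the basis of the client's IP address") with the shared-base-plus-override data layout of options (2) and (3) (Base <- internal <- tokyo), and Erinn's internal/external split where the external data is the common part and the internal view only adds or overrides entries. It also includes a defender's check that no RFC 1918 address is published through the external view, which is the NAT concern Erinn raises. All names (example.test), addresses (203.0.113.0/24 documentation range) and the View/resolve API are constructed for this example.

```python
"""Split-horizon DNS with view inheritance: a small model of the options
discussed in the thread (illustrative only; not BIND or bind-dyndb-ldap code).
Sample zone data below is constructed for the example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

RecordSet = Dict[Tuple[str, str], List[str]]  # (owner name, type) -> rdata list

# Non-routable IPv4 space (RFC 1918); used by the leak check below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class View:
    """One view: the client networks it answers, its own records and an
    optional parent view whose data it inherits (options 2 and 3)."""

    def __init__(self, name: str, match_clients: List[str], records: RecordSet,
                 parent: Optional["View"] = None):
        self.name = name
        self.match_clients = [ipaddress.ip_network(n) for n in match_clients]
        self.records = records
        self.parent = parent

    def matches(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        # 'in' across IPv4/IPv6 simply returns False, so mixed lists are fine.
        return any(ip in net for net in self.match_clients)

    def effective_records(self) -> RecordSet:
        """Walk Base -> ... -> this view; each level overrides any (name, type)
        already set by its ancestors and adds its own records."""
        chain: List[View] = []
        v: Optional[View] = self
        while v is not None:
            chain.append(v)
            v = v.parent
        merged: RecordSet = {}
        for v in reversed(chain):  # base first, most specific view last
            merged.update(v.records)
        return merged

    def lookup(self, name: str, rtype: str) -> Optional[List[str]]:
        return self.effective_records().get((name, rtype))


def select_view(views: List[View], client_ip: str) -> Optional[View]:
    """First view whose match list contains the client wins (first-match order,
    as in BIND's named.conf), so list the most specific views first."""
    for v in views:
        if v.matches(client_ip):
            return v
    return None


def resolve(views: List[View], client_ip: str, name: str,
            rtype: str) -> Tuple[Optional[str], Optional[List[str]]]:
    """Return (view name, rdata) the client would see, or (None, None)."""
    v = select_view(views, client_ip)
    if v is None:
        return None, None
    return v.name, v.lookup(name, rtype)


def rfc1918_leaks(view: View) -> List[Tuple[str, str]]:
    """Defender's check: A records in the view's effective data that point at
    RFC 1918 space. For the external view this list should be empty."""
    leaks = []
    for (owner, rtype), rdata in view.effective_records().items():
        if rtype != "A":
            continue
        for addr in rdata:
            if any(ipaddress.ip_address(addr) in net for net in RFC1918):
                leaks.append((owner, addr))
    return sorted(leaks)


# --- constructed sample data: external data is the shared base ---
BASE = View("external", ["0.0.0.0/0", "::/0"], {
    ("www.example.test.", "A"): ["203.0.113.10"],
    ("mx.example.test.", "A"): ["203.0.113.25"],
})
INTERNAL = View("internal", ["10.0.0.0/8", "192.168.0.0/16"], {
    ("www.example.test.", "A"): ["10.0.0.10"],  # override: address behind the NAT
    ("ldap.example.test.", "A"): ["10.0.0.5"],  # internal-only name, absent from base
}, parent=BASE)
TOKYO = View("tokyo", ["10.20.0.0/16"], {
    ("www.example.test.", "A"): ["10.20.0.10"],  # nearest-server override (option 3)
}, parent=INTERNAL)
VIEWS = [TOKYO, INTERNAL, BASE]  # most specific first; BASE catches everything else

if __name__ == "__main__":
    for client in ("198.51.100.7", "10.0.0.77", "10.20.3.4"):
        for qname in ("www.example.test.", "mx.example.test.", "ldap.example.test."):
            print(client, qname, resolve(VIEWS, client, qname, "A"))
    print("RFC 1918 addresses visible in external view:", rfc1918_leaks(BASE))
```

The merge in `effective_records` is the whole difference between option (2) and option (3): with one parent level it is exactly "base plus overrides"; with a longer chain each view overrides its ancestors, and a name that exists only in the base (mx here) is still answered identically from every view, which is the data sharing Erinn gets today from his common include file. The `rfc1918_leaks` check is the kind of test worth running against whichever view faces the internet after each edit.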