Hello, this thread is about RFE "IPA servers when installed should register themselves in the external DNS" https://fedorahosted.org/freeipa/ticket/4424
It is not a complete design, just a raw idea.

Use case
========
FreeIPA installation to a network with existing DNS infrastructure + a network administrator who is not willing to add/maintain new DNS servers "just for FreeIPA".

High-level idea
===============
- Transform dns* commands from the FreeIPA framework to equivalent "nsupdate" commands and send DNS updates to the existing DNS servers.
- Provide the necessary encryption/signing keys to nsupdate.

1) Integration to FreeIPA framework
===================================
First of all, we need to decide if "external DNS integration" can be used at the same time with FreeIPA-integrated DNS or not. A side question is what to do if the first server is installed with external DNS but another replica is being installed with integrated DNS, and so on.

In other words, the question is whether the current "dns.py" plugin shipped with the FreeIPA framework should be:

a) Extended dns.py with dnsexternal-* commands
----------------------------------------------
Disadvantages:
- It complicates the FreeIPA DNS interface, which is a complex beast even now.
- We would have to add a condition to every DNS API call in the installers, which would increase the horribleness of the installer code even more (or add another layer of abstraction...).
- I don't see a point in using integrated DNS with external DNS at the same time. To use integrated DNS you have to get a proper DNS delegation from the parent domain - and if you can get the delegation then there is no point in using external DNS ...

Advantages:
- You can use external & integrated DNS at the same time.

b) Replace dns.py with another implementation of the current dnszone-* & dnsrecord-* API.
---------------------------------------------------------------------
This seems like a cleaner approach to me. It could be shipped as an ipa-server-dns-external package (as opposed to the "standard" ipa-server-dns package).
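As an added illustration (not code from the RFE or from FreeIPA; the helper names are hypothetical and the server, zone and key values are constructed), this is what the dns* -> nsupdate transformation could look like for a single dnsrecord-add / dnsrecord-del call, with either a plain TSIG key or GSS-TSIG from the Kerberos ccache:

```python
"""Sketch of the dns* -> nsupdate translation: build the input that
`nsupdate` reads on stdin for one dnsrecord-add / dnsrecord-del call.
(Added illustration; hypothetical helper, not FreeIPA's dns.py.)"""
import subprocess
from typing import Iterable, Optional, Tuple


def owner_name(name: str, zone: str) -> str:
    """Absolute owner name; '@' means the zone apex, trailing dot kept."""
    zone = zone.rstrip(".") + "."
    if name in ("@", ""):
        return zone
    return name if name.endswith(".") else f"{name}.{zone}"


def nsupdate_script(server: str, zone: str, name: str, rtype: str,
                    values: Iterable[str], ttl: int = 3600,
                    delete: bool = False,
                    tsig: Optional[Tuple[str, str, str]] = None) -> str:
    """Return nsupdate input equivalent to one dnsrecord-add/-del call.

    tsig = (algorithm, keyname, base64 secret) for plain TSIG; pass None
    for GSS-TSIG, where `nsupdate -g` takes the key from the Kerberos ccache.
    The secret travels on stdin, so it never shows up in the process list.
    """
    lines = [f"server {server}", f"zone {zone.rstrip('.')}."]
    if tsig is not None:
        algorithm, keyname, secret = tsig
        lines.append(f"key {algorithm}:{keyname} {secret}")
    owner = owner_name(name, zone)
    for value in values:
        if delete:
            lines.append(f"update delete {owner} IN {rtype} {value}")
        else:
            lines.append(f"update add {owner} {ttl} IN {rtype} {value}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(script: str, gsstsig: bool) -> subprocess.CompletedProcess:
    """Feed the script to nsupdate; -g selects GSS-TSIG (needs a valid ticket)."""
    cmd = ["nsupdate"] + (["-g"] if gsstsig else [])
    return subprocess.run(cmd, input=script, text=True, capture_output=True)


if __name__ == "__main__":
    # Constructed example: the Kerberos SRV record a server would register.
    print(nsupdate_script("ns1.example.com", "example.com", "_kerberos._tcp",
                          "SRV", ["0 100 88 ipa1.example.com."],
                          tsig=("hmac-sha256", "ipa-update", "c2VjcmV0")))
```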
Advantages:
- It could seamlessly work with the FreeIPA client installer because the dns*->nsupdate command transformation would be done on the FreeIPA server and the client doesn't need to know about it.
- Does not require re-training/not much new documentation because the commands are the same.

Disadvantages:
- You can't use integrated & external DNS at the same time (but I don't think it justifies the added complexity).

Petr^3 or anyone else, what do you propose?

2) Authentication to external DNS server/keys
=============================================
This is a separate problem from FreeIPA framework integration. We will have to somehow store raw symmetric keys (for DNS TSIG) or keytabs (for DNS GSS-TSIG) and distribute them somehow to replicas so every replica can update DNS records as necessary.

This will be the funny part because in case of AD trusts we have a chicken-and-egg problem. You need to establish the trust to get a ticket for the DNS/dc1.ad.example@AD principal but you can't (I guess) establish the trust until proper DNS records are in place ...

For the 'experimental' phase I would go with a pre-populated ccache, i.e. the admin will manually do kinit Administrator@AD and then run the FreeIPA installer. Maybe we can re-use the trust secret somehow? I don't know, I will reach out to AD experts with questions.

This area needs more research but for now it seems feasible to re-use the DNSSEC key distribution system for TSIG keys and keytabs so "only" the chicken-and-egg problem is left. This will need new LDAP schema but I will propose something when I'm done with the investigation.

-- 
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel