On Thu, 11 Dec 2014 10:43:02 +0100 Petr Spacek <pspa...@redhat.com> wrote:
> On 10.12.2014 18:50, Simo Sorce wrote:
> > On Wed, 10 Dec 2014 15:13:30 +0100
> > Petr Spacek <pspa...@redhat.com> wrote:
> >
> >> I think that external DNS could depend on Vault (assuming that
> >> external DNS support will be purely optional).
> >
> > TBH, I do not think this is a sensible option, the Vault will drag
> > huge dependencies for now, and I would like to avoid that if all we
> > need is to add a couple of A/SRV records to an external DNS.
> >
> > If we can't come up with a service, I think I am ok telling admins
> > they need to manually copy the TKEY (or use puppet or other similar
> > configuration manager to push the key file around) on each replica,
> > and we defer automatic distribution of TKEYs.
> >
> > We will have a service that can give out keys, it is identified as
> > necessary in the replica promotion proposal, so we'll eventually get
> > there.
>
> Thank you for discussion. Now I would like to know in which direction
> are we heading with external DNS support :-)
>
> I have to admit that I don't understand why we are spending time on
> Vault and at the same time we refuse to use it ...
>
> Anyway, someone competent has to decide if we want to implement
> external DNS support and:
> - defer key distribution for now

I vote for deferring for now.

Simo.

> - use Vault
> - re-invent Vault and use that new cool thing
>

--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel