On 12/11/2014 03:05 PM, Simo Sorce wrote:
> On Thu, 11 Dec 2014 10:43:02 +0100
> Petr Spacek <pspa...@redhat.com> wrote:
>
>> On 10.12.2014 18:50, Simo Sorce wrote:
>>> On Wed, 10 Dec 2014 15:13:30 +0100
>>> Petr Spacek <pspa...@redhat.com> wrote:
>>>
>>>> I think that external DNS could depend on Vault (assuming that
>>>> external DNS support will be purely optional).
>>>
>>> TBH, I do not think this is a sensible option; the Vault will drag in
>>> huge dependencies for now, and I would like to avoid that if all we
>>> need is to add a couple of A/SRV records to an external DNS.
>>>
>>> If we can't come up with a service, I think I am ok telling admins
>>> they need to manually copy the TKEY (or use puppet or another similar
>>> configuration manager to push the key file around) to each replica,
>>> and we defer automatic distribution of TKEYs.
>>>
>>> We will have a service that can give out keys; it is identified as
>>> necessary in the replica promotion proposal, so we'll eventually get
>>> there.
>>
>> Thank you for the discussion. Now I would like to know in which direction
>> we are heading with external DNS support :-)
>>
>> I have to admit that I don't understand why we are spending time on
>> Vault and at the same time we refuse to use it ...
>>
>> Anyway, someone competent has to decide if we want to implement
>> external DNS support and:
>> - defer key distribution for now
>
> I vote for deferring for now.
>
> Simo.
+1, we can defer until we have Simo's KISS service from the replica
promotion work:
http://www.freeipa.org/page/V4/Replica_Promotion#Key_Interchange_Security_Service_.28KISS.29

Same as Simo, I would also rather avoid the dependency on PKI&Vault for
this base infrastructure feature, which is orthogonal to the FreeIPA PKI.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel