On 09/14/2011 06:18 PM, Martin Kosek wrote:
Attached in the txt file. If you have any comments or suggestions to
this proposal, please let me know.


Your proposal seems fine for me. However I would recommend not to expose routines for managing DNSSEC related records because DNSSEC is currently not supported in the bind-dyndb-ldap. This doesn't mean you should remove code which handles those records, just don't expose them to users, please. Routines can be reused in future, when we decide how to handle DNSSEC in FreeIPA.

I checked the "dnsrecord-<rrtype>-add" list below and DNSSEC related records are DS, KEY, NSEC, RRSIG, SIG.

Regards, Adam



This is a proposal for API for per-DNS-type interface in FreeIPA.

There are many structured DNS RR types where DNS data is not just an IP address 
or a domain name, but a (often complex) data structure. Example of adding a 
structured DNS RR (LOC in this case):

ipa dnsrecord-add example.com @ --loc-rec "49 11 42.4 N 16 36 29.6 E 227.64m"

It may be difficult to enter such DNS record to FreeIPA without making error 
(which would lead to invalid zone in this case). For this reason, I have 
created at least basic validators in my patch 120 (ticket 1106).

Create API useful for both CLI and WebUI capable of creating these structured 
DNS types

ipa dnsrecord-add    Add new DNS resource record.
ipa dnsrecord-del    Delete DNS resource record.
ipa dnsrecord-find   Search for DNS resources.
ipa dnsrecord-mod    Modify a DNS resource record.
ipa dnsrecord-show   Display DNS resource.

Proposed API for all supported structured DNS follows:

ipa dnsrecord-afsdb-add --subtype=INT --hostname=STR
ipa dnsrecord-cert-add --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
ipa dnsrecord-ds-add --tag=INT --algorithm=ENUM --type=ENUM --digest=STR
ipa dnsrecord-key-add --flags=LIST --protocol=INT --algorithm=ENUM --digest=STR
ipa dnsrecord-kx-add --preference=INT --exchanger=STR
ipa dnsrecord-loc-add --lat-deg=INT --lat-min=INT --lat-sec=FLOAT 
--lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM 
--alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
ipa dnsrecord-mx-add --priority=INT --mailserver=STR
ipa dnsrecord-nsec-add --next=STR --types=LIST
ipa dnsrecord-naptr-add --order=INT --preference=INT --flag=ENUM --service=STR 
--regexp=STR --replacement=STR
ipa dnsrecord-sig-add --type=ENUM --algorithm=ENUM --labels=INT 
--original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT 
--signer=STR --signature=STR
ipa dnsrecord-srv-add --priority=INT --weight=INT --port=INT --target=STR
ipa dnsrecord-sshfp-add --algorithm=ENUM --type=ENUM --fingerprint=STR
ipa dnsrecord-rrsig-add  --type=ENUM --algorithm=ENUM --labels=INT 
--original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT 
--signer=STR --signature=STR

To support also modification of current records (i.e. replacement) we can add a 
"mod" equivalent, e.g.:
ipa dnsrecord-afsdb-mod --subtype=INT --hostname=STR
ipa dnsrecord-cert-mod --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR

I think this is what WebUI guys will want.

The available options for particular RR types will be based on RFC research I 
have already done for my patch 120. Lets see how the API will look.

1) LOC record example noted in the begging:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-min=11 --lat-sec=42.4 
--lat-dir=N --lon-deg=16 --lon-min=36 --lon-sec=29.6 --lon-dir=E --alt=227.64

Good thing about options is that we can divide then to mandatory and optional 
and provide defaults. In this case, one can enter imprecise LOC record with:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-dir=N --lon-deg=16 

2) Another example with CERT RR type:

ipa dnsrecord-add example.com foo --cert-rec="1 0 5 

ipa dnsrecord-cert-add example.com foo --type=PKIX --tag=0 --algorithm=RSASHA1 

Freeipa-devel mailing list

Freeipa-devel mailing list

Reply via email to