On 09/14/2011 06:18 PM, Martin Kosek wrote:
Attached in the txt file. If you have any comments or suggestions to
this proposal, please let me know.
https://fedorahosted.org/freeipa/ticket/1766
Your proposal seems fine to me. However, I would recommend not exposing
routines for managing DNSSEC-related records because DNSSEC is currently
not supported in bind-dyndb-ldap. This doesn't mean you should
remove code which handles those records, just don't expose them to
users, please. Routines can be reused in future, when we decide how to
handle DNSSEC in FreeIPA.
I checked the "dnsrecord-<rrtype>-add" list below and DNSSEC related
records are DS, KEY, NSEC, RRSIG, SIG.
Regards, Adam
new-dns-api.txt
https://fedorahosted.org/freeipa/ticket/1766
This is a proposal for API for per-DNS-type interface in FreeIPA.
There are many structured DNS RR types where the DNS data is not just an IP address
or a domain name, but an (often complex) data structure. Example of adding a
structured DNS RR (LOC in this case):
ipa dnsrecord-add example.com @ --loc-rec "49 11 42.4 N 16 36 29.6 E 227.64m"
It may be difficult to enter such a DNS record into FreeIPA without making an error
(which would lead to an invalid zone in this case). For this reason, I have
created at least basic validators in my patch 120 (ticket 1106).
GOAL:
Create API useful for both CLI and WebUI capable of creating these structured
DNS types
CURRENT API:
ipa dnsrecord-add Add new DNS resource record.
ipa dnsrecord-del Delete DNS resource record.
ipa dnsrecord-find Search for DNS resources.
ipa dnsrecord-mod Modify a DNS resource record.
ipa dnsrecord-show Display DNS resource.
PROPOSED API IMPROVEMENT:
Proposed API for all supported structured DNS types follows:
ipa dnsrecord-afsdb-add --subtype=INT --hostname=STR
ipa dnsrecord-cert-add --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
ipa dnsrecord-ds-add --tag=INT --algorithm=ENUM --type=ENUM --digest=STR
ipa dnsrecord-key-add --flags=LIST --protocol=INT --algorithm=ENUM --digest=STR
ipa dnsrecord-kx-add --preference=INT --exchanger=STR
ipa dnsrecord-loc-add --lat-deg=INT --lat-min=INT --lat-sec=FLOAT
--lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM
--alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
ipa dnsrecord-mx-add --priority=INT --mailserver=STR
ipa dnsrecord-nsec-add --next=STR --types=LIST
ipa dnsrecord-naptr-add --order=INT --preference=INT --flag=ENUM --service=STR
--regexp=STR --replacement=STR
ipa dnsrecord-sig-add --type=ENUM --algorithm=ENUM --labels=INT
--original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT
--signer=STR --signature=STR
ipa dnsrecord-srv-add --priority=INT --weight=INT --port=INT --target=STR
ipa dnsrecord-sshfp-add --algorithm=ENUM --type=ENUM --fingerprint=STR
ipa dnsrecord-rrsig-add --type=ENUM --algorithm=ENUM --labels=INT
--original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT
--signer=STR --signature=STR
To also support modification of current records (i.e. replacement) we can add a
"mod" equivalent, e.g.:
ipa dnsrecord-afsdb-mod --subtype=INT --hostname=STR
ipa dnsrecord-cert-mod --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
...
I think this is what WebUI guys will want.
EXAMPLE OF OPTIONS:
The available options for particular RR types will be based on RFC research I
have already done for my patch 120. Let's see how the API will look.
1) LOC record example noted in the beginning:
ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-min=11 --lat-sec=42.4
--lat-dir=N --lon-deg=16 --lon-min=36 --lon-sec=29.6 --lon-dir=E --alt=227.64
A good thing about options is that we can divide them into mandatory and optional
and provide defaults. In this case, one can enter imprecise LOC record with:
ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-dir=N --lon-deg=16
--lon-dir=E
2) Another example with CERT RR type:
CURRENT API:
ipa dnsrecord-add example.com foo --cert-rec="1 0 5
MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"
NEW API:
ipa dnsrecord-cert-add example.com foo --type=PKIX --tag=0 --algorithm=RSASHA1
--certificate=MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
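As an added illustration of the LOC case discussed above (example code written for this thread, not FreeIPA's or Martin's patch 120): a validator that maps the structured fields proposed for dnsrecord-loc-add onto the RFC 1876 text form, applies defaults for the optional fields, and rejects out-of-range values; the field names mirror the proposed options, the size/precision defaults are RFC 1876's, and the 0 m altitude default is an assumption of this example.

```python
# Added example, not part of the proposal: build/validate DNS LOC records.
# Field names mirror the proposed 'ipa dnsrecord-loc-add' options; the
# size/precision defaults come from RFC 1876, the 0 m altitude is assumed.
import re

# (lower bound, upper bound) for each field, per RFC 1876
RANGES = {"lat_deg": (0, 90), "lon_deg": (0, 180), "lat_min": (0, 59),
          "lon_min": (0, 59), "lat_sec": (0, 59.999), "lon_sec": (0, 59.999),
          "alt": (-100000.00, 42849672.95), "size": (0, 90000000.00),
          "h_precision": (0, 90000000.00), "v_precision": (0, 90000000.00)}

def loc_record(lat_deg, lat_dir, lon_deg, lon_dir, lat_min=0, lat_sec=0.0,
               lon_min=0, lon_sec=0.0, alt=0.0, size=1.0,
               h_precision=10000.0, v_precision=10.0):
    """Range-check the structured fields and return the zone-file text."""
    if lat_dir not in ("N", "S") or lon_dir not in ("E", "W"):
        raise ValueError("lat_dir must be N/S and lon_dir must be E/W")
    fields = dict(lat_deg=lat_deg, lat_min=lat_min, lat_sec=lat_sec,
                  lon_deg=lon_deg, lon_min=lon_min, lon_sec=lon_sec, alt=alt,
                  size=size, h_precision=h_precision, v_precision=v_precision)
    for name, (lo, hi) in RANGES.items():
        if not lo <= fields[name] <= hi:
            raise ValueError(f"{name}={fields[name]} outside [{lo}, {hi}]")
    return (f"{lat_deg} {lat_min} {lat_sec:g} {lat_dir} "
            f"{lon_deg} {lon_min} {lon_sec:g} {lon_dir} "
            f"{alt:.2f}m {size:g}m {h_precision:g}m {v_precision:g}m")

_NUM = r"(\d+(?:\.\d+)?)"
LOC_RE = re.compile(
    rf"^(\d+)(?:\s+(\d+)(?:\s+{_NUM})?)?\s+([NS])\s+"
    rf"(\d+)(?:\s+(\d+)(?:\s+{_NUM})?)?\s+([EW])\s+"
    rf"(-?\d+(?:\.\d+)?)m?(?:\s+{_NUM}m?(?:\s+{_NUM}m?(?:\s+{_NUM}m?)?)?)?$")

def parse_loc(text):
    """Split an RFC 1876 text LOC record into the structured option fields."""
    m = LOC_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid LOC record: {text!r}")
    g = m.groups()
    fields = dict(lat_deg=int(g[0]), lat_min=int(g[1] or 0),
                  lat_sec=float(g[2] or 0), lat_dir=g[3], lon_deg=int(g[4]),
                  lon_min=int(g[5] or 0), lon_sec=float(g[6] or 0),
                  lon_dir=g[7], alt=float(g[8]))
    for name, val, default in zip(("size", "h_precision", "v_precision"),
                                  g[9:], (1.0, 10000.0, 10.0)):
        fields[name] = float(val) if val else default
    loc_record(**fields)  # reject out-of-range values before storing
    return fields
```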