On Thu, 2011-09-15 at 10:26 +0200, Adam Tkac wrote:
> On 09/14/2011 06:18 PM, Martin Kosek wrote:
> > Attached in the txt file. If you have any comments or suggestions to
> > this proposal, please let me know.
> >
> > https://fedorahosted.org/freeipa/ticket/1766
> Your proposal seems fine to me. However, I would recommend not to expose
> routines for managing DNSSEC related records because DNSSEC is currently 
> not supported in the bind-dyndb-ldap. This doesn't mean you should 
> remove code which handles those records, just don't expose them to 
> users, please. Routines can be reused in future, when we decide how to 
> handle DNSSEC in FreeIPA.
> I checked the "dnsrecord-<rrtype>-add" list below and DNSSEC related 
> records are DS, KEY, NSEC, RRSIG, SIG.
> Regards, Adam

Since we don't know how DNSSEC records will be handled, I would rather
not implement the methods now and then reimplement them.

When I was implementing DNS validators in patch 120 I noticed we provide
an API to add many RR types that are not supported via bind-dyndb-ldap at
all. Any attempt to add them ends with missing LDAP schema attribute

Since the new API is targeted for a new FreeIPA major release I wouldn't
be afraid to remove all these RR types from our API (they don't work

This applies to these RR types: APL, DHCID, DLV, DNSKEY, HIP, IPSECKEY,

IMO, we should then add there RR types _only_ when they are supported by

