On Thu, 2011-09-15 at 10:26 +0200, Adam Tkac wrote:
> On 09/14/2011 06:18 PM, Martin Kosek wrote:
> > Attached in the txt file. If you have any comments or suggestions to
> > this proposal, please let me know.
> >
> > https://fedorahosted.org/freeipa/ticket/1766
> 
> Your proposal seems fine for me. However I would recommend not to expose 
> routines for managing DNSSEC related records because DNSSEC is currently 
> not supported in the bind-dyndb-ldap. This doesn't mean you should 
> remove code which handles those records, just don't expose them to 
> users, please. Routines can be reused in future, when we decide how to 
> handle DNSSEC in FreeIPA.
> 
> I checked the "dnsrecord-<rrtype>-add" list below and DNSSEC related 
> records are DS, KEY, NSEC, RRSIG, SIG.
> 
> Regards, Adam

Since we don't know how DNSSEC records will be handled, I would rather
don't implement the methods now and then reimplement them.

When I was implementing DNS validators in patch 120 I noticed we provide
API to add many RR types that are not supported via bind-dyndb-ldap at
all. Any attempt to add them ends with missing LDAP schema attribute
error.

Since the new API is targeted for new FreeIPA major release I wouldn't
be afraid to remove all these RR types from our API (they don't work
anyway).

This applies to these RR types: APL, DHCID, DLV, DNSKEY, HIP, IPSECKEY,
NSEC3, NSEC3PARAM, RP, TA, TKEY, TSIG.

IMO, we should then add there RR types _only_ when they are supported by
bind-dyndb-ldap.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to