On 09/16/2011 09:51 AM, Martin Kosek wrote:
On Thu, 2011-09-15 at 10:26 +0200, Adam Tkac wrote:

Your proposal seems fine to me. However I would recommend not to expose
routines for managing DNSSEC related records because DNSSEC is currently
not supported in the bind-dyndb-ldap. This doesn't mean you should
remove code which handles those records, just don't expose them to
users, please. Routines can be reused in future, when we decide how to
handle DNSSEC in FreeIPA.

I checked the "dnsrecord-<rrtype>-add" list below and DNSSEC related
records are DS, KEY, NSEC, RRSIG, SIG.

Regards, Adam

Since we don't know how DNSSEC records will be handled, I would rather
not implement the methods now and then reimplement them.

When I was implementing DNS validators in patch 120 I noticed we provide
API to add many RR types that are not supported via bind-dyndb-ldap at
all. Any attempt to add them ends with missing LDAP schema attribute
error.

Since the new API is targeted for new FreeIPA major release I wouldn't
be afraid to remove all these RR types from our API (they don't work
anyway).

This applies to these RR types: APL, DHCID, DLV, DNSKEY, HIP, IPSECKEY,
NSEC3, NSEC3PARAM, RP, TA, TKEY, TSIG.

IMO, we should then add there RR types _only_ when they are supported by
bind-dyndb-ldap.

Ack, this is the best for now.

Regards, Adam

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
