On 07/08/2015 04:31 AM, Petr Spacek wrote:
On 1.7.2015 17:12, Rich Megginson wrote:
On 07/01/2015 09:10 AM, Petr Spacek wrote:
On 1.7.2015 16:43, Rich Megginson wrote:
How much work would it be to support IPA as an AXFR/IXFR client or server with
Designate?  Right now, their miniDNS component only supports being a master
and sending updates via AXFR, but they have IXFR support planned.
I need to read more about it. Could you please point me to some comprehensive
docs about Designate?


Designate in setups with mini-DNS acts as DNS master server, i.e. the only
source of DNS data/truth. Currently FreeIPA can act only as master, too, which
is not possible.

By "master" do you mean "unable to accept AXFR/IXFR from another server"?

I can see several alternatives:

A) Add support for slave zones to FreeIPA.
It should be relatively easy and I guess doable in Fedora 23 time frame if it
gets appropriate priority.

For plain/insecure DNS zones it will allow us to use FreeIPA in place of any
other DNS server but the added value will be negligible because FreeIPA acting
as a slave cannot change the data.

The real added value could be the ability of FreeIPA to DNSSEC-sign zones and
do the DNSSEC key management. I believe that we should be able to re-use
machinery we implemented for master zones in FreeIPA so DNSSEC signing for
slave zones should be almost 'for free'.

When implemented, FreeIPA could become the easiest way how to secure DNS in
Designate with DNSSEC technology even in cases where all the data are managed
by Designate API.

This sounds interesting. This seems like it would fit in with the typical OpenStack use case - create a new host, assign it a hostname in a sub-zone.

B) We can avoid implementing slave zones by using 'agent':

If I'm not mistaken, this is what you implemented last year.

I implemented support in Designate for a FreeIPA backend which used the JSON HTTPS API to send updates from Designate to FreeIPA.
Designate has deprecated support for backends.

The agent approach is basically putting a "mini-DNS"-like daemon on each system which can accept AXFR from Designate. This agent would then use the backend code I developed to send the data to FreeIPA.

C) We can say that combining FreeIPA DNS and Designate does not make sense and
drop what you did last year.

It was already dropped when the backend approach was deprecated.

In current architecture it really does not add
any value *unless* we add DNSSEC to the mix.

D) Integrate IPA installers with Designate API.
This is somehow complementary to variants A (and C) and would allow us to
automatically add DNS records required by FreeIPA to Designate during FreeIPA
installation and replica management.

I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and store it in Designate. That would be a good place to start.

In my opinion variants A+D are the best way to move forward. What do you think?

If we could change Designate in some way to work better with FreeIPA, what would you propose?

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to