On 10/01/2013 09:11 AM, Petr Spacek wrote:
Hello list,

we would like to get more details about DNS views and how you use them
in real life. Also, any idea of how a user interface should work is more
than welcome!

(If you don't know views, read it as "differentiate the answer to a DNS
query on the basis of the client's IP address".)


Questions are:
- For what purpose do you use views?
E.g. handling clients inside/outside of company network (e.g. hiding
internal names); Selecting nearest server in a big network; Some other
weird 'Cloud' scenarios etc. etc.

- How many views do you use?

- Do you share some data between views? How did you solve that? Do you
use some user interface for that?

- Do you use DNS updates? (nsupdate/RFC 2136/RFC 3007)

Previous discussions about DNS views:
https://www.redhat.com/archives/freeipa-users/2012-April/msg00070.html
https://www.redhat.com/archives/freeipa-devel/2012-May/msg00208.html

Related tickets & bugs:
https://fedorahosted.org/freeipa/ticket/2802
https://bugzilla.redhat.com/show_bug.cgi?id=815621
https://fedorahosted.org/freeipa/ticket/3725
https://fedorahosted.org/bind-dyndb-ldap/ticket/69


The next step will be to design LDAP schema for DNS data with views ...

I can see three basic options:

1) Forgo any data sharing, which will make the thing pretty easy :-)
In that case 'view1' will be represented by one sub-tree in LDAP,
'view2' will be another sub-tree etc.

2) Select one sub-tree which will be 'the base' containing all shared
records. All other views will inherit and override data from the shared
'base'.

3) Make it as general as possible and allow multiple levels of
inheritance. View3 inherits from View2 and it inherits from Base.
(View3 <- View2 <- Base)

It is basically a generalized variant of (2), but it could require a
different LDAP schema.


Please post your opinions!


We use split-horizon, or DNS views, very simply. We have an internal view and an external view.

I am not really sure if I buy into the whole security aspect of views; however, with NAT it seems pointless to publish all of your non-routable records out there in the world. Hence internal and external.

I have spoken with other organizations that have many views (a view for the Tokyo office, a view for the Beijing office, etc.); however, for the most part they are all trying to get to a simpler internal-and-external-only setup to save their sanity.

I do share data between views. In my zone I have a common file of all data that is going to be in both views, which is then included in the respective view files. It just makes it simpler to edit it in one place. And in fact, in our case the common file is the external view, as the internal view only adds entries. If that makes sense.

The zones are all dynamic in my case; this just simplifies key management for DNSSEC, as I allow BIND to handle most of the work. So yes, I use DNS updates. However, for the most part what I end up doing is freezing the zone/view, editing the file, and then thawing the zone/view. However, my needs are very modest.

Views and DNSSEC are the only two reasons why I don't use the integrated DNS that is part of IPA. Y'all fix these two and you got me :).

I can't speak much for the LDAP layout, y'all are better than me in that regard. But the above is my general usage scenario.

-Erinn
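The setup Erinn describes (an internal and an external view of the same zone, the public records kept in one file that the internal view includes, dynamic zones signed by BIND) looks roughly like the named.conf below. This is an added example, not configuration from the thread or from the FreeIPA/bind-dyndb-ldap projects; the zone name, address ranges, file names and the TSIG key are all assumptions.

```conf
# Added example (not from the original thread): minimal BIND 9 named.conf with
# an internal and an external view of example.com. Every name, network and key
# below is a placeholder chosen for illustration.

# Assumed "inside" networks; RFC 1918 space plus loopback.
acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8; ::1; };

# TSIG key for RFC 2136 updates from internal hosts. The secret is a
# placeholder (base64 of a harmless string), not real key material.
key "update-key" {
    algorithm hmac-sha256;
    secret "aGVsbG8gd29ybGQsIHRoaXMgaXMgbm90IGEgcmVhbCBrZXk=";
};

options {
    directory "/var/named";
    listen-on { any; };
    allow-query { any; };
};

# Views are evaluated in order and the first match-clients hit wins, so the
# restrictive internal view must be listed before the catch-all external one.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;                      # resolver service for inside clients only
    allow-recursion { internal-nets; };

    zone "example.com" {
        type master;
        # Contains '$INCLUDE "example.com.external"' followed by the
        # private (non-routable) records that only inside clients see.
        file "example.com.internal";
        allow-update { key "update-key"; };   # nsupdate with the TSIG key above
        auto-dnssec maintain;                 # let named manage DNSSEC signing
        inline-signing yes;
    };
};

view "external" {
    match-clients { any; };
    recursion no;                       # never an open resolver towards the Internet
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "example.com.external";    # public records only; this is the shared file
        allow-update { none; };
        auto-dnssec maintain;
        inline-signing yes;
    };
};
```

Check the result with `named-checkconf -z` before reloading. The freeze/edit/thaw cycle from the message is per view: `rndc freeze example.com IN internal`, edit the file, then `rndc thaw example.com IN internal`. One caveat with the shared-include approach: when named writes a master file back to disk (which it does on `rndc freeze` or `rndc sync` for a zone that has accepted dynamic updates), it emits the zone in canonical form and the `$INCLUDE` directive is flattened into a copy of the records, so the "edit in one place" property only holds as long as the included file is not one that named itself rewrites. The other point worth checking after any change is the view order: swapping the two `view` blocks would silently hand internal clients the external data, and an external view with `recursion yes` is an open resolver.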

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users