#3726 [RFE] ipa-dns-install needs a --uninstall option
Closed: wontfix 5 years ago Opened 10 years ago by purpleidea.

Hi

I noticed there is an ipa-dns-install which seems to be useful if you didn't ipa-server-install --setup-dns (I'm assuming they're equivalent). Once you do this, it changes the webui look slightly by adding a DNS section, and requiring --force when adding hosts if you don't specify an IP. (afaict)

There is also ipa-server-install --uninstall which removes everything. It would be particularly useful to have a similarly named ipa-dns-install --uninstall to remove just the DNS part without requiring a full reinstall.

I am requesting this feature so that the ipa-puppet module (which I am currently working on) will be able to enable and disable dns, with the flip of a flag. Currently it can only enable it. Is this feature essential? No, but it would be nice. I imagine it would probably be pretty easy to add.

If you'd like to make the ipa-puppet module better, ipa needs to be patched to support this.

Cheers,
James


Hello James, what exactly should the uninstaller do in your opinion? Uninstall DNS service on given host? Note that the DNS tree in IPA LDAP would be still there (as the host where you remove DNS data does not have to be the only host that uses it) so the Web UI would still show the DNS tab.

DNS service is crucial for any network and for IPA infrastructure as well. So careless removal of DNS service or data could create a lot of grief, so I am just being careful here.

Hi mkosek,

Well, pragmatically speaking, it should probably do the opposite of whatever the dns install command does, however I'm not sure of everything that happens. I'm not yet comfortable enough with the internals to know everything that's going on, so perhaps my comments are wrong.

Functionally I know that installing with --setup-dns (versus not) changes the look of IPA and to a certain extent, its behaviour. In particular, I noticed the --force behaviour as I had mentioned above. This causes at least a little gotcha in my puppet module, but I'm able to work around it.

I also opened: https://fedorahosted.org/freeipa/ticket/3725 which relates to DNS. So far with only a few weeks of using IPA, I like it quite a lot, however something feels a bit awkward when it comes to the DNS parts.

I'll be publishing the first parts of my puppet module shortly, so if you're comfortable with that sort of code you're welcome to have a look and try and see what I mean. I was having trouble working out how DNS settings should get glued together. I got the feeling once that similar to how there are ipa-host and ipa-x commands, there could even be a separate ipa-dns system, instead of tacking it on to host(?) But I'd have to think more on it. It would probably make sense to review my other ticket and see if they relate.

I agree about DNS being crucial, however it's also crucial to let the admin tell ipa dns to step out of the way if needed. Without the multiview changes I proposed, I see DNS being useful with IPA for small setups, but done separately for anything more complex.

Feel free to write me here, by email or IRC if I can be helpful in some way.

Cheers,
James

ipa-dns-install creates a container in LDAP and pre-populates it with a forward (and optionally reverse) zone.

To reverse that would be to delete data, is that what you're suggesting?

The tab (and dns commands) key on the existence of the DNS container. That can change, but right now there is no enable/disable option.

I don't know why someone would want to turn a DNS server on or off though. From a client perspective, if you don't want to use the IPA DNS server, then don't configure resolv.conf to point to it.

This request seems to have the merit of completeness but not much beside it. Deleting data once it is in there does not seem like something we want to do. Enabling DNS is sort of a one-way ticket. You either do not configure it or, if it is configured but you do not need it, you do not use it.
I suggest we put this ticket in the deferred bucket and if there is someone who wants to contribute enable/disable DNS functionality we will consider it. But for now it seems like a very low priority requirement.

Replying to [comment:5 dpal]:

> This request seems to have the merit of completeness but not much beside it. Deleting data once it is in there does not seem like something we want to do. Enabling DNS is sort of a one-way ticket. You either do not configure it or, if it is configured but you do not need it, you do not use it.
> I suggest we put this ticket in the deferred bucket and if there is someone who wants to contribute enable/disable DNS functionality we will consider it. But for now it seems like a very low priority requirement.

I definitely agree about the low priority requirement. To cause data deletion maybe a --delete flag would need to be added onto the --uninstall?

In any case, as promised, I've published a first version of my puppet-ipa module: https://github.com/purpleidea/puppet-ipa

Cheers,
James

Metadata Update from @purpleidea:
- Issue assigned to someone
- Issue set to the milestone: Tickets Deferred

7 years ago

Thank you for taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
