#4424 [RFE] IPA servers when installed should register themselves in the external DNS
Opened 9 years ago by dpal. Modified 6 years ago

When IPA is installed in the environment managed by some other DNS server and IPA DNS is not used then IPA should update its DNS entries in this external DNS during installation.

This is what Simo suggested on the matter:

We should make IPA servers send update requests to create/store SRV/TXT/other
records needed by FreeIPA itself to a separate DNS infrastructure. This is
missing. The framework can use TSIG (not necessarily GSS-TSIG) updates to a different DNS server when replicas are added/removed/changed.


BTW AD doesn't support plain TSIG, only GSS-TSIG. IMHO GSS-TSIG support would be a very good start. I think that technically we could re-use the replica keytab in the case where an IPA-AD trust is in place, so we don't need to invent any new mechanism for credential storage etc.

In IPA-AD case we simply need hooks in IPA installer to run the update with local keytab.

Some time ago I was proposing a second variant of the "DNS plugin" (for the IPA framework) which would do normal RFC 2136/3007 updates instead of writing to LDAP. That would eliminate the need to add hacks and various hooks to the IPA installers.

We should also check what other DNS vendors use. It was mentioned that this feature might need to be inter-operable with Infoblox.

This is technically a duplicate of the older #3701, but I will close the older ticket because this one is formulated more broadly.

Making Petr the feature owner for now; this could be a good target after the DNSSEC efforts.

Worked on by pspacek.

We do not have the secret sharing mechanism ready yet, so this is unlikely to happen this release. Moving to the next one.

#5620 will make implementation of this ticket easier.

Proper integration with external DNS will require proper name->zone mapping.
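An added example (not FreeIPA's own code) of what the RFC 2136 update path with plain TSIG discussed above would put on the wire, including the name->zone mapping mentioned here: it uses only the Python standard library to pick the external zone for a replica, build the SRV records the replica advertises, assemble an UPDATE message and sign it with hmac-sha256 TSIG (RFC 2845). The hostname, zones, key name and secret are constructed, the SRV set is assumed, and GSS-TSIG (the AD case) is not covered.

```python
import hashlib, hmac, struct, time

def encode_name(name):  # DNS wire-format name: length-prefixed labels, zero terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".") if l) + b"\x00"

def zone_for(name, zones):  # name->zone mapping: longest configured zone that is a suffix
    name = name.strip(".").lower()
    hits = [z for z in zones if name == z.lower() or name.endswith("." + z.lower())]
    if not hits:
        raise ValueError("no configured zone matches %s" % name)
    return max(hits, key=len)

def srv_rr(owner, port, target, ttl=3600, priority=0, weight=100):  # SRV, type 33, class IN
    rdata = struct.pack("!HHH", priority, weight, port) + encode_name(target)
    return encode_name(owner) + struct.pack("!HHIH", 33, 1, ttl, len(rdata)) + rdata

def ipa_srv_records(hostname, zone):  # the SRV set an IPA server advertises (assumed here)
    services = [("_ldap._tcp", 389), ("_kerberos._tcp", 88), ("_kerberos._udp", 88),
                ("_kpasswd._tcp", 464), ("_kpasswd._udp", 464)]
    return [srv_rr("%s.%s" % (svc, zone), port, hostname) for svc, port in services]

def build_update(msg_id, zone, rrs):  # RFC 2136 UPDATE: opcode 5, ZO=1, PR=0, UP=n, AD=0
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, len(rrs), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)  # zone as SOA, IN
    return header + zone_section + b"".join(rrs)

def _tsig_times(now, fudge):  # 48-bit "time signed" followed by 16-bit fudge
    return struct.pack("!HIH", now >> 32, now & 0xFFFFFFFF, fudge)

def tsig_mac(msg, keyname, secret, now, fudge=300):  # RFC 2845 request MAC
    variables = (encode_name(keyname) + struct.pack("!HI", 255, 0)  # key name, class ANY, TTL 0
                 + encode_name("hmac-sha256") + _tsig_times(now, fudge)
                 + struct.pack("!HH", 0, 0))  # error 0, other-len 0
    return hmac.new(secret, msg + variables, hashlib.sha256).digest()  # covers whole message

def tsig_sign(msg, keyname, secret, now=None, fudge=300):  # append TSIG RR (type 250), bump ARCOUNT
    now = int(time.time()) if now is None else now
    mac = tsig_mac(msg, keyname, secret, now, fudge)
    rdata = (encode_name("hmac-sha256") + _tsig_times(now, fudge) + struct.pack("!H", len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other-len
    rr = encode_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

if __name__ == "__main__":  # constructed sample: one replica, two candidate external zones
    host = "ipa1.lab.example.com"
    zone = zone_for(host, ["example.com", "lab.example.com"])
    update = build_update(0x1234, zone, ipa_srv_records(host, zone))
    wire = tsig_sign(update, "ipa-ext-key", b"constructed-secret")  # key shared with external DNS
    print("%d-byte signed UPDATE for zone %s, ready for port 53" % (len(wire), zone))
```

The server verifying the request recomputes the same HMAC over the message minus the TSIG RR plus the same variables, so a wrong key, a tampered record or a stale timestamp outside the fudge window is rejected before the zone is touched.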

Metadata Update from @dpal:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5 backlog

6 years ago

Metadata Update from @mbasti:
- Assignee reset

6 years ago

Metadata Update from @mbasti:
- Issue assigned to mbasti

6 years ago

Metadata Update from @mbasti:
- Assignee reset

6 years ago

