[Freeipa-devel] Structured DNS record API proposal

Martin Kosek mkosek at redhat.com
Wed Sep 14 16:18:40 UTC 2011


Attached in the txt file. If you have any comments or suggestions to
this proposal, please let me know.

https://fedorahosted.org/freeipa/ticket/1766

This is a proposal for a per-DNS-type API in FreeIPA.

There are many structured DNS RR types where the DNS data is not just an IP address or a domain name, but an (often complex) data structure. An example of adding a structured DNS RR (LOC in this case):

ipa dnsrecord-add example.com @ --loc-rec "49 11 42.4 N 16 36 29.6 E 227.64m"

It may be difficult to enter such a DNS record into FreeIPA without making an error (which would lead to an invalid zone in this case). For this reason, I have created at least basic validators in my patch 120 (ticket 1106).

GOAL:
Create API useful for both CLI and WebUI capable of creating these structured DNS types

CURRENT API:
ipa dnsrecord-add    Add new DNS resource record.
ipa dnsrecord-del    Delete DNS resource record.
ipa dnsrecord-find   Search for DNS resources.
ipa dnsrecord-mod    Modify a DNS resource record.
ipa dnsrecord-show   Display DNS resource.

PROPOSED API IMPROVEMENT:
The proposed API for all supported structured DNS types follows:

ipa dnsrecord-afsdb-add --subtype=INT --hostname=STR
ipa dnsrecord-cert-add --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
ipa dnsrecord-ds-add --tag=INT --algorithm=ENUM --type=ENUM --digest=STR
ipa dnsrecord-key-add --flags=LIST --protocol=INT --algorithm=ENUM --digest=STR
ipa dnsrecord-kx-add --preference=INT --exchanger=STR
ipa dnsrecord-loc-add --lat-deg=INT --lat-min=INT --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT --v-precision=FLOAT
ipa dnsrecord-mx-add --priority=INT --mailserver=STR
ipa dnsrecord-nsec-add --next=STR --types=LIST
ipa dnsrecord-naptr-add --order=INT --preference=INT --flag=ENUM --service=STR --regexp=STR --replacement=STR
ipa dnsrecord-sig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR
ipa dnsrecord-srv-add --priority=INT --weight=INT --port=INT --target=STR
ipa dnsrecord-sshfp-add --algorithm=ENUM --type=ENUM --fingerprint=STR
ipa dnsrecord-rrsig-add --type=ENUM --algorithm=ENUM --labels=INT --original-ttl=INT --sig-expiration=INT --sig-inception=INT --tag=INT --signer=STR --signature=STR

To also support modification of existing records (i.e. replacement) we can add a "mod" equivalent, e.g.:
ipa dnsrecord-afsdb-mod --subtype=INT --hostname=STR
ipa dnsrecord-cert-mod --type=ENUM --tag=INT --algorithm=ENUM --certificate=STR
...

I think this is what WebUI guys will want.


EXAMPLE OF OPTIONS:
The available options for particular RR types will be based on the RFC research I have already done for my patch 120. Let's see how the API will look.

1) The LOC record example noted in the beginning:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-min=11 --lat-sec=42.4 --lat-dir=N --lon-deg=16 --lon-min=36 --lon-sec=29.6 --lon-dir=E --alt=227.64

A good thing about options is that we can divide them into mandatory and optional ones and provide defaults. In this case, one can enter an imprecise LOC record with:

ipa dnsrecord-loc-add example.com @ --lat-deg=49 --lat-dir=N --lon-deg=16 --lon-dir=E
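To show what the structured options buy us over the single string, here is an added example (not FreeIPA code, written for this note) that maps the current --loc-rec string onto the proposed --lat-deg/--lon-dir style options, applies the RFC 1876 ranges and defaults, and renders the validated zone-file form; the "size" option is an assumption for the RR field the option list above does not cover.

```python
import re
# Ranges and defaults follow RFC 1876 (size 1m, hp 10000m, vp 10m are the RFC
# defaults); option names mirror the proposed dnsrecord-loc-add options.
# Assumption: a "size" option exists for the RR's size field (not in the proposal).
_LIMITS = {"lat_deg": (0, 90), "lat_min": (0, 59), "lat_sec": (0.0, 59.999),
           "lon_deg": (0, 180), "lon_min": (0, 59), "lon_sec": (0.0, 59.999),
           "alt": (-100000.0, 42849672.95), "size": (0.0, 90000000.0),
           "h_precision": (0.0, 90000000.0), "v_precision": (0.0, 90000000.0)}
_DEFAULTS = {"lat_min": 0, "lat_sec": 0.0, "lon_min": 0, "lon_sec": 0.0, "alt": 0.0,
             "size": 1.0, "h_precision": 10000.0, "v_precision": 10.0}
_REQUIRED = ("lat_deg", "lat_dir", "lon_deg", "lon_dir")
_FIELDS = ("lat_deg", "lat_min", "lat_sec", "lat_dir", "lon_deg", "lon_min",
           "lon_sec", "lon_dir", "alt", "size", "h_precision", "v_precision")
# Single-string form: d [m [s]] N|S d [m [s]] E|W alt[m] [size[m] [hp[m] [vp[m]]]]
_NUM = r"(\d+(?:\.\d+)?)m?"
_LOC_RE = re.compile(r"^(\d+)(?: (\d+)(?: (\d+(?:\.\d+)?))?)? ([NS]) "
                     r"(\d+)(?: (\d+)(?: (\d+(?:\.\d+)?))?)? ([EW]) "
                     r"(-?\d+(?:\.\d+)?)m?(?: %s(?: %s(?: %s)?)?)?$" % (_NUM, _NUM, _NUM))

def _fmt(x):
    # Float without trailing zeros: 42.4 -> '42.4', 1.0 -> '1'
    return ("%.3f" % x).rstrip("0").rstrip(".")

def loc_record(**opts):
    """Validate structured LOC options and return the zone-file text form."""
    missing = [r for r in _REQUIRED if r not in opts]
    if missing:
        raise ValueError("missing required option(s): %s" % ", ".join(missing))
    v = dict(_DEFAULTS, **opts)  # optional fields fall back to RFC defaults
    if v["lat_dir"] not in ("N", "S") or v["lon_dir"] not in ("E", "W"):
        raise ValueError("lat-dir must be N or S, lon-dir must be E or W")
    for name, (lo, hi) in _LIMITS.items():
        if not lo <= v[name] <= hi:  # reject before it can reach the zone
            raise ValueError("%s=%r outside [%s, %s]" % (name, v[name], lo, hi))
    return "%d %d %s %s %d %d %s %s %sm %sm %sm %sm" % (
        v["lat_deg"], v["lat_min"], _fmt(v["lat_sec"]), v["lat_dir"],
        v["lon_deg"], v["lon_min"], _fmt(v["lon_sec"]), v["lon_dir"],
        _fmt(v["alt"]), _fmt(v["size"]), _fmt(v["h_precision"]), _fmt(v["v_precision"]))

def parse_loc(text):
    """Split the current single-string --loc-rec form into the structured options."""
    m = _LOC_RE.match(text.strip())
    if not m:
        raise ValueError("malformed LOC record: %r" % text)
    opts = {}
    for name, raw in zip(_FIELDS, m.groups()):
        if raw is not None:  # absent optional fields keep their defaults
            opts[name] = raw if name.endswith("_dir") else (
                int(raw) if name.endswith(("_deg", "_min")) else float(raw))
    return opts
```

Running the string from the first example through parse_loc and back through loc_record yields the same record with the RFC default precision fields appended; a latitude of 91 degrees or a direction other than N/S/E/W is rejected before anything is written.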


2) Another example with CERT RR type:

CURRENT API:
ipa dnsrecord-add example.com foo --cert-rec="1 0 5 MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"

NEW API:
ipa dnsrecord-cert-add example.com foo --type=PKIX --tag=0 --algorithm=RSASHA1 --certificate="MIIDfzCCAuigAwIBAgIKcYxqqAAAAAAAFzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpVTS1BTUFMR0ExMB4XDTEwMDYwMTE3NTM1NVoXDTExMDYwMTE4MDM1NVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEMMAoG"


