[Freeipa-devel] [PATCH] 0017 Integrate realmdomains with IPA DNS

Ana Krivokapic akrivoka at redhat.com
Fri Apr 12 10:20:02 UTC 2013


On 04/11/2013 03:03 PM, Alexander Bokovoy wrote:
> On Thu, 11 Apr 2013, Ana Krivokapic wrote:
>> On 04/11/2013 01:43 PM, Alexander Bokovoy wrote:
>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>> On 11.4.2013 13:24, Alexander Bokovoy wrote:
>>>>> On Thu, 11 Apr 2013, Petr Spacek wrote:
>>>>>> On 11.4.2013 13:09, Ana Krivokapic wrote:
>>>>>>> Integrate realmdomains with IPA DNS
>>>>>>>
>>>>>>> Add an entry to realmdomains when a DNS zone is added to IPA.
>>>>>>> Delete the related entry from realmdomains when the DNS zone is
>>>>>>> deleted from IPA.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3544
>>>>>>
>>>>>> I would add a TXT record as I described in
>>>>>> https://fedorahosted.org/freeipa/ticket/3544#comment:8
>>>>>>
>>>>>> This integration probably should go to both commands, realmdomains-*
>>>>>> dnszone-*.
>>>>>>
>>>>>> Any objections? AB?
>>>>> Adding TXT record is probably harmless.
>>>>>
>>>>> I would actually add the TXT record creation only to realmdomains-*
>>>>> and trigger it only in case we manage our DNS and DNS zone is there.
>>>>> This way a hook from dnszone-add will trigger adding TXT record back
>>>>> (via call to realmdomains-mod --add and then TXT record addition from
>>>>> there). Also the fact that admin added manually some domain to
>>>>> realmdomains mapping means that it is implied to be used in obtaining
>>>>> TGTs, so TXT record is helpful there as well.
>>>>
>>>> Okay, it makes sense. We will see how it will work in reality.
>>>
>>> One more thing to check is that we don't do this for our own domain.
>>>
>>
>> Our own domain is already in realmdomains by default, and it cannot be
>> removed from there. So I don't think any check related to our domain is
>> necessary.
> We shouldn't start creating TXT records for our own domain, that's what
> I'm asking for here.
>
> Think about server install stage -- we start creating our own domain and
> the hook then causes a realmdomains entry to be created for the domain,
> causing realmdomains-mod code to raise ValidationError which is not
> handled in dnszone-add code with this patch.
>
> Same for TXT record creation starting from realmdomains-mod side -- it
> simply should avoid calling dnsrecord-add for the case we know wouldn't
> work.
>

I just realized that this ticket was not marked as RFE although it 
obviously is one. I fixed the ticket summary and wrote the design page 
for this enhancement:

http://www.freeipa.org/page/V3/DNS_realmdomains_integration

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
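
As an added illustration (not code from this thread, and not FreeIPA's own plugin code), a small Python model of the dnszone-add / realmdomains-mod interplay discussed above: the own-domain and reverse-zone guard in dnszone-add, the ValidationError that realmdomains-mod raises for the IPA domain, and the TXT record being created only when IPA manages the zone. The `_kerberos` TXT record name, the `Ipa` class and the sample domain and realm are assumptions.

```python
from dataclasses import dataclass, field


class ValidationError(Exception):
    """Realm-domains change rejected, e.g. touching the IPA domain itself."""


@dataclass
class Ipa:
    """Toy model of the state the two commands operate on (not FreeIPA's API)."""
    domain: str                      # the server's own DNS domain (constructed)
    realm: str                       # Kerberos realm name (constructed)
    realmdomains: set = field(default_factory=set)
    zones: dict = field(default_factory=dict)   # zone -> {owner: [(type, data)]}

    def __post_init__(self):
        self.realmdomains.add(self.domain)      # own domain is always a realm domain

    def realmdomains_mod(self, add_domain=None, del_domain=None):
        """Edit realm domains; keep the _kerberos TXT record (assumed name) in step."""
        if add_domain is not None:
            if add_domain == self.domain or add_domain in self.realmdomains:
                raise ValidationError(f"{add_domain} is already a realm domain")
            self.realmdomains.add(add_domain)
            if add_domain in self.zones:        # only when IPA manages that zone's DNS
                self.zones[add_domain].setdefault("_kerberos", []).append(("TXT", self.realm))
        if del_domain is not None:
            if del_domain == self.domain:
                raise ValidationError("the IPA domain cannot be removed from realm domains")
            self.realmdomains.discard(del_domain)
            if del_domain in self.zones:
                self.zones[del_domain].pop("_kerberos", None)

    def dnszone_add(self, zone):
        """Create a zone; hook realmdomains except for our own domain and reverse zones."""
        self.zones[zone] = {}
        if zone == self.domain or zone.endswith(".arpa"):
            return                               # install-time own zone: no realmdomains call
        try:
            self.realmdomains_mod(add_domain=zone)
        except ValidationError:
            pass                                 # admin already listed the domain: nothing to do

    def dnszone_del(self, zone):
        """Delete a zone; drop the matching realm domain first, skipping our own domain."""
        if zone != self.domain:
            self.realmdomains_mod(del_domain=zone)
        del self.zones[zone]
```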



