#3725 [RFE] Multiview DNS in BIND
Closed: Duplicate None Opened 10 years ago by purpleidea.

Hi there,

I hope I've filed this right. This was done in response to a request by: pspacek_

10:11 < pspacek_> purpleidea: BTW, it would be great if you can send your RFE 
                  via usual support channel. It would allow us to prioritize 
                  things accordingly.

Okay:

FreeIPA can manage DNS, which is a great feature because most sane sysadmins don't like managing DNS. Sadly, however, only fairly straightforward BIND configurations are supported. If more diverse options were available, more devops teams might be able to use this instead of their existing configs.

The particular use case that I am considering is that of multiview DNS. In my particular scenario, a given hostname (foo.example.com) will return a different IP address based on the network that it's in. Usually this is done with ACL matching. In particular this matters for the IPA host and certain servers, so that 'ipa.example.com' returns the IP that corresponds to the network that foo.example.com asks from. Usually, each of these networks is a different rfc1912 zone, but there are other use cases too.

I believe the end result is that instead of each host having a single IP address assigned to it, it will have a dictionary of key=>value ... zones=>ipaddresses instead. Maybe the structure needs to be more complicated, but I doubt it needs more than that plus a few extra flags.

Here is a snippet from one puppet module to demonstrate usage:

<code>

// view: <%= name %>
acl "acl-<%= name %>" {
<% match.each do |i| -%>
    <%= i %>;
<% end -%>
};

view "<%= name %>" {
    // built-in acls include: none; localhost; localnets; any;
    // match-clients (source IP) vs. match-destinations (destination IP)
    match-clients { acl-<%= name %>; };
    //match-destinations { acl-<%= name %>; };
    recursion <%= recursion_bool %>;
    include "/etc/named.root.hints";
<% if match == ['localhost'] -%>
    include "/etc/named.rfc1912.zones"; // only needed for localhost
<% end -%>
<% if zones != [] -%>
    // get each zone from a separate file
<% zones.sort.each do |zone| -%>
    include "/etc/named/<%= zone %>.zone.conf";
<% end -%>
<% end -%>
};

</code>

At the outset this might look like a difficult, non-trivial enhancement; however, with a lean design, I think it would be quite easy for an experienced DNS wrangler to integrate this into FreeIPA. I would recommend initially only targeting command line usage.

I would be happy to consult on this, and provide accompanying code for my upcoming puppet-ipa module.

I'd like to add that I enjoyed the list of milestones! As such, I'd probably be willing to offer beer to hackers for this feature to come out sane.

Cheers,
James
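
The view-selection behaviour the ticket relies on, as an added example that is not part of the original ticket, the FreeIPA project, or the poster's puppet-ipa module. It models the proposed per-host "zones=>ipaddresses" dictionary, applies BIND's match-clients semantics (views are tried in declaration order, the first ACL match wins, a `!`-negated element that matches means "no match"), flags views that an earlier catch-all `any` view makes unreachable, and renders the same acl/view skeleton the Puppet template above produces. View names, networks, hostnames, addresses and zone-file paths are constructed for the example; `localnets` is not modelled because it depends on the server's interfaces.

```python
import ipaddress

# Constructed sample data for this example (not from the ticket).
# BIND evaluates views in declaration order and answers from the first view
# whose match-clients ACL matches the query source, so the catch-all view
# must be declared last.
VIEWS = [
    ("internal", ["10.0.0.0/8", "192.168.0.0/16"]),
    ("dmz",      ["!203.0.113.13", "203.0.113.0/24"]),  # one host excluded
    ("external", ["any"]),
]

# The per-host "dictionary of zones=>ipaddresses" the ticket proposes:
# hostname -> {view name -> address a client in that view should see}.
HOSTS = {
    "ipa.example.com": {"internal": "10.0.0.5",
                        "dmz": "203.0.113.5",
                        "external": "198.51.100.5"},
    "foo.example.com": {"internal": "10.0.0.10",
                        "external": "198.51.100.10"},
}

# Built-in ACL names BIND provides; 'localnets' is omitted (assumption:
# it needs the server's interface list, which this example does not have).
BUILTIN_ACLS = {"localhost": ["127.0.0.0/8", "::1/128"]}


def acl_matches(acl, client_ip):
    """BIND ACL semantics: the first element matching the address decides;
    a '!'-negated element that matches means the ACL does not match."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        negate = entry.startswith("!")
        elem = entry[1:] if negate else entry
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem in BUILTIN_ACLS:
            hit = acl_matches(BUILTIN_ACLS[elem], client_ip)
        else:
            # Single address or CIDR prefix; mixed IPv4/IPv6 never matches.
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False


def select_view(client_ip, views=VIEWS):
    """Name of the first view whose ACL matches, or None (BIND: REFUSED)."""
    for name, acl in views:
        if acl_matches(acl, client_ip):
            return name
    return None


def resolve(hostname, client_ip, hosts=HOSTS, views=VIEWS):
    """Address a client at client_ip gets for hostname, or None when the
    host has no record in the selected view (NXDOMAIN there)."""
    view = select_view(client_ip, views)
    if view is None:
        return None
    return hosts.get(hostname, {}).get(view)


def shadowed_views(views=VIEWS):
    """Views that can never be selected because an earlier view's ACL
    contains a non-negated 'any'. A non-empty result is a config bug."""
    shadowed, blocked = [], False
    for name, acl in views:
        if blocked:
            shadowed.append(name)
        elif "any" in acl:
            blocked = True
    return shadowed


def render_named_conf(views=VIEWS, zone="example.com"):
    """Emit the acl/view skeleton the ticket's Puppet template produces,
    with one zone file per view (file paths are an assumption)."""
    out = []
    for name, acl in views:
        out.append(f'acl "acl-{name}" {{ ' + " ".join(f"{e};" for e in acl) + " };")
    for name, _ in views:
        out += [
            f'view "{name}" {{',
            f"    match-clients {{ acl-{name}; }};",
            f'    zone "{zone}" {{ type master; file "/etc/named/{name}/{zone}.zone"; }};',
            "};",
        ]
    return "\n".join(out)


if __name__ == "__main__":
    for client in ("10.1.2.3", "203.0.113.7", "203.0.113.13", "8.8.8.8"):
        print(client, "->", select_view(client), resolve("ipa.example.com", client))
    print("shadowed:", shadowed_views([("external", ["any"]), ("internal", ["10.0.0.0/8"])]))
    print(render_named_conf())
```

Running it shows why a host that is present only in some views (foo.example.com above) answers NXDOMAIN from the dmz view, and why putting the `any` view first silently hides every view declared after it.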


This ticket is duplicate of #2802.

Metadata Update from @purpleidea:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago
