Hi there,
I hope I've filed this right. This was done in response to a request by: pspacek_
10:11 < pspacek_> purpleidea: BTW, it would be great if you can send your RFE via usual support channel. It would allow us to prioritize things accordingly.
Okay:
FreeIPA can manage DNS, which is a great feature because most sane sysadmins don't like managing DNS. Sadly, however, only fairly straightforward BIND configurations are supported. If more diverse options were available, more devops teams might be able to use this instead of their existing configs.
The particular use case that I am considering is that of multiview DNS. In my particular scenario, a given hostname (foo.example.com) will return a different IP address based on the network that it's in. Usually this is done with acl matching. In particular, this matters for the IPA host, and certain servers, so that 'ipa.example.com' returns the IP that corresponds to the network that foo.example.com asks from. Usually, each of these networks is a different rfc1912 zone, but there are other use cases too.
I believe the end result is that instead of each host having a single IP address assigned to it, it will have a dictionary of key=>value ... zones=>ipaddresses instead. Maybe the structure needs to be more complicated, but I doubt it needs more than that plus a few extra flags.
Here is a snippet from one puppet module to demonstrate usage:
<code>
// view: <%= name %>
acl "acl-<%= name %>" {
<% match.each do |i| -%>
	<%= i %>;
<% end -%>
};

view "<%= name %>" {
	// built-in acls include: none; localhost; localnets; any;
	// match-clients (source IP) vs. match-destinations (destination IP)
	match-clients { acl-<%= name %>; };
	//match-destinations { acl-<%= name %>; };
	recursion <%= recursion_bool %>;
	include "/etc/named.root.hints";
<% if match == ['localhost'] -%>
	include "/etc/named.rfc1912.zones";	// only needed for localhost
<% end -%>
<% if zones != [] -%>
	// get each zone from a separate file
<% zones.sort.each do |zone| -%>
	include "/etc/named/<%= zone %>.zone.conf";
<% end -%>
<% end -%>
};
</code>
At the outset this might look like a difficult, non-trivial enhancement; however, with a lean design, I think it would be quite easy for an experienced DNS wrangler to integrate this into FreeIPA. I would recommend initially only targeting command line usage.
I would be happy to consult on this, and provide accompanying code for my upcoming puppet-ipa module.
I'd like to add that I enjoyed the list of milestones! As such, I'd probably be willing to offer beer to hackers for this feature to come out sane.
Cheers, James
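An added example of the per-host view => address model the request above describes (not code from the ticket, from FreeIPA, or from the puppet-ipa module; the views, networks and addresses are constructed samples): it emulates BIND's first-matching-view selection on the query's source address, renders the A records each view's zone file would carry, and flags hosts that have no address in some view.

```python
import ipaddress

# Constructed: views in the order BIND evaluates them (first match wins,
# so the catch-all "any" view must come last).
VIEWS = [
    ("internal", ["localhost", "10.0.0.0/8"]),
    ("dmz", ["192.0.2.0/24"]),
    ("external", ["any"]),
]
# Constructed sample of the proposed per-host view => address dictionary.
HOSTS = {
    "ipa.example.com": {"internal": "10.0.0.5", "dmz": "192.0.2.5",
                        "external": "203.0.113.5"},
    "foo.example.com": {"internal": "10.0.0.9", "external": "203.0.113.9"},
}
# Expansion of the BIND built-in ACL names usable in match-clients.
BUILTIN = {"localhost": ["127.0.0.0/8", "::1/128"],
           "any": ["0.0.0.0/0", "::/0"], "none": []}

def acl_matches(entries, client):
    """Emulate match-clients: does the query's source address hit any entry?
    That address is unauthenticated, so views pick an answer; they are not
    an access control."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        for net in BUILTIN.get(entry, [entry]):
            n = ipaddress.ip_network(net)
            if ip.version == n.version and ip in n:
                return True
    return False

def select_view(views, client):
    """Name of the first view whose ACL matches the client, else None."""
    return next((name for name, acl in views if acl_matches(acl, client)), None)

def resolve(hosts, views, qname, client):
    """The address stored for the matched view, or None if the host has none there."""
    view = select_view(views, client)
    return hosts.get(qname, {}).get(view) if view else None

def zone_records(hosts, view):
    """A records belonging in the zone file that one view includes."""
    return [f"{q}. IN A {a[view]}" for q, a in sorted(hosts.items()) if view in a]

def missing_views(hosts, views):
    """Hosts lacking an address in some view: clients there get no answer for
    them, the main operational pitfall of the per-view dictionary."""
    names = [v for v, _ in views]
    gaps = {q: [v for v in names if v not in a] for q, a in hosts.items()}
    return {q: vs for q, vs in gaps.items() if vs}
```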
This ticket is a duplicate of #2802.
Metadata Update from @purpleidea: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE