Jump to: navigation, search

V4/External DNS integration with installer

Name: V4/External DNS integration with installer
Ticket: #4424
Incomplete.png Pending review
Last updated: 2016-12-20 by Pspacek

Warning red.svg

This article or section needs clarification.
This design page is work in progress.


FreeIPA should have ability to manage DNS records required for FreeIPA infrastructure even if DNS is managed by some non-FreeIPA DNS server. FreeIPA should update its DNS records in external DNS during installation and replica management.

User stories

  • As an FreeIPA administrator, I want to install FreeIPA replica and get its DNS records automatically populated as needed. My company is using DNS service outside of FreeIPA and is not willing to migrate to FreeIPA DNS.
    • E.g. FreeIPA server installation is done in AD dominated environment where AD admins do not want to delegate DNS domain to FreeIPA admins (i.e. political issues).
    • For now only with FreeIPA installers and replica management tools will be integrated with external DNS.

Future extensions

Warning red.svg

This article or section needs clarification.
It is not clear what (if any) user stories we want to support in the future.

  • As FreeIPA administrator, I want to have ability to use DNS locations for location-awareness even though FreeIPA DNS is not used by my organization.
  • As an lower-level admin, I need to add/delete DNS records when adding/removing hosts and services managed by FreeIPA. I want to use IPA commands and web UI to do this even though DNS is external to FreeIPA.
    • Should it work for users or only for automated DNS changes from IPA installers?
  • As an lower-level admin, I'm enrolling hosts to FreeIPA realm. I want the hosts to register themserves into external DNS.
    • Potential limitation: Should DNS updates from FreeIPA clients and from FreeIPA users be explicitly out of scope of this proposal.

External DNS services to consider

Service Expected difficulty
no locations manual locations[1] automated locations[2]
Microsoft DNS server: standalone, no Active Directory ? ? ?
Microsoft DNS server: integrated with Active Directory without trust ? ? ?
Microsoft DNS server: integrated with Active Directory with two-way trust medium[3] ? ?
Microsoft DNS server integrated: with Active Directory with one-way trust ? ? ?
InfoBlox: standalone ? ? ?
InfoBlox: with keytab from FreeIPA realm easy ? ?
InfoBlox: with keytab from AD realm, no trust to FreeIPA realm ? ? ?
InfoBlox: with keytab from AD realm, two-way trust to FreeIPA realm easy ? ?
InfoBlox: with keytab from AD realm, one-way trust to FreeIPA realm ? ? ?
AWS Route 53 service ? ? ?
Azure internal DNS ? ? ?
Azure external DNS ? ? ?
Google Cloud DNS ? ? ?


Warning red.svg

This article or section needs clarification.
This needs to be reworked when scope is clear. Take it as list of wild ideas.

  • Add new DNS zone type 'external' and transform dns* commands from FreeIPA framework to equivalent "nsupdate" commands and send DNS updates to existing DNS servers.
Warning red.svg

This article or section needs clarification.
Custodia should be re-used for sharing secrets

  • Use DNSSEC key distribution mechanism for TSIG key distribution to FreeIPA servers.
  • Store Kerberos keytabs for GSS-API as normal keytabs in LDAP.
    • use ipa-getkeytab for key distribution to FreeIPA servers
Warning red.svg

This article or section needs clarification.
Will it work with replica management?

  • Store keys on server's disk in location accessible only to root user

Warning red.svg

This article or section needs clarification.
Following sections were left untouched!

The proposed solution. This may include but is not limited to:

For other hints what to consider see general considerations page.


Microsoft DNS without Active Directory

As far as I can tell, Windows DNS 2016 without AD does not support GSS-TSIG, I did not find any way to set plain TSIG, and it does not allow any way of ACL specification on the zone.

This means that any client can update everything. For this case sending unsigned DNS update is an easy thing to do. It is up to the reader to decide if it is wise to run infrastructure this way or not, but it is not FreeIPA's bussiness.

Microsoft Active Directory

Windows DNS server integrated with AD supports GSS-TSIG. In case of two-way trust, this allows us to use existing IPA keytab and set ACL on Windows side to allow updates from clients. If we decide to go with DNS proxy route, [DnsUpdateProxy Group] could get handy.

Any implementation details you would like to spell out. Describe any technical details here. Make sure you cover

  • Dependencies: any new dependencies that FreeIPA project or it's part would gain and that needs to be packaged in distros?
  • Backup and Restore: any new file to back up or change required in Backup and Restore?

If this section is not trivial, move it to /Implementation sub page and only include link.

Feature Management


How the feature will be managed via the Web UI.


Overview of the CLI commands. Example:

Command Options
config-mod --user-auth-type=password/otp/radius
user-mod --user-auth-type=password/otp/radius --radius=STR --radius-username=STR


Any configuration options? Any commands to enable/disable the feature or turn on/off its parts?


Any impact on upgrades? Remove this section if not applicable.

How to Test

Easy to follow instructions how to test the new feature. FreeIPA user needs to be able to follow the steps and demonstrate the new features.

The chapter may be divided in sub-sections per Use Case.

Test Plan

Test scenarios that will be transformed to test cases for FreeIPA Continuous Integration during implementation or review phase. This can be also link to source in cgit with the test, if appropriate.


Petr Špaček

  1. Support for DNS locations require manual configuration of particular DNS views and keys on each DNS server.
  2. Support for DNS locations require only small configuration to enable access to external DNS API. DNS views and keys can be configured automatically by IPA.
  3. Keep in mind that DNS is required for establishing of the trust so Trust credentials cannot be used before establishing the trust ...