# DNS Integration Feature

## Overview

The certificate manager now automatically checks if hostnames in certificates are resolvable in DNS and can create missing DNS records on the UCS DNS server.

## How It Works

### 1. Certificate Analysis

After signing a certificate, the tool extracts all DNS names from:

- Common Name (CN) in the certificate Subject
- Subject Alternative Names (SANs)

### 2. DNS Resolution Check

For each hostname found, the tool checks if it resolves using a standard DNS lookup.

### 3. Missing Record Detection

If a hostname doesn't resolve, it's flagged as missing.

### 4. Automatic DNS Record Creation

The tool offers to create missing DNS records on the UCS DNS server using:

```bash
univention-directory-manager dns/host_record create
```

## Example Output

```
============================================================
Step 4: Checking DNS Records
============================================================
Checking 4 hostname(s) from certificate...
✓ vscode.egonetix.lan - resolves
✓ vscode - resolves
✓ srvdocker02.egonetix.lan - resolves
✗ newhost.egonetix.lan - NOT found in DNS

⚠ Found 1 hostname(s) not in DNS:
  - newhost.egonetix.lan

Do you want to create missing DNS records on UCS? [Y/n]: y
Creating DNS records on 10.0.0.21...
✓ Created DNS record: newhost.egonetix.lan → 10.0.0.48
✓ Successfully created 1 DNS record(s)

Note: DNS changes may take a few seconds to propagate.
```

## Benefits

- ✅ **Prevents Configuration Errors** - Ensures all certificate hostnames are resolvable
- ✅ **Saves Time** - No need to manually create DNS records
- ✅ **Automatic Workflow** - Integrated into the certificate generation process
- ✅ **Safe** - Always asks for confirmation before creating records
- ✅ **Idempotent** - Detects existing records and skips them

## Requirements

- SSH access to the UCS DNS server (default: 10.0.0.21)
- Root access or UDM permissions on the UCS server
- Target system must have an IP address for the A record

## Configuration

The DNS server is automatically set to the same server as the CA (configured in cert-manager.py):

```python
config['ca_server'] = '10.0.0.21'  # Default UCS server
```

## Limitations

- Only creates A records (IPv4)
- Requires the hostname to be part of an existing DNS zone on UCS
- Short hostnames (without domain) are skipped
- AAAA records (IPv6) not yet supported
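The check-and-create logic of steps 2 to 4 above, as an added Python example that is not cert-manager.py's own code. It assumes the hostname list has already been extracted from the certificate, a pluggable resolver (so it can be tested offline), the UCS zone DN convention `zoneName=<zone>,cn=dns,<ldap base>` and the UDM `--superordinate`/`--set` options; `ldap_base` is a placeholder the caller supplies.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Hostnames as the tool would extract them from the CN and SANs (constructed
# sample mirroring the example output above; the duplicate is intentional).
SAMPLE_HOSTNAMES = ["vscode.egonetix.lan", "vscode", "srvdocker02.egonetix.lan",
                    "newhost.egonetix.lan", "vscode.egonetix.lan"]


def resolves(hostname: str) -> bool:
    """Standard DNS lookup: True if the name resolves to at least one address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def check_hostnames(hostnames: List[str],
                    resolver: Callable[[str], bool] = resolves) -> Dict[str, List[str]]:
    """Classify names as resolved, missing (A record can be created) or skipped.

    A missing short name (no domain part) is skipped, because without a domain the
    tool cannot tell which UCS zone it belongs to. Duplicates are checked once.
    """
    result: Dict[str, List[str]] = {"resolved": [], "missing": [], "skipped": []}
    for name in dict.fromkeys(hostnames):  # de-duplicate, keep order
        if resolver(name):
            result["resolved"].append(name)
        elif "." in name:
            result["missing"].append(name)
        else:
            result["skipped"].append(name)
    return result


def udm_create_command(fqdn: str, ipv4: str, ldap_base: str) -> List[str]:
    """Build the UDM argv that creates the A record for one missing FQDN.

    Only IPv4 is accepted (the tool creates A records only). The zone DN layout
    'zoneName=<zone>,cn=dns,<ldap base>' is the UCS convention assumed here.
    """
    ipaddress.IPv4Address(ipv4)  # raises ValueError for anything but an IPv4 address
    host, _, zone = fqdn.partition(".")
    if not zone:
        raise ValueError(f"{fqdn!r} has no domain part; cannot choose a DNS zone")
    return ["univention-directory-manager", "dns/host_record", "create",
            "--superordinate", f"zoneName={zone},cn=dns,{ldap_base}",
            "--set", f"name={host}", "--set", f"a={ipv4}"]
```

Run `check_hostnames(SAMPLE_HOSTNAMES)` on a host that can see the UCS resolver, then pass each entry in `"missing"` to `udm_create_command` only after the user has confirmed, as the tool does.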