# DNS Integration Feature
## Overview

After signing a certificate, the certificate manager now checks whether every hostname in that certificate resolves in DNS, and offers to create the missing records on the UCS DNS server (through UDM, over SSH). The goal is that no certificate leaves the tool with a name that clients cannot reach.

## How It Works
### 1. Certificate Analysis

After signing a certificate, the tool extracts all DNS names from:

- the Common Name (CN) in the certificate Subject
- the Subject Alternative Names (SANs)

Modern TLS clients match the hostname against the SANs only and ignore the CN, so a hostname that appears only in the CN will get a DNS record from this step but will still fail TLS hostname verification; put every name that has to work for TLS in the SANs.

### 2. DNS Resolution Check

For each hostname found, the tool performs a standard DNS lookup and reports whether an address comes back. Because this is an ordinary resolver query, a name that is satisfied by a local override such as `/etc/hosts`, or by a resolver other than the UCS server, is reported as resolving even though no record exists on UCS. Run the check from a host that uses the UCS server as its resolver to get a meaningful answer.

### 3. Missing Record Detection

If the lookup returns no address for a hostname, the hostname is flagged as missing and collected for the next step. Any failed lookup counts as missing, so a temporarily unreachable resolver flags every name at once; if all hostnames show up as missing together, check the resolver before accepting the creation prompt.

### 4. Automatic DNS Record Creation

The tool offers to create each missing record on the UCS DNS server with the UDM command line, run on the UCS host. Completed with the hostname and address from the example output below, the command it issues is:

```bash
# One record per missing FQDN. The superordinate is the forward zone object
# under cn=dns; the LDAP base is read from the UCS registry on the UCS host.
univention-directory-manager dns/host_record create \
  --superordinate "zoneName=egonetix.lan,cn=dns,$(ucr get ldap/base)" \
  --set name=newhost \
  --set a=10.0.0.48
```

`udm` is the short alias for `univention-directory-manager` on UCS. The command must run as root or as a UDM user with write access to the zone, and the zone (`egonetix.lan` here) must already exist: UDM creates the host record, not the zone.

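The four steps above, as an added Python example that is not the project's cert-manager.py code: it extracts the names, runs the lookup through an injectable resolver, flags the missing names and builds the `udm dns/host_record create` command line for each one, without executing anything. The `udm` options (`--superordinate`, `--set name=`, `--set a=`) are the standard UDM CLI options; the LDAP base `dc=egonetix,dc=lan`, the zone list, the hostnames and the addresses are constructed sample values.

```python
"""Added example, not cert-manager.py's own code: the check-then-create logic
of the DNS step with the resolver injectable so it runs offline. LDAP base,
zone list, hostnames and addresses are constructed sample values."""
import ipaddress
import shlex
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str], List[str]]


def extract_dns_names(subject_cn: Optional[str], sans: Iterable[str]) -> List[str]:
    """Step 1: hostnames from CN and SANs, lower-cased, trailing dot stripped,
    de-duplicated. Wildcards and iPAddress SANs cannot be A records: dropped."""
    names: List[str] = []
    for raw in ([subject_cn] if subject_cn else []) + list(sans):
        name = raw.strip().rstrip(".").lower()
        if not name or name.startswith("*."):
            continue
        try:
            ipaddress.ip_address(name)
            continue  # an iPAddress SAN, not a hostname
        except ValueError:
            pass
        if name not in names:
            names.append(name)
    return names


def system_resolver(name: str) -> List[str]:
    """Default lookup via the OS resolver; note it honours /etc/hosts too."""
    return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for system_resolver backed by a constructed table."""
    def lookup(name: str) -> List[str]:
        if name not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return table[name]
    return lookup


def find_missing(names: Iterable[str], resolver: Resolver = system_resolver) -> List[str]:
    """Steps 2 and 3: any lookup failure counts as missing, like the tool's
    check, so a dead resolver makes every name look missing."""
    missing = []
    for name in names:
        try:
            addresses = resolver(name)
        except (socket.gaierror, UnicodeError):
            addresses = []
        if not addresses:
            missing.append(name)
    return missing


def split_zone(fqdn: str, zones: Iterable[str]) -> Optional[Tuple[str, str]]:
    """(host, zone) using the longest known zone that is a suffix of fqdn;
    None for short hostnames and for names outside every known zone."""
    matches = [z.lower() for z in zones if fqdn.endswith("." + z.lower())]
    if not matches:
        return None
    zone = max(matches, key=len)
    return fqdn[: -len(zone) - 1], zone


def udm_create_command(fqdn: str, ip: str, ldap_base: str, zones: Iterable[str]) -> Optional[str]:
    """Step 4: the udm line for one missing FQDN, or None if it cannot be created.
    The superordinate is the forward zone object under cn=dns of the LDAP base;
    shlex.quote stops certificate-controlled names from breaking the SSH command."""
    parts = split_zone(fqdn, zones)
    if parts is None:
        return None
    host, zone = parts
    ipaddress.IPv4Address(ip)  # A records take IPv4 only; raises on anything else
    superordinate = f"zoneName={zone},cn=dns,{ldap_base}"
    return " ".join(["udm", "dns/host_record", "create",
                     "--superordinate", shlex.quote(superordinate),
                     "--set", shlex.quote(f"name={host}"),
                     "--set", shlex.quote(f"a={ip}")])


def plan_dns_step(subject_cn, sans, target_ip, ldap_base, zones, resolver=system_resolver):
    """Steps 1-4 without executing anything: (names, missing, commands)."""
    names = extract_dns_names(subject_cn, sans)
    missing = find_missing(names, resolver)
    commands = [c for c in (udm_create_command(n, target_ip, ldap_base, zones)
                            for n in missing) if c is not None]
    return names, missing, commands


# Constructed sample: the four names from the example output plus an
# iPAddress SAN and a wildcard that must be ignored.
SAMPLE_CN = "vscode.egonetix.lan"
SAMPLE_SANS = ["vscode.egonetix.lan", "vscode", "srvdocker02.egonetix.lan",
               "NewHost.egonetix.lan.", "10.0.0.48", "*.egonetix.lan"]
SAMPLE_TABLE = {"vscode.egonetix.lan": ["10.0.0.48"], "vscode": ["10.0.0.48"],
                "srvdocker02.egonetix.lan": ["10.0.0.30"]}
SAMPLE_LDAP_BASE = "dc=egonetix,dc=lan"  # assumed; on UCS use `ucr get ldap/base`
SAMPLE_ZONES = ["egonetix.lan"]

if __name__ == "__main__":
    names, missing, commands = plan_dns_step(
        SAMPLE_CN, SAMPLE_SANS, "10.0.0.48", SAMPLE_LDAP_BASE, SAMPLE_ZONES,
        resolver=table_resolver(SAMPLE_TABLE))
    for name in names:
        print(("✗ %s - NOT found in DNS" if name in missing else "✓ %s - resolves") % name)
    for cmd in commands:
        print("would run on UCS:", cmd)
```

Run as-is it reproduces the report from the example output with the offline table; in real use keep the default `system_resolver` and send each returned command to the UCS host over SSH after the confirmation prompt. The names that end up on that command line come from the certificate, which is why they go through `shlex.quote`: a certificate carrying a hostname with shell metacharacters then cannot inject into the SSH command, and a short hostname or a name outside every known zone yields no command at all instead of a failing UDM call.
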
## Example Output

```
============================================================
Step 4: Checking DNS Records
============================================================

Checking 4 hostname(s) from certificate...
✓ vscode.egonetix.lan - resolves
✓ vscode - resolves
✓ srvdocker02.egonetix.lan - resolves
✗ newhost.egonetix.lan - NOT found in DNS

⚠ Found 1 hostname(s) not in DNS:
  - newhost.egonetix.lan

Do you want to create missing DNS records on UCS? [Y/n]: y

Creating DNS records on 10.0.0.21...
✓ Created DNS record: newhost.egonetix.lan → 10.0.0.48

✓ Successfully created 1 DNS record(s)

Note: DNS changes may take a few seconds to propagate.
```

## Benefits

✅ **Prevents Configuration Errors** - Ensures all certificate hostnames are resolvable

✅ **Saves Time** - No need to manually create DNS records

✅ **Automatic Workflow** - Integrated into the certificate generation process

✅ **Safe** - Always asks for confirmation before creating records

✅ **Idempotent** - Detects existing records and skips them

## Requirements

- SSH access to the UCS DNS server (default: 10.0.0.21)
- Root access, or a UDM account with write permission on the DNS zone, on the UCS server
- The target system must have an IP address for the A record

The SSH credential the tool uses can create arbitrary records in the zone, so treat it as a DNS-administration credential: a dedicated key rather than a shared root password, and available only on the hosts that run the certificate manager.

## Configuration

The DNS server is not configured separately: it is the same host as the CA server, taken from `config['ca_server']` in cert-manager.py:

```python
config['ca_server'] = '10.0.0.21'  # Default UCS server
```

Change this value if your UCS DNS server has a different address.

## Limitations

- Only A records (IPv4) are created; AAAA records (IPv6) are not yet supported
- The hostname must belong to a DNS zone that already exists on UCS; UDM does not create the zone
- Short hostnames (without a domain part) are checked, as `vscode` is in the example above, but never created, because there is no zone to place them in
- Every missing record points at the target system's IP address, so review the list before answering the prompt if a SAN belongs to a different host