zertifizierung/docs/DNS_INTEGRATION.md

DNS Integration Feature

Overview

The certificate manager now automatically checks if hostnames in certificates are resolvable in DNS and can create missing DNS records on the UCS DNS server.

How It Works

1. Certificate Analysis

After signing a certificate, the tool extracts all DNS names from:

  • Common Name (CN) in the certificate Subject
  • Subject Alternative Names (SANs)

2. DNS Resolution Check

For each hostname found, the tool checks whether it resolves using a standard DNS lookup.

3. Missing Record Detection

If a hostname doesn't resolve, it's flagged as missing.

4. Automatic DNS Record Creation

The tool offers to create missing DNS records on the UCS DNS server using:

univention-directory-manager dns/host_record create
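The four steps above, as an added example that is not code from the project's own cert-manager.py: it assumes the CN and SAN names have already been extracted as plain strings, accepts an injectable resolver so the logic runs offline, treats a name as missing only when it does not resolve, and builds the univention-directory-manager invocation as an argv list. The superordinate DN layout `zoneName=<zone>,cn=dns,<base_dn>` and the `--set name=` / `--set a=` properties are assumed from UDM's usual dns/host_record usage, not taken from this page; the zone is assumed to be everything after the first label of the FQDN.

```python
"""Hostname extraction, DNS check and UDM command planning (added example).

Assumptions (not from the project): certificate names arrive as plain strings,
the UDM superordinate DN is 'zoneName=<zone>,cn=dns,<base_dn>', and the zone
is the part of the FQDN after its first label.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List


def collect_hostnames(common_name: str, sans: Iterable[str]) -> List[str]:
    """Merge the Subject CN and the DNS SANs into one ordered, de-duplicated list.

    Names are lower-cased and a trailing dot is stripped, so that
    'NewHost.egonetix.lan.' and 'newhost.egonetix.lan' count as one entry.
    """
    seen = set()
    ordered: List[str] = []
    for raw in [common_name, *sans]:
        name = (raw or "").strip().rstrip(".").lower()
        if name and name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def resolves(hostname: str) -> bool:
    """Standard resolver lookup; note it also consults /etc/hosts, not only DNS."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def check_dns(hostnames: Iterable[str],
              resolver: Callable[[str], bool] = resolves) -> Dict[str, List[str]]:
    """Classify each name as resolved, missing (FQDN, creatable) or skipped (short name).

    Names that already resolve are left alone, which is what makes a re-run idempotent.
    """
    result: Dict[str, List[str]] = {"resolved": [], "missing": [], "skipped": []}
    for name in hostnames:
        if resolver(name):
            result["resolved"].append(name)      # existing record: nothing to do
        elif "." in name:
            result["missing"].append(name)       # FQDN without a record: candidate
        else:
            result["skipped"].append(name)       # short name: no zone to place it in
    return result


def plan_udm_commands(missing: Iterable[str], ip: str, base_dn: str) -> List[List[str]]:
    """Build one univention-directory-manager invocation per missing FQDN.

    Only IPv4 is accepted because only A records are created. The result is a
    list of argv lists so it can be handed to subprocess without a shell.
    """
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("only IPv4 addresses are supported for A records")
    commands: List[List[str]] = []
    for fqdn in missing:
        if "." not in fqdn:
            continue                               # short names cannot be created
        short, zone = fqdn.split(".", 1)           # 'newhost', 'egonetix.lan'
        superordinate = f"zoneName={zone},cn=dns,{base_dn}"   # assumed DN layout
        commands.append([
            "univention-directory-manager", "dns/host_record", "create",
            "--superordinate", superordinate,
            "--set", f"name={short}",
            "--set", f"a={ip}",
        ])
    return commands


if __name__ == "__main__":
    # Constructed sample mirroring the example output in this document.
    known = {"vscode.egonetix.lan", "vscode", "srvdocker02.egonetix.lan"}
    names = collect_hostnames("vscode.egonetix.lan",
                              ["vscode", "srvdocker02.egonetix.lan", "newhost.egonetix.lan"])
    report = check_dns(names, resolver=lambda n: n in known)
    for n in report["resolved"]:
        print(f"  resolves: {n}")
    for n in report["missing"]:
        print(f"  NOT found in DNS: {n}")
    for cmd in plan_udm_commands(report["missing"], "10.0.0.48", "dc=egonetix,dc=lan"):
        print(" ".join(cmd))
```

Running the commands is deliberately left to the caller: the tool on this page asks for confirmation first, and keeping the plan separate from execution makes that confirmation step (and a dry-run) trivial to add.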

Example Output

============================================================
Step 4: Checking DNS Records
============================================================

Checking 4 hostname(s) from certificate...
  ✓ vscode.egonetix.lan - resolves
  ✓ vscode - resolves
  ✓ srvdocker02.egonetix.lan - resolves
  ✗ newhost.egonetix.lan - NOT found in DNS

⚠ Found 1 hostname(s) not in DNS:
  - newhost.egonetix.lan

Do you want to create missing DNS records on UCS? [Y/n]: y

Creating DNS records on 10.0.0.21...
  ✓ Created DNS record: newhost.egonetix.lan → 10.0.0.48

✓ Successfully created 1 DNS record(s)

Note: DNS changes may take a few seconds to propagate.

Benefits

  • Prevents Configuration Errors - Ensures all certificate hostnames are resolvable
  • Saves Time - No need to manually create DNS records
  • Automatic Workflow - Integrated into the certificate generation process
  • Safe - Always asks for confirmation before creating records
  • Idempotent - Detects existing records and skips them

Requirements

  • SSH access to UCS DNS server (default: 10.0.0.21)
  • Root access or UDM permissions on UCS server
  • Target system must have an IP address for the A record

Configuration

The DNS server is automatically set to the same server as the CA (configured in cert-manager.py):

config['ca_server'] = '10.0.0.21'  # Default UCS server

Limitations

  • Only creates A records (IPv4)
  • Requires the hostname to be part of an existing DNS zone on UCS
  • Short hostnames (without domain) are skipped
  • AAAA records (IPv6) not yet supported