
DNS TXT & SRV record lookup capabilities (aka FreeIPA support) #2

Closed
hairmare opened this issue Oct 30, 2017 · 2 comments

@hairmare

hairmare commented Oct 30, 2017

Hi linux-system-roles community

While volunteering at my local community radio station rabe I found myself writing a smallish wrapper role to the linux-system-roles/timesync role to automate our deploy on a FreeIPA based domain.

Similar to what ipa-client-install does, I found the DNS SRV records to be a handy way to get to the needed information. At the core of my PoC role is the following:

```yaml
- name: "Find ntp servers in SRV records"
  set_fact:
    rabe_ntp_servers: "{{ lookup('dig', '_ntp._udp.' + rabe_int_domain + './SRV', 'flat=0') | json_query('[*].target') }}"

- name: "Format dns results for linux-system-roles.timesync"
  set_fact:
    rabe_lsr_timesync_ntp_servers: "{{ rabe_lsr_timesync_ntp_servers | default([]) + [ {'hostname': item, 'iburst': true} ] }}"
  with_items: "{{ rabe_ntp_servers }}"

- name: "Configure ntp using galaxy role and variables from dns"
  include_role:
    name: linux-system-roles.timesync
  vars:
    ntp_servers: "{{ rabe_lsr_timesync_ntp_servers }}"
```

After having implemented that I started thinking of adding full discovery based on ansible_fqdn by doing a lookup on the _kerberos TXT record to form the actual lookup.

Would this be a feature that you would welcome in a pull request? I was thinking that the feature would be off by default but easily activated by using an ipa=true var.

I'm not sure if PTP is relevant to this case. I am planning our own PTP rollout but it seems to have its own discovery protocols that are semi standardized. Any input on how to do PTP is gladly appreciated and I'd add what's needed to an eventual IPA support PR.

I'd like to add this feature to your upstream repo. Let me know if you're ok with that and I'll refactor my code into something PR worthy.

Thanks for coding what seems to be the most complete timesync module in the galaxy 😜
Lucas
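The discovery the wrapper role above sketches (find the IPA domain from a host's FQDN via the `_kerberos` TXT record, then read `_ntp._udp.<domain>` SRV and build the `ntp_servers` list for linux-system-roles.timesync) as an added, stand-alone Python example; this is not code from the issue author or from the timesync role. It goes one step beyond the `json_query('[*].target')` in the playbook by ordering the SRV answers by priority and weight as RFC 2782 describes, so the preferred server comes first. DNS is replaced by a constructed in-memory zone (`FAKE_ZONE`, names under `ipa.example.test`), so it runs offline; the `_kerberos` TXT lookup walking up the parent domains is an assumption about how the "full discovery based on ansible_fqdn" idea would work.

```python
"""Discover NTP servers from FreeIPA-style DNS records, offline.

Steps:
  1. walk up the parent domains of the host's FQDN until a
     ``_kerberos.<domain>`` TXT record is found (assumed to mark the IPA
     domain; the record text holds the Kerberos realm)
  2. read ``_ntp._udp.<domain>`` SRV and order the answers per RFC 2782
     (lowest priority first, then higher weight first)
  3. emit the ``ntp_servers`` list shape linux-system-roles.timesync takes
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data standing in for real DNS answers (not a real domain).
FAKE_ZONE = {
    ("_kerberos.ipa.example.test", "TXT"): ["IPA.EXAMPLE.TEST"],
    ("_ntp._udp.ipa.example.test", "SRV"): [
        SrvRecord(10, 50, 123, "ntp2.ipa.example.test."),
        SrvRecord(0, 100, 123, "ntp1.ipa.example.test."),
        SrvRecord(10, 60, 123, "ntp3.ipa.example.test."),
    ],
}


def fake_resolve(name, rtype):
    """Stand-in resolver: returns [] for anything not in FAKE_ZONE."""
    return FAKE_ZONE.get((name.rstrip(".").lower(), rtype), [])


def find_ipa_domain(fqdn, resolve=fake_resolve):
    """Return (domain, realm) for the first parent of fqdn with a _kerberos TXT.

    host1.ipa.example.test -> ipa.example.test -> example.test -> test
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        realm = resolve("_kerberos." + domain, "TXT")
        if realm:
            return domain, realm[0]
    return None, None


def order_srv(records):
    """RFC 2782 ordering: ascending priority, then higher weight first.

    Deterministic stand-in for the weighted random pick the RFC describes;
    the target name breaks remaining ties so results are reproducible.
    """
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def ntp_servers_for(fqdn, resolve=fake_resolve):
    """Build the ntp_servers list the wrapper role feeds to timesync."""
    domain, _realm = find_ipa_domain(fqdn, resolve)
    if domain is None:
        return []
    records = order_srv(resolve("_ntp._udp." + domain, "SRV"))
    # Same dict shape the playbook builds: hostname without the trailing dot,
    # iburst enabled for each discovered server.
    return [{"hostname": r.target.rstrip("."), "iburst": True} for r in records]


if __name__ == "__main__":
    print(find_ipa_domain("host1.ipa.example.test"))
    print(ntp_servers_for("host1.ipa.example.test"))
```

To use real DNS, swap `fake_resolve` for a function that returns the TXT strings and SRV tuples from a resolver library; the rest of the logic, including the priority/weight ordering, is unchanged.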

@mlichvar
Collaborator

Would it make sense to support a new variable in the server specification for DNS SRV? Or maybe just specify _ntp._udp.* names as hostnames and let the role translate them to addresses?

Ideally, I think SRV records should be handled by the NTP implementations and the role wouldn't have to know anything about that.

Also, there is some support for SRV records in the Fedora/RHEL/CentOS packages of chrony (in /usr/libexec/chrony-helper), which uses systemd timers to periodically refresh the address. The role could possibly use that too.

@hairmare
Author

There is a bug about mDNSResponder integration (under the hood mDNSResponder works similarly to the IPA/AD DNS SRV entries) on bugs.ntp.org.

I'll look into how this works in chrony-helper since a similar solution might make sense for ntpd as well. Thanks for the hint.

@richm richm closed this as completed Jul 23, 2024