[Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

Martin Kosek mkosek at redhat.com
Fri Apr 12 13:58:28 UTC 2013


On 04/12/2013 03:50 PM, Petr Viktorin wrote:
> On 04/12/2013 02:30 PM, Jan Cholasta wrote:
>> On 12.4.2013 14:19, Petr Viktorin wrote:
>>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/3547>.
>>>>
>>>> Honza
>>>
>>> We used short names in the CNAMEs:
>>>
>>> $ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
>>>    Record name: ipa-ca
>>>    CNAME record: vm-109
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>>
>>>
>>> But it seems the patch assumes a FQDN with a dot at the end. When
>>> upgrading a 3.1 server I get:
>>>
>>> 2013-04-12T12:16:43Z INFO   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>> line 613, in run_script
>>>      return_value = main_function()
>>>
>>>    File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>>      add_ca_dns_records()
>>>
>>>    File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>>      bind.convert_ipa_ca_cnames(api.env.domain)
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>> line 785, in convert_ipa_ca_cnames
>>>      self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>>
>>>    File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>> line 772, in add_ipa_ca_dns_records
>>>      host, zone = fqdn.split(".", 1)
>>>
>>> Unexpected error
>>> ValueError: need more than 1 value to unpack
>>>
>>
>> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>>
>> Updated patch attached.
> 
> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that is
> the usual way to do load-balancing, which is the recommended setup for big
> installations.
> 

Given that CNAME can only point to one host, I do not know how it can be used
to load balance.

The idea with ipa-ca was to contain a number of A records, which would create a
load balancer to some extent as client software checking the OCSP/CRL would run
the request against one random A record and thus distribute the load among all
FreeIPA CAs.

As A cannot coexist with CNAME, we need to delete it. But it is true that it
may be a good idea to produce an upgrade warning about it.

Martin
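The two points raised in this thread, the `ValueError` from `fqdn.split(".", 1)` on a short CNAME target and the rule that a CNAME cannot share an owner name with A/AAAA records, are easy to get wrong in an upgrade script. The following is an added example (not FreeIPA's code, and not the attached patch) that models the conversion over a constructed in-memory zone table, accepting short names, dotted FQDNs and FQDNs with a trailing dot, and that reports any owner name where a CNAME coexists with other data so the conflict can be surfaced as a warning instead of a traceback. The zone layout, record values and function names are assumptions made for the example.

```python
import copy
import ipaddress

# Constructed sample data: {zone: {owner name: {rtype: [values]}}}.
# "example.test" mirrors the short-name CNAME seen in the thread,
# "other.test" the FQDN-with-trailing-dot form the patch assumed.
SAMPLE_ZONES = {
    "example.test": {
        "ipa-ca": {"CNAME": ["vm-109"]},
        "vm-109": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    },
    "other.test": {
        "ipa-ca": {"CNAME": ["ca1.other.test."]},
        "ca1": {"A": ["192.0.2.20"]},
    },
}


def split_fqdn(name, default_zone):
    """Split a DNS name into (host, zone).

    Handles 'vm-109' (short name, relative to default_zone),
    'vm-109.example.test' and 'vm-109.example.test.' (trailing dot).
    A bare `name.split(".", 1)` raises ValueError on the short form,
    which is the failure quoted in the thread."""
    name = name.rstrip(".")
    if "." not in name:
        return name, default_zone
    host, zone = name.split(".", 1)
    return host, zone


def address_records(zones, name, default_zone):
    """Return {'A': [...], 'AAAA': [...]} for a target name, omitting empty types."""
    host, zone = split_fqdn(name, default_zone)
    rrset = zones.get(zone, {}).get(host, {})
    return {t: list(rrset[t]) for t in ("A", "AAAA") if rrset.get(t)}


def convert_ca_cname(zones, domain):
    """Replace the ipa-ca CNAME in `domain` with its target's A/AAAA records.

    The CNAME is removed before address records are added, because a CNAME
    may not coexist with other data at the same owner name (RFC 1034 3.6.2).
    Returns the rrset now present at ipa-ca."""
    ipa_ca = zones[domain].setdefault("ipa-ca", {})
    for target in ipa_ca.pop("CNAME", []):
        for rtype, values in address_records(zones, target, domain).items():
            for value in values:
                ipaddress.ip_address(value)  # reject garbage before writing it
                bucket = ipa_ca.setdefault(rtype, [])
                if value not in bucket:
                    bucket.append(value)
    return ipa_ca


def cname_conflicts(zones):
    """List (owner, zone) pairs where a CNAME sits beside other record types.

    An upgrade script can emit a warning for each entry instead of failing."""
    return sorted(
        (owner, zone)
        for zone, owners in zones.items()
        for owner, rrset in owners.items()
        if "CNAME" in rrset and len(rrset) > 1
    )


def demo():
    """Run the conversion on a copy of the sample data and return the results."""
    zones = copy.deepcopy(SAMPLE_ZONES)
    converted = {d: dict(convert_ca_cname(zones, d)) for d in sorted(zones)}
    clean = cname_conflicts(zones)
    # Constructed conflict: an A record added next to a surviving CNAME.
    broken = copy.deepcopy(SAMPLE_ZONES)
    broken["example.test"]["ipa-ca"]["A"] = ["192.0.2.99"]
    return converted, clean, cname_conflicts(broken)


if __name__ == "__main__":
    converted, clean, conflicts = demo()
    print("ipa-ca after conversion:", converted)
    print("conflicts after conversion:", clean)
    print("conflicts in broken zone:", conflicts)
```

Running the module prints the converted `ipa-ca` rrsets for both zones, an empty conflict list after conversion, and the one constructed CNAME-plus-A conflict.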