[Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

Dmitri Pal dpal at redhat.com
Fri Apr 12 14:15:24 UTC 2013


On 04/12/2013 10:09 AM, Petr Viktorin wrote:
> On 04/12/2013 03:58 PM, Martin Kosek wrote:
>> On 04/12/2013 03:50 PM, Petr Viktorin wrote:
>>> On 04/12/2013 02:30 PM, Jan Cholasta wrote:
>>>> On 12.4.2013 14:19, Petr Viktorin wrote:
>>>>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the attached patches fix
>>>>>> <https://fedorahosted.org/freeipa/ticket/3547>.
>>>>>>
>>>>>> Honza
>>>>>
>>>>> We used short names in the CNAMEs:
>>>>>
>>>>> $ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
>>>>>     Record name: ipa-ca
>>>>>     CNAME record: vm-109
>>>>> ----------------------------
>>>>> Number of entries returned 1
>>>>> ----------------------------
>>>>>
>>>>>
>>>>> But it seems the patch assumes a FQDN with a dot at the end. When
>>>>> upgrading a 3.1 server I get:
>>>>>
>>>>> 2013-04-12T12:16:43Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 613, in run_script
>>>>>       return_value = main_function()
>>>>>
>>>>>     File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>>>>       add_ca_dns_records()
>>>>>
>>>>>     File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>>>>       bind.convert_ipa_ca_cnames(api.env.domain)
>>>>>
>>>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 785, in convert_ipa_ca_cnames
>>>>>       self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>>>>
>>>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 772, in add_ipa_ca_dns_records
>>>>>       host, zone = fqdn.split(".", 1)
>>>>>
>>>>> Unexpected error
>>>>> ValueError: need more than 1 value to unpack
>>>>>
>>>>
>>>> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>>>>
>>>> Updated patch attached.
>>>
>>> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
>>> that is the usual way to do load-balancing, which is the recommended
>>> setup for big installations.
>>>
>>
>> Given that a CNAME can only point to one host, I do not know how it
>> can be used to load balance.
>
> The host behind the CNAME can still have multiple A records, and/or
> the record(s) can point to "real" load balancers that distribute
> traffic to several servers, taking into account how busy each one is
> and excluding ones that are down.
>
> From the discussions I'm under the impression that this is the proper
> "big enterprise" solution, which we don't do only because we don't
> want to integrate a load balancer into IPA. That's why I'm asking
> if/how we want to support it.


It should work without a load balancer, with just DNS, but if a big
customer wants to put in a load balancer, he should be able to.

>
>> The idea with ipa-ca was to contain a number of A records, which would
>> create a load balancer to some extent, as client software checking the
>> OCSP/CRL would run the request against one random A record and thus
>> distribute the load among all FreeIPA CAs.
>>
>> As A cannot coexist with CNAME, we need to delete it. But it is true
>> that it may be a good idea to produce an upgrade warning about it.
>>
>> Martin
>>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
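The thread above turns on two points: a short CNAME target such as `vm-109` has no zone part to split off once the trailing dot is stripped (hence the `ValueError` in the traceback), and a CNAME cannot coexist with A/AAAA records at the same name, so replacing it during upgrade silently discards a load-balancer setup an admin may have chosen on purpose. The following is an added illustration, not code from the patches under discussion or from FreeIPA itself; the function names, the `{rrtype: [values]}` record shape, the `resolve` lookup hook and the sample addresses are assumptions made for the example.

```python
# Added example, not FreeIPA's own code: how an upgrade step could turn an
# ipa-ca CNAME into A/AAAA records without tripping over short-name targets.
# Function names, the record-dict shape, the resolve hook and the sample data
# are assumptions made for this illustration.

def normalize_cname_target(target, domain):
    """Return an absolute name (no trailing dot) for a CNAME target.

    A trailing dot marks an absolute name and is stripped.  A target with
    no dot at all is a short name relative to the zone it was found in, so
    the domain is appended; that is the input that produced
    'ValueError: need more than 1 value to unpack' in the traceback above.
    """
    domain = domain.rstrip(".")
    if target.endswith("."):
        return target[:-1]
    if "." not in target:
        return "%s.%s" % (target, domain)
    return target


def split_host_zone(fqdn):
    """Split an absolute name into (host, zone), failing with a clear
    message rather than an opaque unpack error when there is no zone part."""
    fqdn = fqdn.rstrip(".")
    if "." not in fqdn:
        raise ValueError("expected a fully qualified name, got %r" % fqdn)
    host, zone = fqdn.split(".", 1)
    return host, zone


def convert_ipa_ca_cname(records, domain, resolve):
    """Replace the CNAME(s) on ipa-ca with the A/AAAA records of the target.

    records: {rrtype: [value, ...]} for the ipa-ca name (constructed shape).
    resolve: callable fqdn -> [(rrtype, address), ...] for the target host
             (a hypothetical lookup hook so the example runs offline).

    Returns (new_records, warnings).  A CNAME must not coexist with other
    record types at the same owner name (RFC 1034), so every CNAME is
    dropped; a warning is emitted because an admin may have set the CNAME
    on purpose to point at an external load balancer.
    """
    new_records = {k: list(v) for k, v in records.items() if k != "CNAME"}
    warnings = []
    for target in records.get("CNAME", []):
        fqdn = normalize_cname_target(target, domain)
        host, zone = split_host_zone(fqdn)
        warnings.append(
            "ipa-ca CNAME -> %s (host %s in zone %s) is being replaced by "
            "A/AAAA records; re-create it after the upgrade if a load "
            "balancer in front of the CAs is intended" % (fqdn, host, zone))
        for rrtype, addr in resolve(fqdn):
            if rrtype not in ("A", "AAAA"):
                continue
            if addr not in new_records.setdefault(rrtype, []):
                new_records[rrtype].append(addr)
    return new_records, warnings


# Constructed sample: the short-name CNAME from the dnsrecord-find output
# above and a fake resolver standing in for a real DNS query.
SAMPLE_DOMAIN = "idm.lab.eng.brq.redhat.com"
SAMPLE_RECORDS = {"CNAME": ["vm-109"]}
SAMPLE_ADDRESSES = {
    "vm-109.idm.lab.eng.brq.redhat.com": [("A", "192.0.2.109"),
                                          ("AAAA", "2001:db8::109")],
}


def fake_resolve(fqdn):
    """Offline stand-in for a DNS lookup (constructed data)."""
    return SAMPLE_ADDRESSES.get(fqdn, [])


if __name__ == "__main__":
    recs, warns = convert_ipa_ca_cname(SAMPLE_RECORDS, SAMPLE_DOMAIN,
                                       fake_resolve)
    for w in warns:
        print("WARNING:", w)
    print(recs)
```

Running it prints the warning for the `vm-109` CNAME and the resulting record set with only A and AAAA entries; the explicit check in `split_host_zone` turns the unpack failure into a message naming the offending input, which is what an operator reading the upgrade log needs.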
