[Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

Jan Cholasta jcholast at redhat.com
Mon Apr 15 10:31:32 UTC 2013


On 12.4.2013 16:55, Simo Sorce wrote:
>
>
> ----- Original Message -----
>> On 04/12/2013 03:50 PM, Petr Viktorin wrote:
>>> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that
>>> is the usual way to do load-balancing, which is the recommended setup for
>>> big installations.
>>>
>>
>> Given that a CNAME can only point to one host, I do not know how it can be
>> used to load balance.
>>
>> The idea with ipa-ca was to contain a number of A records, which would create
>> a load balancer to some extent, as client software checking the OCSP/CRL
>> would run the request against one random A record and thus distribute the
>> load among all FreeIPA CAs.
>>
>> As A cannot coexist with CNAME, we need to delete it. But it is true that it
>> may be a good idea to produce an upgrade warning about it.
>
> We should not delete it.
> If the admin consciously changed the A name to a CNAME we should respect that decision.
> The problem is on upgrade I guess.
> I think on upgrade from 3.1 we just need to document admins should manually fix the record.
> After the upgrade he'll remove the CNAME and instead add an A name pointing to all the CA replicas manually ?
>
> Simo.
>
>

I have changed the patch so that the CNAMEs are replaced with A/AAAA if 
and only if they all point to IPA masters, otherwise a warning is 
printed. Is that OK?

Honza

-- 
Jan Cholasta
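The replace-or-warn rule Honza describes above, as an added example that is not part of the FreeIPA patch: the CNAME targets are replaced with the masters' A/AAAA records only when every target is an IPA master, otherwise the record is left alone and a warning is returned. The master hostnames and addresses are constructed.

```python
"""Constructed example of the ipa-ca upgrade rule from the thread.
Not FreeIPA code; operates on an in-memory copy of the record set."""
import ipaddress

# Constructed sample deployment: IPA masters and their address records.
MASTERS = {
    "ipa1.example.test": ["192.0.2.10", "2001:db8::10"],
    "ipa2.example.test": ["192.0.2.11"],
}


def _normalize(name):
    """DNS names are case-insensitive; strip the trailing dot as well."""
    return name.rstrip(".").lower()


def plan_ipa_ca_upgrade(ipa_ca_records, masters):
    """Decide what to do with the ipa-ca record set on upgrade.

    ipa_ca_records: dict with optional keys "CNAME", "A", "AAAA" -> list of values.
    masters: dict hostname -> list of IP addresses of the IPA masters.
    Returns (new_records, warnings); new_records is None when nothing changes.
    """
    cnames = [_normalize(t) for t in ipa_ca_records.get("CNAME", [])]
    if not cnames:
        return None, []  # no CNAME present, nothing to convert
    known = {_normalize(h): addrs for h, addrs in masters.items()}
    unknown = [c for c in cnames if c not in known]
    if unknown:
        # A deliberate CNAME to a non-IPA host is respected; the admin
        # has to replace it with A/AAAA records by hand.
        return None, ["ipa-ca CNAME points to non-IPA host(s): %s; "
                      "replace it with A/AAAA records manually"
                      % ", ".join(unknown)]
    # Every CNAME target is a master: build the A/AAAA set from their addresses.
    new = {"A": set(), "AAAA": set()}
    for host in cnames:
        for addr in known[host]:
            rtype = "AAAA" if ipaddress.ip_address(addr).version == 6 else "A"
            new[rtype].add(addr)
    return {k: sorted(v) for k, v in new.items() if v}, []
```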
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-126.2-Use-A-AAAA-records-instead-of-CNAME-records-in-ipa-c.patch
Type: text/x-patch
Size: 15682 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130415/00bc0832/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-127.2-Delete-DNS-records-in-ipa-ca-on-ipa-csreplica-manage.patch
Type: text/x-patch
Size: 1913 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130415/00bc0832/attachment-0001.bin>