[Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

Simo Sorce ssorce at redhat.com
Fri Apr 12 14:55:17 UTC 2013

----- Original Message -----
> On 04/12/2013 03:50 PM, Petr Viktorin wrote:
> > On 04/12/2013 02:30 PM, Jan Cholasta wrote:
> >> On 12.4.2013 14:19, Petr Viktorin wrote:
> >>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
> >>>> Hi,
> >>>>
> >>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/3547>.
> >>>>
> >>>> Honza
> >>>
> >>> We used short names in the CNAMEs:
> >>>
> >>> $ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
> >>>    Record name: ipa-ca
> >>>    CNAME record: vm-109
> >>> ----------------------------
> >>> Number of entries returned 1
> >>> ----------------------------
> >>>
> >>>
> >>> But it seems the patch assumes a FQDN with a dot at the end. When
> >>> upgrading a 3.1 server I get:
> >>>
> >>> 2013-04-12T12:16:43Z INFO   File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> >>> line 613, in run_script
> >>>      return_value = main_function()
> >>>
> >>>    File "/usr/sbin/ipa-upgradeconfig", line 853, in main
> >>>      add_ca_dns_records()
> >>>
> >>>    File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
> >>>      bind.convert_ipa_ca_cnames(api.env.domain)
> >>>
> >>>    File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
> >>> line 785, in convert_ipa_ca_cnames
> >>>      self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
> >>>
> >>>    File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
> >>> line 772, in add_ipa_ca_dns_records
> >>>      host, zone = fqdn.split(".", 1)
> >>>
> >>> Unexpected error
> >>> ValueError: need more than 1 value to unpack
> >>>
> >>
> >> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
> >>
> >> Updated patch attached.
> > 
> > A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that is
> > the usual way to do load-balancing, which is the recommended setup for big
> > installations.
> > 
> 
> Given that CNAME can only point to one host, I do not know how it can be used
> to load balance.
> 
> The idea with ipa-ca was to contain a number of A records, which would create
> a load balancer to some extent as client software checking the OCSP/CRL would
> run the request against one random A record and thus distribute the load among
> all FreeIPA CAs.
> 
> As A cannot coexist with CNAME, we need to delete it. But it is true that it
> may be a good idea to produce an upgrade warning about it.

We should not delete it.
If the admin consciously changed the A name to a CNAME we should respect that decision.
The problem is on upgrade I guess.
I think on upgrade from 3.1 we just need to document that admins should manually fix the record.
After the upgrade he'll remove the CNAME and instead add an A name pointing to all the CA replicas manually?

Simo.


-- 
Simo Sorce * Red Hat, Inc. * New York
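The traceback quoted earlier in the thread comes from splitting a CNAME target on its first dot without first deciding whether the target is a relative short name (`vm-109`) or an absolute FQDN with a trailing root dot. The following is an added example, not code from the FreeIPA patches under review: it normalizes a target against the zone it was found in, splits it into host and zone with an explicit error for a bare label, and builds the A/AAAA set an `ipa-ca` name would carry. The zone name, host names and addresses are constructed sample data, and `plan_ipa_ca_records` with its `addresses` map is a hypothetical helper; a real implementation would look the CA hosts' addresses up from their own records.

```python
import ipaddress

# Added example (not FreeIPA code): normalize CNAME targets before
# splitting them, which is where the quoted "need more than 1 value to
# unpack" traceback came from.


def normalize_target(target, zone):
    """Return the absolute name (without trailing dot) a record target refers to.

    target: a CNAME target as stored in the zone, either relative ('vm-109')
            or absolute with a trailing root dot ('vm-109.example.test.').
    zone:   the zone the record lives in, e.g. the IPA domain.
    Note the bug shape from the thread: blindly doing target[:-1] on a
    relative name turns 'vm-109' into 'vm-10', which then has no zone part.
    """
    zone = zone.rstrip('.')
    if target.endswith('.'):
        return target[:-1]                  # absolute: just drop the root dot
    return '%s.%s' % (target, zone)         # relative: qualify with the zone


def split_host_zone(fqdn):
    """Split 'host.zone' into ('host', 'zone'), failing clearly for a bare label."""
    parts = fqdn.split('.', 1)
    if len(parts) != 2:
        raise ValueError('%r has no zone part' % fqdn)
    return parts[0], parts[1]


def plan_ipa_ca_records(cname_targets, zone, addresses):
    """Work out the A/AAAA records an 'ipa-ca' name should carry.

    cname_targets: targets of the existing ipa-ca CNAME records, as stored.
    addresses:     {fqdn: [ip, ...]} for the CA hosts (hypothetical input;
                   normally resolved from each host's own A/AAAA records).
    Returns a list of (rtype, ip) tuples, one per address, so that a client
    picking any one of them lands on some CA, as the thread describes.
    """
    records = []
    for target in cname_targets:
        fqdn = normalize_target(target, zone)
        split_host_zone(fqdn)               # raises if the name is unusable
        for ip in addresses.get(fqdn, []):
            rtype = 'AAAA' if ipaddress.ip_address(ip).version == 6 else 'A'
            records.append((rtype, ip))
    return records


# Constructed sample data: one relative and one absolute CNAME target.
SAMPLE_ZONE = 'example.test'
SAMPLE_TARGETS = ['vm-109', 'vm-110.example.test.']
SAMPLE_ADDRESSES = {
    'vm-109.example.test': ['192.0.2.9'],
    'vm-110.example.test': ['192.0.2.10', '2001:db8::10'],
}

if __name__ == '__main__':
    for rtype, ip in plan_ipa_ca_records(SAMPLE_TARGETS, SAMPLE_ZONE,
                                         SAMPLE_ADDRESSES):
        print('ipa-ca %s %s' % (rtype, ip))
```

The split is kept separate from the normalization so the relative-name case is handled once, before any string slicing, rather than patched around in the caller.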