[Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

Petr Viktorin pviktori at redhat.com
Fri Apr 12 13:50:47 UTC 2013


On 04/12/2013 02:30 PM, Jan Cholasta wrote:
> On 12.4.2013 14:19, Petr Viktorin wrote:
>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/3547>.
>>>
>>> Honza
>>
>> We used short names in the CNAMEs:
>>
>> $ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
>>    Record name: ipa-ca
>>    CNAME record: vm-109
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>>
>> But it seems the patch assumes a FQDN with a dot at the end. When
>> upgrading a 3.1 server I get:
>>
>> 2013-04-12T12:16:43Z INFO   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 613, in run_script
>>      return_value = main_function()
>>
>>    File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>      add_ca_dns_records()
>>
>>    File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>      bind.convert_ipa_ca_cnames(api.env.domain)
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 785, in convert_ipa_ca_cnames
>>      self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>
>>    File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 772, in add_ipa_ca_dns_records
>>      host, zone = fqdn.split(".", 1)
>>
>> Unexpected error
>> ValueError: need more than 1 value to unpack
>>
>
> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>
> Updated patch attached.

A question: do we support users that *want* a CNAME in ipa-ca? AFAIK 
that is the usual way to do load-balancing, which is the recommended 
setup for big installations.


With this patch, if there is one, ca-install will fail as it tries to 
add the A record:

$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
   Record name: ipa-ca
   CNAME record: ca.load-balancer.example.com.
$ ipa-ca-install
[...]
ValidationError: invalid 'cnamerecord': Gettext('CNAME record is not 
allowed to coexist with any other record (RFC 1034, section 3.6.2)', 
domain='ipa', localedir=None)

Even if we don't support CNAMEs here, I think we should print a 
big warning in this case rather than fail.



Upgrade state is machine-local, so every time an old master is upgraded, 
any CNAME would get replaced:

$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
   Record name: ipa-ca
   CNAME record: ca.load-balancer.example.com.
----------------------------
Number of entries returned 1
----------------------------
$ sudo ipa-upgradeconfig
...
$ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
   Record name: ipa-ca
   A record: 10.34.47.109
----------------------------
Number of entries returned 1
----------------------------

We should at least highlight this in the release notes, as it deletes 
users' data.


-- 
Petr³
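To make the failure modes discussed in this thread concrete, here is an added example (not FreeIPA's own code, and not the patch under review) that models the ipa-ca record decision: it qualifies CNAME targets whether they are short names like `vm-109` or dotted FQDNs like `ca.load-balancer.example.com.` (the `fqdn.split(".", 1)` crash in the traceback came from assuming the latter), and it refuses to add A/AAAA records next to a CNAME that points outside the IPA masters, returning a warning instead of failing. The `masters` mapping, the `plan_ipa_ca_update` function name and the IPv6 address `2001:db8::109` are assumptions constructed for this example; FreeIPA would look the masters up in LDAP.

```python
import ipaddress

# Added example, not FreeIPA code. It models the ipa-ca record handling
# discussed in the thread: CNAME targets may be short names or FQDNs with a
# trailing dot, and a CNAME must not coexist with A/AAAA records
# (RFC 1034, section 3.6.2).


def qualify(name, zone):
    """Return a fully qualified name without the trailing dot.

    Accepts both forms seen in the thread: "vm-109" (relative to the zone)
    and "ca.load-balancer.example.com." (absolute, trailing dot).
    """
    name = name.rstrip(".")
    if "." not in name:
        return "%s.%s" % (name, zone)
    return name


def split_host_zone(fqdn):
    """Split an FQDN into [host, zone]; rejects a bare label explicitly
    instead of failing inside the tuple unpacking as in the traceback."""
    if "." not in fqdn:
        raise ValueError("expected a fully qualified name, got %r" % fqdn)
    return fqdn.split(".", 1)


def classify_addresses(addresses):
    """Group IP address strings into A and AAAA record values."""
    rrs = {"A": [], "AAAA": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        rrs["A" if ip.version == 4 else "AAAA"].append(str(ip))
    return rrs


def plan_ipa_ca_update(records, zone, masters):
    """Decide what to do with the ipa-ca name in `zone`.

    records: existing RRs for ipa-ca, e.g. {"CNAME": ["vm-109"]}.
    masters: {master_fqdn: [ip, ...]} for the CA masters (hypothetical
             input; FreeIPA would obtain this from LDAP).

    Returns (action, payload):
      ("add",     {"A": [...], "AAAA": [...]})  no CNAME present, safe to add
      ("convert", {"A": [...], "AAAA": [...]})  CNAME points at an IPA master:
                                                 replace it with its addresses
      ("warn",    message)                      CNAME points elsewhere (e.g. a
                                                 load balancer): keep it, warn
    """
    cnames = records.get("CNAME", [])
    if not cnames:
        addrs = [a for ips in masters.values() for a in ips]
        return "add", classify_addresses(addrs)

    targets = [qualify(c, zone) for c in cnames]
    unknown = [t for t in targets if t not in masters]
    if unknown:
        return "warn", (
            "ipa-ca.%s is a CNAME to %s, which is not an IPA master; "
            "leaving it alone because a CNAME cannot coexist with A/AAAA "
            "records (RFC 1034, section 3.6.2)" % (zone, ", ".join(unknown)))

    addrs = [a for t in targets for a in masters[t]]
    return "convert", classify_addresses(addrs)


if __name__ == "__main__":
    zone = "idm.lab.eng.brq.redhat.com"
    # Constructed master list; 2001:db8::109 is a documentation address.
    masters = {"vm-109." + zone: ["10.34.47.109", "2001:db8::109"]}
    # Short-name CNAME from the first report in the thread.
    print(plan_ipa_ca_update({"CNAME": ["vm-109"]}, zone, masters))
    # Load-balancer CNAME from the second report.
    print(plan_ipa_ca_update(
        {"CNAME": ["ca.load-balancer.example.com."]}, zone, masters))
```

The point of the `warn` branch is that an upgrade or `ipa-ca-install` run can report the conflict and leave the administrator's load-balancer CNAME in place, rather than either crashing on the RFC 1034 validation error or silently overwriting the record.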