[Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

Petr Viktorin pviktori at redhat.com
Fri Apr 12 14:09:16 UTC 2013


On 04/12/2013 03:58 PM, Martin Kosek wrote:
> On 04/12/2013 03:50 PM, Petr Viktorin wrote:
>> On 04/12/2013 02:30 PM, Jan Cholasta wrote:
>>> On 12.4.2013 14:19, Petr Viktorin wrote:
>>>> On 04/12/2013 01:24 PM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/3547>.
>>>>>
>>>>> Honza
>>>>
>>>> We used short names in the CNAMEs:
>>>>
>>>> $ ipa dnsrecord-find  idm.lab.eng.brq.redhat.com ipa-ca
>>>>     Record name: ipa-ca
>>>>     CNAME record: vm-109
>>>> ----------------------------
>>>> Number of entries returned 1
>>>> ----------------------------
>>>>
>>>>
>>>> But it seems the patch assumes a FQDN with a dot at the end. When
>>>> upgrading a 3.1 server I get:
>>>>
>>>> 2013-04-12T12:16:43Z INFO   File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>> line 613, in run_script
>>>>       return_value = main_function()
>>>>
>>>>     File "/usr/sbin/ipa-upgradeconfig", line 853, in main
>>>>       add_ca_dns_records()
>>>>
>>>>     File "/usr/sbin/ipa-upgradeconfig", line 752, in add_ca_dns_records
>>>>       bind.convert_ipa_ca_cnames(api.env.domain)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>>> line 785, in convert_ipa_ca_cnames
>>>>       self.add_ipa_ca_dns_records(cname[:-1], domain_name, None)
>>>>
>>>>     File
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>>> line 772, in add_ipa_ca_dns_records
>>>>       host, zone = fqdn.split(".", 1)
>>>>
>>>> Unexpected error
>>>> ValueError: need more than 1 value to unpack
>>>>
>>>
>>> Hmm, in my test setup the CNAMEs contained FQDNs. Fixed.
>>>
>>> Updated patch attached.
>>
>> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK that is
>> the usual way to do load-balancing, which is the recommended setup for big
>> installations.
>>
>
> Given that CNAME can only point to one host, I do not know how it can be used
> to load balance.

The host behind the CNAME can still have multiple A records, and/or the 
record(s) can point to "real" load balancers that distribute traffic to 
several servers, taking into account how busy each one is and excluding 
ones that are down.

From the discussions I'm under the impression that this is the proper 
"big enterprise" solution, which we don't do only because we don't want 
to integrate a load balancer into IPA. That's why I'm asking if/how we 
want to support it.

> The idea with ipa-ca was to contain a number of A records, which would create a
> load balancer to some extent as client software checking the OCSP/CRL would run
> the request against one random A record and thus distribute the load among all
> FreeIPA CAs.
>
> As A cannot coexist with CNAME, we need to delete it. But it is true that it
> may be a good idea to produce an upgrade warning about it.
>
> Martin
>


-- 
Petr³
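The conversion that the quoted traceback shows breaking on a short CNAME target, written out as an added example. This is not FreeIPA's code and not the patch under discussion: the zone table is a constructed in-memory dict standing in for the LDAP/DNS lookups the real installer does, all function and record names are assumptions, and the policy for targets outside the zone (refuse to convert and warn, so a CNAME to an external load balancer survives the upgrade) is a choice made here, not one the thread settled on. It handles both forms seen in the thread, a relative name like `vm-109` and an absolute one with a trailing dot, and reports a CNAME that already coexists with address records, which RFC 1034 section 3.6.2 forbids.

```python
import ipaddress

# Constructed sample zone for the example (not from any real deployment):
# owner name relative to the zone -> rtype -> list of rdata strings.
ZONE = "idm.lab.example.com"
RECORDS = {
    "vm-109": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "vm-110": {"A": ["192.0.2.11"]},
    "ipa-ca": {"CNAME": ["vm-109"]},                         # short name, as in the report
    "ipa-ca-abs": {"CNAME": ["vm-110.idm.lab.example.com."]},  # absolute, trailing dot
    "ipa-ca-ext": {"CNAME": ["lb.corp.example.net."]},       # points outside the zone
}


def normalize_target(target, zone):
    """Return the CNAME target as a lower-case FQDN without trailing dot.

    A trailing dot marks an absolute name; anything else is relative to
    the zone the record lives in.  Stripping the last character blindly
    (cname[:-1] in the traceback) turns "vm-109" into "vm-10".
    """
    zone = zone.rstrip(".").lower()
    target = target.lower()
    if target.endswith("."):
        return target[:-1]
    return "%s.%s" % (target, zone)


def split_host_zone(fqdn, zone):
    """Split an FQDN into (host, zone) by matching the zone suffix.

    Raises ValueError for a name that is not strictly below the zone,
    instead of the "need more than 1 value to unpack" from a bare split.
    """
    fqdn = fqdn.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError("%s is not inside zone %s" % (fqdn, zone))
    return fqdn[:-len(suffix)], zone


def address_records(host, records):
    """Collect (rtype, rdata) for the A and AAAA records of `host`, validating each address."""
    out = []
    for rtype, version in (("A", 4), ("AAAA", 6)):
        for rdata in records.get(host, {}).get(rtype, []):
            addr = ipaddress.ip_address(rdata)
            if addr.version != version:
                raise ValueError("%s record at %s holds %s" % (rtype, host, rdata))
            out.append((rtype, str(addr)))
    return out


def convert_ca_cnames(name, zone, records):
    """Replace the CNAME at `name` with its target's A/AAAA records, in place.

    Returns a list of warning strings.  Nothing is changed when the target
    lies outside the zone (we cannot see its addresses here) or when
    address records already sit next to the CNAME (invalid RRset).
    """
    warnings = []
    rrset = records.get(name)
    if not rrset or "CNAME" not in rrset:
        return warnings
    if "A" in rrset or "AAAA" in rrset:
        warnings.append("%s: CNAME coexists with A/AAAA data (RFC 1034 3.6.2); not converted" % name)
        return warnings
    new = []
    for cname in rrset["CNAME"]:
        fqdn = normalize_target(cname, zone)
        try:
            host, _ = split_host_zone(fqdn, zone)
        except ValueError:
            warnings.append("%s: target %s is outside %s; CNAME kept, convert by hand" % (name, fqdn, zone))
            return warnings
        addrs = address_records(host, records)
        if not addrs:
            warnings.append("%s: target %s has no A/AAAA records" % (name, fqdn))
        new.extend(addrs)
    del rrset["CNAME"]
    for rtype, rdata in new:
        rrset.setdefault(rtype, [])
        if rdata not in rrset[rtype]:
            rrset[rtype].append(rdata)
    return warnings


if __name__ == "__main__":
    for owner in ("ipa-ca", "ipa-ca-abs", "ipa-ca-ext"):
        for w in convert_ca_cnames(owner, ZONE, RECORDS):
            print("WARNING:", w)
        print(owner, RECORDS[owner])
```

The suffix match in `split_host_zone` also protects the case the bare `split(".", 1)` silently gets wrong: a target in a subzone (`host.sub.zone`) would otherwise be split into host `host` and zone `sub.zone`, and the records would be added to the wrong place.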