[Freeipa-devel] [PATCHES] 126-127 Use A/AAAA records instead of CNAME records in ipa-ca

Petr Viktorin pviktori at redhat.com
Mon Apr 15 11:48:27 UTC 2013


On 04/15/2013 12:31 PM, Jan Cholasta wrote:
> On 12.4.2013 16:55, Simo Sorce wrote:
>>
>>
>> ----- Original Message -----
>>> On 04/12/2013 03:50 PM, Petr Viktorin wrote:
>>>> A question: do we support users that *want* a CNAME in ipa-ca? AFAIK
>>>> that is the usual way to do load-balancing, which is the recommended
>>>> setup for big installations.
>>>>
>>>
>>> Given that CNAME can only point to one host, I do not know how it can
>>> be used to load balance.
>>>
>>> The idea with ipa-ca was to contain a number of A records, which would
>>> create a load balancer to some extent as client software checking the
>>> OCSP/CRL would run the request against one random A record and thus
>>> distribute the load among all FreeIPA CAs.
>>>
>>> As A cannot coexist with CNAME, we need to delete it. But it is true
>>> that it may be a good idea to produce an upgrade warning about it.
>>
>> We should not delete it.
>> If the admin consciously changed the A name to a CNAME we should
>> respect that decision.
>> The problem is on upgrade I guess.
>> I think on upgrade from 3.1 we just need to document admins should
>> manually fix the record.
>> After the upgrade he'll remove the CNAME and instead add an A name
>> pointing to all the CA replicas manually ?
>>
>> Simo.
>>
>>
>
> I have changed the patch so that the CNAMEs are replaced with A/AAAA if
> and only if they all point to IPA masters, otherwise a warning is
> printed. Is that OK?

OK with me, patch works well.
ACK unless Simo really wants to always skip the update.

-- 
Petr³
