authorJan Cholasta <jcholast@redhat.com>2013-04-15 12:19:11 +0200
committerMartin Kosek <mkosek@redhat.com>2013-04-15 21:12:36 +0200
commitf684c6d6f8f8cde5689a92cf2b06914c3e3da34c (patch)
tree807412f94d71a20b279fcdb02835fb0d2f46f654 /install
parentddeb1cea5564093799a6352b2c25bda68d971ce3 (diff)
Use A/AAAA records instead of CNAME records in ipa-ca.
https://fedorahosted.org/freeipa/ticket/3547
Diffstat (limited to 'install')
-rw-r--r--install/share/bind.zone.db.template2
-rwxr-xr-xinstall/tools/ipa-ca-install2
-rwxr-xr-xinstall/tools/ipa-replica-manage1
-rw-r--r--install/tools/ipa-upgradeconfig54
4 files changed, 32 insertions, 27 deletions
diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template
index 5ee71d688..6795bb01a 100644
--- a/install/share/bind.zone.db.template
+++ b/install/share/bind.zone.db.template
@@ -26,4 +26,4 @@ _kpasswd._udp IN SRV 0 100 464 $HOST
$OPTIONAL_NTP
; CNAME for IPA CA replicas (used for CRL, OCSP)
-$IPA_CA_CNAME IN CNAME $HOST
+$IPA_CA_RECORD
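Review bot: The comment on the line above the new placeholder still reads `; CNAME for IPA CA replicas (used for CRL, OCSP)`, but per the commit title `$IPA_CA_RECORD` now expands to A/AAAA records, so the template documents a record type it no longer emits. Change it to `; A/AAAA records for IPA CA replicas (used for CRL, OCSP)` so the next person editing the zone template is not misled into expecting a single alias. Since the whole line is now a substitution, an empty expansion (presumably when no CA is configured) leaves a blank line in the generated zone rather than a record; BIND tolerates that, but it is worth confirming the substitution never yields a partial record.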
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index f8f7e1d5d..2ebce60c2 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -85,7 +85,7 @@ def install_dns_records(config, options):
try:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=config.dirman_password)
- bind.add_ipa_ca_cname(config.host_name, config.domain_name)
+ bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
finally:
if api.Backend.ldap2.isconnected():
api.Backend.ldap2.disconnect()
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 956fb2f14..8ab4dc547 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -718,6 +718,7 @@ def del_master(realm, hostname, options):
api.Backend.ldap2.connect(ccache=ccache)
bind = bindinstance.BindInstance()
bind.remove_master_dns_records(hostname, realm, realm.lower())
+ bind.remove_ipa_ca_dns_records(hostname, realm.lower())
except Exception, e:
print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
print "You may need to manually remove them from the tree"
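Review bot: The new `bind.remove_ipa_ca_dns_records(hostname, realm.lower())` passes the lowercased Kerberos realm as the DNS domain, while the add side in ipa-ca-install uses `config.domain_name`; IPA does not require the domain to equal the lowercased realm, so on such a deployment the removal would look in the wrong zone and leave an ipa-ca A/AAAA record pointing at the decommissioned master. Passing the configured domain (presumably `api.env.domain`, which this script already has via `api`) would mirror the adder; the preceding `remove_master_dns_records` line makes the same assumption, so both should change together. Because the enclosing `except Exception` only prints a warning, a leftover record silently keeps CRL/OCSP clients resolving ipa-ca to a host that no longer serves the CA, which deserves an explicit mention in the message. The enclosing del_master begins outside this hunk.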
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c690544fa..dbbffe321 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -727,31 +727,35 @@ def migrate_crl_publish_dir(ca):
'request pki-ca restart')
return True
-def add_server_cname_records():
- root_logger.info('[Add missing server CNAME records]')
+def add_ca_dns_records():
+ root_logger.info('[Add missing CA DNS records]')
- if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError, e:
- root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
- else:
- ret = api.Command['dns_is_enabled']()
- if not ret['result']:
- root_logger.info('DNS is not configured')
- sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
- return
-
- bind = bindinstance.BindInstance()
- # DNS is enabled, so let bindinstance find out if CA is enabled
- # and let it add the CNAME in that case
- bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
- sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
- finally:
- if api.Backend.ldap2.isconnected():
- api.Backend.ldap2.disconnect()
- else:
- root_logger.info('IPA CA CNAME already processed')
+ if sysupgrade.get_upgrade_state('dns', 'ipa_ca_records'):
+ root_logger.info('IPA CA DNS records already processed')
+ return
+
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError, e:
+ root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
+ return
+
+ ret = api.Command['dns_is_enabled']()
+ if not ret['result']:
+ root_logger.info('DNS is not configured')
+ sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
+ return
+
+ bind = bindinstance.BindInstance()
+
+ bind.convert_ipa_ca_cnames(api.env.domain)
+
+ # DNS is enabled, so let bindinstance find out if CA is enabled
+ # and let it add the record in that case
+ bind.add_ipa_ca_dns_records(api.env.host, api.env.domain,
+ ca_configured=None)
+
+ sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
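Review bot: The rewrite of add_ca_dns_records drops the old `finally:` that disconnected ldap2: after `api.Backend.ldap2.connect(autobind=True)` the new code returns early on the `dns_is_enabled` branch and otherwise runs off the end with the connection still open, and an exception from `convert_ipa_ca_cnames` or `add_ipa_ca_dns_records` now propagates into main() without the cleanup the removed version performed. Wrap everything after the successful connect in a try/finally so the autobind connection is always released, regardless of which path is taken. The early `return` after the connection error is fine, since nothing was opened. main() starts at the end of this hunk and continues outside it.
```python
    try:
        # … unchanged: dns_is_enabled check, convert_ipa_ca_cnames,
        #     add_ipa_ca_dns_records and the set_upgrade_state call,
        #     indented one level …
    finally:
        if api.Backend.ldap2.isconnected():
            api.Backend.ldap2.disconnect()
```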
def main():
"""
@@ -845,7 +849,7 @@ def main():
cleanup_kdc(fstore)
setup_firefox_extension(fstore)
- add_server_cname_records()
+ add_ca_dns_records()
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
changed_gssapi_conf = named_update_gssapi_configuration()