As admin, I want DNS locations to apply to ipa-ca so that I can control which CA is contacted by a given client for OCSP.
I find that FreeIPA’s DNS location feature applies only to SRV records, and not the A records associated with ipa-ca.
It would be convenient if location-specific A records were returned for ipa-ca. This is important because firewalls might mean that only the local CA is reachable by a particular client. It turns out that sss_ssh_authorizedkeys copes badly when it can't perform OCSP against whichever CA it tries (see https://pagure.io/SSSD/sssd/issue/3922), and at the moment it's choosing one at random.
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-client-4.6.4-10.el7.centos.x86_64
389-ds-base-1.3.8.4-18.el7_6.x86_64
pki-ca-10.5.9-6.el7.noarch
krb5-server-1.15.1-34.el7.x86_64
This is not possible. IPA's DNS location feature only works for DNS record types that support priority, e.g. SRV and URI record types. ipa-ca is an A or AAAA record. These record types are an unordered set and do not support prioritization. Clients can pick any entry, typically in round robin.
It might be possible to add location specific A records, but these would only contain entries from one location. You then have to override the OCSP responder address manually. It's possible in Apache. I'm not sure if SSSD supports it, too.
SSLOCSPDefaultResponder "http://ipa-ca.dc1._location.ipa.example/ca/ocsp"
SSLOCSPOverrideResponder on
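To illustrate the distinction the reply above draws between priority-bearing SRV records and the plain A record set behind ipa-ca, here is an added example that is not part of the ticket or of FreeIPA's code. The hostnames, addresses and priority values are constructed for the illustration (IPA's location-specific SRV records rank local servers ahead of remote ones; the exact numbers here are assumptions).

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    target: str


# Constructed sample data: location-specific SRV sets in which servers of the
# client's own location carry a lower (better) priority than remote ones.
LOCATION_SRV = {
    "dc1": [SRV(0, 100, "ipa1.dc1.ipa.example."),
            SRV(50, 100, "ipa1.dc2.ipa.example.")],
    "dc2": [SRV(0, 100, "ipa1.dc2.ipa.example."),
            SRV(50, 100, "ipa1.dc1.ipa.example.")],
}
# ipa-ca is an A record set: one address per CA, no priority or location.
IPA_CA_A = ["192.0.2.10", "198.51.100.10"]  # constructed addresses


def pick_srv(records, rng=random):
    """RFC 2782 selection: lowest priority tier wins; weight breaks ties."""
    best = min(r.priority for r in records)
    tier = [r for r in records if r.priority == best]
    weights = [r.weight for r in tier]
    if sum(weights) == 0:          # all-zero weights: treat as equal
        weights = [1] * len(tier)
    return rng.choices(tier, weights=weights, k=1)[0]


def pick_a(records, rng=random):
    """A/AAAA sets are unordered: any address may be chosen."""
    return rng.choice(records)


def srv_choices(location, trials, seed=1):
    """Set of SRV targets a client in `location` ends up with over `trials`."""
    rng = random.Random(seed)
    return {pick_srv(LOCATION_SRV[location], rng).target for _ in range(trials)}


def a_choices(trials, seed=1):
    """Set of ipa-ca addresses a client ends up with over `trials`."""
    rng = random.Random(seed)
    return {pick_a(IPA_CA_A, rng) for _ in range(trials)}
```

Over many lookups, the SRV path always lands on the local server while the ipa-ca A set spreads across every CA, which is why a firewall that blocks the remote CA breaks OCSP for some fraction of requests.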