#7846 DNS locations for ipa-ca
Opened 4 months ago by mavit. Modified 2 months ago

Request for enhancement

As admin, I want DNS locations to apply to ipa-ca so that I can control which CA is contacted by a given client for OCSP.

Issue

I find that FreeIPA’s DNS location feature applies only to SRV records, and not the A records associated with ipa-ca.

It would be convenient if location-specific A records were returned for ipa-ca. This is important because firewalls might mean that only the local CA is reachable by a particular client. It turns out that sss_ssh_authorizedkeys copes badly when it can’t perform OCSP against whichever CA it tries (see https://pagure.io/SSSD/sssd/issue/3922), and at the moment it's choosing one at random.

Version/Release/Distribution

ipa-server-4.6.4-10.el7.centos.x86_64
ipa-client-4.6.4-10.el7.centos.x86_64
389-ds-base-1.3.8.4-18.el7_6.x86_64
pki-ca-10.5.9-6.el7.noarch
krb5-server-1.15.1-34.el7.x86_64
This is not possible. IPA's DNS location feature only works for DNS record types that support priority, e.g. SRV and URI record types. ipa-ca is an A or AAAA record. These record types are an unordered set and do not support prioritization. Clients can pick any entry, typically in round robin.

It might be possible to add location specific A records, but these would only contain entries from one location. You then have to override the OCSP responder address manually. It's possible in Apache. I'm not sure if SSSD supports it, too.

SSLOCSPDefaultResponder "http://ipa-ca.dc1._location.ipa.example/ca/ocsp"
SSLOCSPOverrideResponder on
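Added example (not from this ticket or FreeIPA's code) illustrating the point above: RFC 2782 SRV selection honours the priority field that DNS locations set, while an A RRset for ipa-ca has no such field and any address is an equally valid pick. Record names, addresses and weights are constructed.

```python
import random

# Constructed sample records (not real FreeIPA data). A location-aware SRV
# RRset marks the client's own location with the lowest priority value; the
# ipa-ca A RRset is just a set of addresses with no such field.
SRV_LDAP_DC1 = [  # (priority, weight, port, target)
    (0, 100, 389, "ipa1.dc1.ipa.example."),
    (0, 100, 389, "ipa2.dc1.ipa.example."),
    (50, 100, 389, "ipa1.dc2.ipa.example."),
]
A_IPA_CA = ["192.0.2.10", "192.0.2.11", "198.51.100.10"]


def order_srv(records, rng=random):
    """Return SRV targets in RFC 2782 selection order.

    Lowest priority first; within one priority, targets are drawn by
    weighted random choice. Local-location servers therefore always
    come before remote ones, whatever the random draw.
    """
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)  # RFC 2782: random in [0, total]
            running = 0
            for r in pool:
                running += r[1]
                if running >= pick:
                    ordered.append(r[3])
                    pool.remove(r)
                    break
    return ordered


def pick_a(addresses, rng=random):
    """An A RRset carries no priority, so any address is equally valid;
    clients (or rotating resolvers) end up with an arbitrary CA."""
    return rng.choice(addresses)


def local_first(ordered, local_suffix):
    """True when every local-location target precedes every remote one."""
    flags = [t.endswith(local_suffix) for t in ordered]
    return flags == sorted(flags, reverse=True)


if __name__ == "__main__":
    print("SRV order:", order_srv(SRV_LDAP_DC1), "A pick:", pick_a(A_IPA_CA))
```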
