Hi,

The command ipa dns-update-system-records can be used to add the missing records. If you'd rather add them manually, the command can be run with the --dry-run option and will display the expected records but will not perform any update.

flo

On Thu, Mar 31, 2022 at 2:26 PM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> What is 'ipa-ca' for and what should it point to?
> Also, should IPA change that record ever?
>
> Reason I ask - from the docs as I understand - it should point to all CA
> servers in the domain, but it's not happening.

It is a generic name for the CAs initially for the OCSP and CRL
endpoints. If a fixed hostname was stored there then if/when that server
disappears, no more resolving OCSP.

It is also used for ACME as a generic name that can be used across your
infra.

I suppose it's possible that you may have some old enough servers that
predate the ipa-ca name. I have a faint memory that servers marked as
HIDDEN also don't have this entry.

It's fine to manually add the missing record in this case. IIRC there is
no task to seek out all CAs and add them.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure