On 2020-08-01 14:09:53 +0000 (+0000), Jeremy Stanley wrote: [...]
> The cleanest solution is probably going to be separating the review.opendev.org service name from the system's FQDN in DNS. This way we could avoid publishing SSHFP RRs for the service name (or better still, publish different SSHFP RRs), but that means we'll need to separate out the ACME glue for DNS based X.509 cert renewals. That would likely not be too hard if we can just stop putting review01.opendev.org as one of the subject altnames. [...]
Clark just reminded me in the #opendev IRC channel that we already serve separate _acme-challenge.review and _acme-challenge.review01 CNAMEs to our acme zone, so nothing actually needs to change with SSL cert renewal verification. We can just replace the review CNAME with A/AAAA, copy the two CAA RRs from review01 to review, and generate the six new SSHFP RRs for the Gerrit API associated with the review hostname. -- Jeremy Stanley
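As an added illustration, not part of the mailing-list message or of OpenDev's tooling, the following Python script shows where the "six new SSHFP RRs" come from (three host key types, each published with a SHA-1 and a SHA-256 fingerprint) and performs the client-side check that `VerifyHostKeyDNS` relies on: the presented host key's fingerprint must equal a published record of the same algorithm and fingerprint type. The owner name `review.opendev.org.` is taken from the thread; the host keys are constructed dummies with valid wire encoding, not OpenDev's key material.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, List

# Algorithm and fingerprint-type numbers from the SSHFP registry
# (RFC 4255 RSA/DSA, RFC 6594 ECDSA and SHA-256, RFC 7479 Ed25519).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class SSHFP:
    owner: str
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex digest of the raw public-key blob

    def __str__(self) -> str:
        return f"{self.owner} IN SSHFP {self.algorithm} {self.fptype} {self.fingerprint}"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (sign bit kept clear)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def parse_pubkey_line(line: str):
    """Parse an OpenSSH public key line ('<type> <base64> [comment]') into (type, blob)."""
    keytype, blob_b64 = line.split()[:2]
    blob = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type prefix does not match the wire blob")
    return keytype, blob


def sshfp_records(owner: str, pubkey_line: str) -> List[SSHFP]:
    """Both SSHFP RRs (SHA-1 and SHA-256) for one host key; the digest is over the raw blob."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    algorithm = SSHFP_ALGORITHMS[keytype]
    return [
        SSHFP(owner, algorithm, fptype, digest(blob).hexdigest())
        for fptype, digest in sorted(SSHFP_FPTYPES.items())
    ]


def zone_sshfp(owner: str, pubkey_lines: Iterable[str]) -> List[SSHFP]:
    """All SSHFP RRs for a host: three key types x two fingerprint types = six records."""
    return [rr for line in pubkey_lines for rr in sshfp_records(owner, line)]


def host_key_matches(pubkey_line: str, published: Iterable[SSHFP]) -> bool:
    """Client-side check: presented key must match a published RR of the same
    algorithm and fingerprint type (what a resolver-validating SSH client does)."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    algorithm = SSHFP_ALGORITHMS[keytype]
    for rr in published:
        if rr.algorithm == algorithm and rr.fptype in SSHFP_FPTYPES:
            if SSHFP_FPTYPES[rr.fptype](blob).hexdigest() == rr.fingerprint.lower():
                return True
    return False


# Constructed dummy host keys: valid wire encoding, not real key material.
def make_ed25519_pubkey_line(point: bytes) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def _dummy_rsa() -> str:
    n = int.from_bytes(b"\x7f" + bytes(range(255)), "big")  # dummy modulus
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def _dummy_ecdsa() -> str:
    point = b"\x04" + bytes(range(64))  # uncompressed-point framing, dummy coordinates
    blob = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(point)
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode()


CONSTRUCTED_HOST_KEYS = {
    "ssh-rsa": _dummy_rsa(),
    "ecdsa-sha2-nistp256": _dummy_ecdsa(),
    "ssh-ed25519": make_ed25519_pubkey_line(bytes(range(32))),
}

if __name__ == "__main__":
    for rr in zone_sshfp("review.opendev.org.", CONSTRUCTED_HOST_KEYS.values()):
        print(rr)
```

Feeding the real host keys into `zone_sshfp` gives the same output as `ssh-keygen -r` on the host; the point of publishing the records under the service name rather than the machine's FQDN is that `host_key_matches` then checks the key of whatever backs `review.opendev.org` today, and a later host move only requires changing those RRs.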