A SOA RNAME has the "@" replaced by a ".". Since the user part of an email address can contain dots, a dot is escaped as "\.". The output of dnszone commands strips any backslash escape from the admin email addresses.
ipa dnszone-mod --admin-email admin.1@ipa.test. ipa.test.
Zone name: ipa.test.
Active zone: TRUE
Authoritative nameserver: master.ipa.test.
Administrator e-mail address: admin.1.ipa.test
...
Administrator e-mail address: admin\.1.ipa.test
freeipa-server-4.7.0-3.fc29.x86_64
The SOA required for the zone is correct:
ipa.test. 86400 IN SOA master.ipa.test. admin\.1.ipa.test. 1540217518 3600 900 1209600 3600
The bug is in the DNSName class:
>>> import ipapython.dnsutil
>>> str(ipapython.dnsutil.DNSName(r'admin\.1.example.org'))
admin.1.example.org
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.7.2 (was: 0.0 NEEDS_TRIAGE)
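The RNAME escaping rule described in the report above, as an added example that is not part of the original issue or of FreeIPA's code. The function names are hypothetical and only backslash-character escapes are handled; it shows why a display form with the escape stripped maps back to a different mailbox.

```python
import re

# Added example; function names are hypothetical, sample names come from the issue.
# Assumption: only backslash-character escapes (such as \.) are handled; \DDD is rejected.

def split_labels(name):
    """Split a presentation-format DNS name on unescaped dots only."""
    labels, cur, i = [], "", 0
    while i < len(name):
        if name[i] == "\\":
            if i + 1 >= len(name) or name[i + 1].isdigit():
                raise ValueError("unsupported escape in %r" % name)
            cur += name[i:i + 2]          # keep the escape pair inside the label
            i += 2
        elif name[i] == ".":
            labels.append(cur)
            cur = ""
            i += 1
        else:
            cur += name[i]
            i += 1
    labels.append(cur)
    return labels

def email_to_rname(email):
    """admin.1@ipa.test. -> admin\\.1.ipa.test. (dots in the user part escaped)."""
    local, at, domain = email.rpartition("@")
    if not (at and local and domain):
        raise ValueError("not a mailbox: %r" % email)
    local = local.replace("\\", "\\\\").replace(".", "\\.")
    return local + "." + domain.rstrip(".") + "."

def rname_to_email(rname):
    """First label is the user part; the remaining labels are the mail domain."""
    labels = split_labels(rname)
    if labels and labels[-1] == "":       # trailing dot of an absolute name
        labels.pop()
    if len(labels) < 2 or "" in labels:
        raise ValueError("not an RNAME: %r" % rname)
    user = re.sub(r"\\(.)", r"\1", labels[0])
    return user + "@" + ".".join(labels[1:])

if __name__ == "__main__":
    escaped = email_to_rname("admin.1@ipa.test.")
    print(escaped, "->", rname_to_email(escaped))
    stripped = "admin.1.ipa.test."        # the form shown once the escape is lost
    print(stripped, "->", rname_to_email(stripped))
```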
To clarify, I don't think it's a bug in dnspython. Either it's a problem in FreeIPA's custom DNSName class or a wrong usage of FreeIPA's DNSName class:
>>> import ipapython.dnsutil
>>> ipapython.dnsutil.DNSName(r'admin\.1.example.org.')
<DNS name admin.1.example.org.>
>>> import dns.name
>>> dns.name.from_text(r'admin\.1.example.org.')
<DNS name admin\.1.example.org.>
@cheimes: the difference you mentioned is due to the reimplementation of the str method in dnsutil.DNSName. The original Name uses to_text and DNSName uses to_unicode.
>>> import ipapython.dnsutil
>>> ipapython.dnsutil.DNSName(r'admin\.1.example.org.').to_text()
'admin\\.1.example.org.'
>>> ipapython.dnsutil.DNSName(r'admin\.1.example.org.').to_unicode()
'admin.1.example.org.'
>>> str(ipapython.dnsutil.DNSName(r'admin\.1.example.org.'))
'admin.1.example.org.'
>>> import dns.name
>>> dns.name.from_text(r'admin\.1.example.org.').to_text()
'admin\\.1.example.org.'
>>> dns.name.from_text(r'admin\.1.example.org.').to_unicode()
'admin.1.example.org.'
>>> str(dns.name.from_text(r'admin\.1.example.org.'))
'admin\\.1.example.org.'
to_text() makes an explicit _escapify of labels, and to_unicode() was doing it implicitly via _idna_decode, but after the refactoring in https://github.com/rthalley/dnspython/commit/b6d6dba31ff06ccb714cc2a11b73933a4124efb7#diff-c613cb5670c65b9a12619bf4dc5d8438R495 labels are not escaped -- I think it is a bug.
ipa dns-show uses str method to display name.
But I discovered that we are hitting [possibly] another bug, at least in another place: in https://github.com/freeipa/freeipa/blob/87474cc1a3a2782088a78f56c9267109f1fd5b8c/ipalib/rpc.py#L1242 we receive a response with an unescaped SOA name:
... "idnssoarname": [{"__dns_name__": "admin.1.ipa.test."}] ...
Sergey reported the issue upstream in https://github.com/rthalley/dnspython/issues/339. It was fixed in commit https://github.com/rthalley/dnspython/commit/c76aa6ac9969447220c8e807aa1e5640a6c12924
The upstream fix is too large to integrate it into IPA. I filed a downstream bug for the python-dns package in Fedora, https://bugzilla.redhat.com/show_bug.cgi?id=1674610
Metadata Update from @cheimes: - Custom field external_tracker adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1674610
python-dns-1.16.0-1.fc30 has been pushed to the Fedora 30 testing repository.
The problem will be automatically fixed by new versions of python3-dns:
python3-dns-1.16.0-7.fc31.noarch
python3-dns-1.16.0-7.fc30.noarch
The updates are currently in testing and will land in stable in the next couple of days. There are no additional changes in IPA required.