The UI has a nice start at helping folks who might not understand how to set up reverse map domains. But it gives a false sense of security when the CIDR boundaries are not multiples of 8 bits. To wit: I use /22s quite a bit, and setting up reverse maps was tricky. Creating 10.10.0.0/22 did not do the right thing when I also created 10.10.4.0/22 as a forward zone.
https://tools.ietf.org/html/rfc2317 is helpful as a best practice. Ideally, the UI would follow such a pattern (there are several) for reverse maps. Until then, a warning is probably in order when there are overlaps. It may be I didn't get a warning because the overlap was between forward and authoritative zones.
The 10.10.0.0/22 is effectively created as 10.10.0.0/16, overriding lookups on zones that were not intended to be overlapping.
It would be great if users could infer that there is no actual magic going on and what they were asking for (bitmasks that are not modulo 8 basically need rfc2317). It would be even better if rfc2317 was managed automatically.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
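The octet-boundary effect described in this report, as an added example that is not part of the original ticket and not FreeIPA code: in-addr.arpa labels are whole octets, so a /22 either rounds down to one /16 zone that also answers for its neighbours, or rounds up to four /24 zones. All function names are hypothetical, and the sample networks are the ones from the report plus one constructed control.

```python
import ipaddress

def _net(cidr):
    """Parse an IPv4 CIDR; only /8../24 map onto octet-aligned zones here."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or not 8 <= net.prefixlen <= 24:
        # Prefixes longer than /24 need RFC 2317 style delegation instead.
        raise ValueError(f"{cidr}: expected an IPv4 prefix between /8 and /24")
    return net

def zone_name(net):
    """in-addr.arpa name of an octet-aligned network (/8, /16 or /24)."""
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def covering_zone(cidr):
    """Round the prefix DOWN to an octet boundary: one zone that contains
    the network, and everything else under the same label."""
    net = _net(cidr)
    return net.supernet(new_prefix=net.prefixlen // 8 * 8)

def exact_zones(cidr):
    """Round the prefix UP to an octet boundary: the zones that cover the
    requested network and nothing more."""
    net = _net(cidr)
    rounded_up = -(-net.prefixlen // 8) * 8
    return [zone_name(s) for s in net.subnets(new_prefix=rounded_up)]

def shadowed(cidr, others):
    """Networks in `others` whose reverse lookups would land in the
    rounded-down zone created for `cidr`."""
    cover, target = covering_zone(cidr), _net(cidr)
    return [o for o in others
            if _net(o) != target and _net(o).subnet_of(cover)]

if __name__ == "__main__":
    requested = "10.10.0.0/22"                    # from the report
    neighbours = ["10.10.4.0/22", "10.11.0.0/22"]  # second one is constructed
    cover = covering_zone(requested)
    print("rounded down:", cover, "->", zone_name(cover))
    print("shadows     :", shadowed(requested, neighbours))
    print("exact zones :", exact_zones(requested))
```
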
@briantopping could you please provide httpd's error_log for the session where you were creating the zones? This will help to see what requests the Web UI issued.