#7913 Reverse zones accept CIDR notation but generate on classful boundaries
Opened 3 months ago by briantopping. Modified 3 months ago

Issue

The UI has a nice start at helping folks who might not understand how to set up reverse map domains. But it gives a false sense of security when the CIDR boundaries are not multiples of 8 bits. To wit: I use /22s quite a bit, and setting up reverse maps was tricky. Creating 10.10.0.0/22 did not do the right thing when I also created 10.10.4.0/22 as a forward zone.

https://tools.ietf.org/html/rfc2317 is helpful as a best practice. Ideally, the UI would follow such a pattern (there are several) for reverse maps. Until then, a warning is probably in order when there are overlaps. It may be I didn't get a warning because the overlap was between forward and authoritative zones.

Steps to Reproduce

  1. Create a DNS reverse map zone in the UI for 10.10.0.0/22
  2. Create a reverse map forwarding zone for 10.10.4.0/22
  3. Query both zones for an entry, the forward zone is unlikely to work

Actual behavior

The 10.10.0.0/22 is effectively created as 10.10.0.0/16, overriding lookups on zones that were not intended to be overlapping.

Expected behavior

It would be great if users could infer that there is no actual magic going on and what they were asking for (bitmasks that are not modulo 8 basically need rfc2317). It would be even better if rfc2317 was managed automatically.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.4-10.el7.centos.3.x86_64
ipa-client-4.6.4-10.el7.centos.3.x86_64
389-ds-base-1.3.8.4-23.el7_6.x86_64
pki-ca-10.5.9-13.el7_6.noarch
krb5-server-1.15.1-37.el7_6.x86_64
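The behaviour described under "Actual behavior" and the zone layout asked for under "Expected behavior", as an added example that is not FreeIPA code: a small Python helper that (a) mirrors the classful rounding the report describes, assumed here to be rounding the prefix down to whole octets, (b) computes the octet-aligned reverse zones that cover a CIDR without overlap, splitting into plain /8, /16 or /24 zones for prefixes of /24 or shorter and using an RFC 2317 style "first-last" label in the parent /24 zone for longer prefixes, and (c) flags overlapping zone names, which is the warning the report asks for. The 10.10.0.0/22 and 10.10.4.0/22 inputs are the ones from the report; the function names are mine.

```python
import ipaddress


def _reverse_labels(addr, octets):
    """Reverse the first `octets` octets of a dotted-quad address."""
    labels = str(addr).split(".")[:octets]
    return ".".join(reversed(labels)) + ".in-addr.arpa."


def classful_reverse_zone(cidr):
    """Reverse zone name a naive classful conversion produces.

    Assumed behaviour (mirrors the report, not FreeIPA's actual code):
    the prefix length is rounded DOWN to a whole number of octets, so
    10.10.0.0/22 is treated like 10.10.0.0/16 -> 10.10.in-addr.arpa.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    return _reverse_labels(net.network_address, net.prefixlen // 8)


def covering_reverse_zones(cidr):
    """Octet-aligned reverse zones that exactly cover `cidr`, no overlap.

    Prefix /24 or shorter: round the prefix UP to 8/16/24 bits and emit
    one zone per aligned block (a /22 becomes four /24 zones).
    Prefix longer than /24: a single RFC 2317 style delegation label of
    the form first-last.<parent /24 zone>, to be delegated from that parent.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("IPv4 prefix of /1 to /32 expected")
    if net.prefixlen <= 24:
        target = -(-net.prefixlen // 8) * 8  # ceiling to a multiple of 8
        return [
            _reverse_labels(sub.network_address, target // 8)
            for sub in net.subnets(new_prefix=target)
        ]
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    parent = _reverse_labels(net.network_address, 3)
    return ["%d-%d.%s" % (first, last, parent)]


def find_overlaps(zones):
    """Pairs of zone names where one equals or lies beneath the other."""
    overlaps = []
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if a == b or a.endswith("." + b) or b.endswith("." + a):
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    # The two prefixes from the report: the classful conversion collapses
    # both onto the same /16 zone, so the second silently shadows the first.
    naive = [classful_reverse_zone("10.10.0.0/22"),
             classful_reverse_zone("10.10.4.0/22")]
    print("classful:", naive, "overlaps:", find_overlaps(naive))
    # The covering sets are disjoint /24 zones, which is what the reporter
    # would have needed to create by hand.
    covering = covering_reverse_zones("10.10.0.0/22") + \
        covering_reverse_zones("10.10.4.0/22")
    print("covering:", covering, "overlaps:", find_overlaps(covering))
    print("rfc2317 /26:", covering_reverse_zones("192.0.2.64/26"))
```

Running it shows both /22s mapping to `10.10.in-addr.arpa.` under the classful conversion (an overlap a UI could warn about), while the covering form yields `0.10.10` through `7.10.10.in-addr.arpa.` with no overlap.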


@briantopping could you please provide httpd's error_log for the session where you were creating the zones? This will help to see what requests the Web UI issued.

