The UI has a nice start at helping folks who might not understand how to set up reverse map domains. But it gives a false sense of security when the CIDR boundaries are not multiples of 8 bits. To wit: I use /22s quite a bit, and setting up reverse maps was tricky. Creating 10.10.0.0/22 did not do the right thing when I also created 10.10.4.0/22 as a forward zone.
https://tools.ietf.org/html/rfc2317 is helpful as a best practice. Ideally, the UI would follow such a pattern (there are several) for reverse maps. Until then, a warning is probably in order when there are overlaps. It may be that I didn't get a warning because the overlap was between forward and authoritative zones.
The 10.10.0.0/22 is effectively created as 10.10.0.0/16, overriding lookups on zones that were not intended to be overlapping.
It would be great if users could infer that there is no actual magic going on and what they were asking for (bitmasks that are not modulo 8 basically need rfc2317). It would be even better if rfc2317 were managed automatically.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.4-10.el7.centos.3.x86_64
ipa-client-4.6.4-10.el7.centos.3.x86_64
389-ds-base-1.3.8.4-23.el7_6.x86_64
pki-ca-10.5.9-13.el7_6.noarch
krb5-server-1.15.1-37.el7_6.x86_64
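The following is an added worked example, not code from this ticket or from FreeIPA, showing what the report is getting at: a /22 does not map to one in-addr.arpa zone but to four /24 zones, a prefix longer than /24 needs the RFC 2317 sub-zone plus CNAMEs, and rounding the prefix down to an octet boundary produces a /16 zone that shadows the neighbouring /22. The `naive_reverse_zone` function is an assumption that models the behaviour the report describes, not FreeIPA's actual implementation, and the `first-last` sub-zone name is one of the separator conventions RFC 2317 mentions.

```python
import ipaddress


def naive_reverse_zone(cidr):
    """Reverse zone obtained by rounding the prefix DOWN to an octet boundary.

    For 10.10.0.0/22 this is 10.10.in-addr.arpa., i.e. the whole /16: the
    overbroad zone the report describes.  Assumed model of that behaviour,
    not FreeIPA's code.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    octets = net.network_address.exploded.split(".")
    keep = net.prefixlen // 8
    return ".".join(reversed(octets[:keep])) + ".in-addr.arpa."


def reverse_zones(cidr):
    """in-addr.arpa zone names that cover exactly the given IPv4 block.

    A /8, /16 or /24 maps to one zone.  A prefix between octet boundaries
    (e.g. /22) is split into the octet-aligned blocks it contains, one zone
    each, so neighbouring /22s never shadow one another.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 8 <= net.prefixlen <= 24:
        raise ValueError("expected an IPv4 block between /8 and /24")
    boundary = -(-net.prefixlen // 8) * 8        # round UP to 8, 16 or 24
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        octets = sub.network_address.exploded.split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return zones


def rfc2317_delegation(cidr):
    """Classless reverse delegation for a block smaller than a /24 (RFC 2317).

    Returns (parent_zone, sub_zone, cnames): the enclosing /24 zone, the
    'first-last' sub-zone that actually holds the PTR records, and the CNAME
    records the parent zone must carry to point each address into it.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("expected an IPv4 block between /25 and /32")
    parent = reverse_zones(str(net.supernet(new_prefix=24)))[0]
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    sub_zone = f"{first}-{last}.{parent}"
    cnames = [(f"{h}.{parent}", f"{h}.{sub_zone}") for h in range(first, last + 1)]
    return parent, sub_zone, cnames


def zones_overlap(zone_a, zone_b):
    """True when one zone name equals or is an ancestor of the other, i.e.
    the kind of overlap the report says the UI should warn about."""
    return (zone_a == zone_b
            or zone_a.endswith("." + zone_b)
            or zone_b.endswith("." + zone_a))


if __name__ == "__main__":
    # Constructed inputs taken from the report: two adjacent /22s.
    for cidr in ("10.10.0.0/22", "10.10.4.0/22"):
        print(cidr, "->", reverse_zones(cidr))
    naive = naive_reverse_zone("10.10.0.0/22")
    print("naive zone for 10.10.0.0/22:", naive)
    print("shadows 10.10.4.0/22?",
          any(zones_overlap(naive, z) for z in reverse_zones("10.10.4.0/22")))
    parent, sub, cnames = rfc2317_delegation("192.0.2.0/25")
    print(parent, sub, cnames[0])
```

Running it shows that the proper zones for 10.10.0.0/22 and 10.10.4.0/22 are disjoint, while the octet-truncated zone 10.10.in-addr.arpa. is an ancestor of every zone the second /22 needs, which is exactly the shadowing described above.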
@briantopping could you please provide httpd's error_log for the session where you were creating the zones? This will help to see what requests the Web UI issued.