#7913 Reverse zones accept CIDR notation but generate on classful boundaries
Opened a month ago by briantopping. Modified a month ago


The UI has a nice start at helping folks who might not understand how to set up reverse map domains. But it gives a false sense of security when the CIDR boundaries are not multiples of 8 bits. To wit: I use /22s quite a bit, setting up reverse maps was tricky. Creating did not do the right thing when I also created as a forward zone.

https://tools.ietf.org/html/rfc2317 is helpful as a best practice. Ideally, the UI would follow such a pattern (there are several) for reverse maps. Until then, a warning is probably in order when there are overlaps. It may be I didn't get a warning because the overlap was between forward and authoritative zones.

Steps to Reproduce

  1. Create a DNS reverse map zone in the UI for
  2. Create a reverse map forwarding zone for
  3. Query both zones for an entry, the forward zone is unlikely to work

Actual behavior

The is effectively created as, overriding lookups on zones that were not intended to be overlapping.

Expected behavior

It would be great users could infer that there is no actual magic going on and what they were asking for (bitmasks that are not modulo 8 basically need rfc2317). It would be even better if rfc2317 was managed automatically.


$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed

@briantopping could you please provide httpd's error_log for the session where you were creating the zones? This will help to see what requests did Web UI issue.

Login to comment on this ticket.