#7936 172.16.0.0/12 reverse IP zone incorrectly fails reverse ip overlap check
Opened 7 months ago by hcoin. Modified 3 months ago

Issue

IPv4 address block 172.16.0.0/12 is a private, non-routable address range. Adding any address within that range should pass the overlap checks. However, attempting to add one causes a complaint about overlap and then a command failure.

Steps to Reproduce

  1. Using the GUI, surf to DNS zones.
  2. Choose 'Reverse zone IP network'.
  3. Attempt to add any subnet within 172.16.0.0/12 (or the whole thing). Do not click 'skip overlap check'.

Actual behavior

Notice the error message. Command failure.

Expected behavior

There should be no conflicts with ARIN addresses reported when creating reverse IP zones for any RFC1918 subnet.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

freeipa-server-4.7.2-1.1.fc29.x86_64
freeipa-client-4.7.2-1.1.fc29.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.22-1.fc29.x86_64
pki-ca-10.6.9-1.fc29.noarch
krb5-server-1.16.1-25.fc29.x86_64



Either I'm not doing this right or something changed in the interim, but I can't reproduce this with master from the command line.

$ ipa dnszone-add 0.16.172.in-addr.arpa.
Zone name: 0.16.172.in-addr.arpa.
Active zone: TRUE
Authoritative nameserver: ipa.example.test.
Administrator e-mail address: hostmaster
SOA serial: 1568924343
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.TEST krb5-subdomain 0.16.172.in-addr.arpa.
PTR;
Dynamic update: FALSE
Allow query: any;
Allow transfer: none;

Did you specify 172.16.0.0/12 like in the following example?

#  ipa dnszone-add --name-from-ip 172.16.0.0/12
Zone name [172.in-addr.arpa.]: 
ipa: ERROR: DNS zone 172.in-addr.arpa. already exists in DNS and is handled by server(s): arin.authdns.ripe.net., z.arin.net., x.arin.net., y.arin.net., u.arin.net., r.arin.net.

Note that if you are using /12 as the subnet mask, the command will try to define the reverse zone 172.in-addr.arpa. If you use /16 instead, the command will work and define the reverse zone 16.172.in-addr.arpa.

#  ipa dnszone-add --name-from-ip 172.16.0.0/16
Zone name [16.172.in-addr.arpa.]: 
  Zone name: 16.172.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: master.ipa.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1568994077
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA.TEST
                      krb5-subdomain 16.172.in-addr.arpa. PTR;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

Please see the doc that explains:

To create the reverse zone by its IP network, set the network information to the (forward-style) IP address, with the subnet mask bit count. The bit count must be a multiple of eight for IPv4 addresses or a multiple of four for IPv6 addresses. 
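As an added illustration (not code from this ticket or from FreeIPA itself), the snippet below mirrors the --name-from-ip mapping shown in the transcripts above: the prefix is truncated to an octet boundary for IPv4 (nibble for IPv6), so a /12 collapses to the whole 172.in-addr.arpa. zone that the RIRs delegate, while splitting the block into /16 networks gives zone names FreeIPA can own without the overlap. The function names are my own.

```python
"""Derive the reverse zone name that `ipa dnszone-add --name-from-ip`
proposes for a CIDR network, and split a non-aligned prefix such as
172.16.0.0/12 into octet-aligned subnets whose zones do not overlap
the RIR-delegated 172.in-addr.arpa. zone. Standalone illustration."""
import ipaddress


def reverse_zone_name(cidr: str) -> str:
    """Return the in-addr.arpa. / ip6.arpa. zone for `cidr`, truncating the
    prefix DOWN to a whole octet (IPv4) or nibble (IPv6), as the CLI output
    in the ticket shows (172.16.0.0/12 -> 172.in-addr.arpa.)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")
        keep = net.prefixlen // 8
        suffix = "in-addr.arpa."
    else:
        labels = list(net.network_address.exploded.replace(":", ""))
        keep = net.prefixlen // 4
        suffix = "ip6.arpa."
    if keep == 0:
        raise ValueError(f"{cidr}: prefix too short to name a reverse zone")
    return ".".join(reversed(labels[:keep])) + "." + suffix


def prefix_is_zone_aligned(cidr: str) -> bool:
    """FreeIPA docs: bit count must be a multiple of 8 (IPv4) or 4 (IPv6)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen % (8 if net.version == 4 else 4) == 0


def aligned_reverse_zones(cidr: str) -> list[str]:
    """Round the prefix UP to the next aligned length and return one reverse
    zone per resulting subnet. For 172.16.0.0/12 this yields the sixteen
    zones 16.172.in-addr.arpa. through 31.172.in-addr.arpa., none of which
    collides with the /8 zone the RIRs serve."""
    net = ipaddress.ip_network(cidr, strict=False)
    step = 8 if net.version == 4 else 4
    new_prefix = -(-net.prefixlen // step) * step  # ceiling to alignment
    return [reverse_zone_name(str(sub)) for sub in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for block in ("172.16.0.0/12", "172.16.0.0/16", "10.0.0.0/8", "2001:db8::/32"):
        print(f"{block:16} aligned={prefix_is_zone_aligned(block)!s:5} "
              f"zone={reverse_zone_name(block)}")
    print(aligned_reverse_zones("172.16.0.0/12"))
```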
