Bug #8567
open
Smart Proxy BIND incorrect reverse DNS config for networks smaller than /24
Description
The foreman configures the reverse zone for DNS allow with forward zones under certain circumstances.
This is fine if you have a /24 network. but for other networks, such as 10.8.15.64/27 it add's an incorrect zone entry like the one below:
zone "64.15.8.10.in-addr.arpa" {
type master;
file "/var/cache/bind/zones/db.64.15.8.10.in-addr.arpa";
update-policy {
grant rndc-key zonesub any;
};
};
bind can only handle zone files in /24, /16 or /8 increments. as a result the above entry is invalid, causing updates to it to fail.
Heres what I had to do to work around it temporarily:
cd /var/cache/bind/zones/ sudo mv db.64.15.8.10.in-addr.arpa db.15.8.10.in-addr.arpa sudo sed -i 's=64.15.8.10.in-addr.arpa=15.8.10.in-addr.arpa=' /etc/bind/zones.conf db.15.8.10.in-addr.arpa
Bottomline: any reverse DNS zones in bind need to be rounded up to X.X.X.*, X.X.*.* or X.*.*.*
Perhaps this would be fixed if I set the network address in the subnet definition to be 15.8.10, but that is not the right network address for this range.
Updated by Dominic Cleal over 9 years ago
- Project changed from Foreman to Installer
- Category changed from DNS to Foreman modules
Can you explain how you installed Foreman? I assume you're talking about the installer, but the installer has a --foreman-proxy-dns-reverse argument that you have to set for the reverse DNS zone name, so perhaps check what value you supplied.
Updated by Dominic Cleal over 9 years ago
- Status changed from New to Need more information
Updated by John Brooker over 9 years ago
Good question. what I did was I used the GUI, which in one of the steps instructed me to use the foreman-installer command. I had previously used foreman-installer to setup foreman, using just a single host for both proxy and head BTW.
ok. so the command I got out of that setup included the following flag for foreman-installer:
--foreman-proxy-dns-reverse=64.15.8.10.in-addr.arpa \
This is incorrect for the reasons I described above. here is what it should be:
--foreman-proxy-dns-reverse=15.8.10.in-addr.arpa \
NOTE: the missing "64."
so the logic that generates that flag needs a tweak to ensure it always removes the last octet from the network address provided on the previous page.
BTW you can't work around this issue by shortening the network address to just 3 octets. that will throw an "address family mismatch" error
I would also argue that some amount of sanity checking needs to occur on the smart proxy side to stop these zones from being generated.
Couple of other important notes:- There is an RFC (2317) which allows for the generation of sub-octet sized reverse lookup zones. googling for that finds a litany of issues, so although enabling that support in bind (assuming it exists) would solve this issue, it seems like it would be problematic and thus a poor choice for a default way of operating.
- A full list of DNS RFC's are linked below. I didn't take the time to read through them but I'm sure that since RFC 2317 exists theres and RFC that establishes the problem that RFC 2317 addresses as the norm:
http://www.isc.org/community/rfcs/dns/
Updated by Dominic Cleal over 9 years ago
- Project changed from Installer to foreman_setup
- Category deleted (
Foreman modules) - Status changed from Need more information to New
Thanks for the info, that makes more sense now, part of foreman_setup.
Updated by Antoine Cotten over 9 years ago
I also face a similar issue on Foreman 3.7.1 with the following subnet: 93.104.246.64/26
When I create or edit a host on this subnet, the following messages appear in the proxy logs:
E, [2015-01-19T13:07:02.990181 #29026] ERROR -- : Cannot find DNS entry for 76.246.104.93.in-addr.arpa 192.168.180.40 - - [19/Jan/2015 13:07:02] "DELETE /dns/76.246.104.93.in-addr.arpa HTTP/1.1" 404 52 0.0092
Foreman should actually try to add the following entry when the subnet is not one of /24, /16 or /8:
*76.26-64*.246.104.93.in-addr.arpa
Associated zone:
zone "26-64.246.104.93.in-addr.arpa" {
file "/var/named/dynamic/db.26-64.246.104.93.in-addr.arpa";
...
};
And the corresponding zone file:
$ORIGIN .
$TTL 10800 ; 3 hours
26-64.246.104.93.in-addr.arpa IN SOA ns.example.com. admin.example.com. (
2015000002 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
NS ns.example.com.
$ORIGIN 26-64.246.104.93.in-addr.arpa.
...
Updated by Diego Michelotto almost 7 years ago
Dear all,
any news about this BUG, we have the same problem with Foreman 1.15.
All the best
Diego