Bug 25354 - Missing syntax check for PTR, CNAME
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - DNS
Version: UCS 3.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Philipp Hahn
QA Contact: Florian Best
Duplicates: 35041 38734
Depends on:
Blocks: 44618 49489 43304
Reported: 2011-12-09 10:00 CET by Philipp Hahn
Modified: 2019-05-20 15:48 CEST (History)

What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Description Philipp Hahn univentionstaff 2011-12-09 10:00:51 CET
When creating a pointer record in a reverse DNS zone, an "address" is requested. But the full IP(v4) address must not be entered there; instead the relative address has to be given in reverse order, i.e. for the IPv4 address 10.20.30.40 in the zone 20.10.in-addr.arpa. that is 40.30.
Comment 1 Philipp Hahn univentionstaff 2012-12-05 11:14:42 CET
The same applies to CNAMEs: there one can also enter invalid host names (in my case it was apt..knut.univention.de.). This was only noticed during a zone transfer, in which the faulty RR in question was then missing.
Comment 2 Philipp Hahn univentionstaff 2015-11-10 16:47:20 CET
For IPv6 entering the reverse IPv6 address in nibble format is very error prone
Comment 3 Philipp Hahn univentionstaff 2016-10-17 13:34:31 CEST
As this bug requires an API change → UCS-4.2
Comment 4 Philipp Hahn univentionstaff 2016-11-21 06:18:23 CET
This is much worse:

# udm dns/ptr_record list --superordinate zoneName=1.1.in-addr.arpa,cn=dns,dc=phahn,dc=qa
 DN: relativeDomainName=3.4,zoneName=1.1.in-addr.arpa,cn=dns,dc=phahn,dc=qa
   ptr_record: omar.knut.univention.de.
   address: 3.4
# dig +short @localhost -p 7777 -x 1.1.4.3
 omar.knut.univention.de.

# udm dns/ptr_record list --superordinate zoneName=4.3.0.0.0.2.0.0.0.1.0.0.0.ip6.arpa,cn=dns,dc=phahn,dc=qa
 DN: relativeDomainName=8.0.0.0.7.0.0.0.6.0.0.0.5.0.0.0.0.0.0,zoneName=4.3.0.0.0.2.0.0.0.1.0.0.0.ip6.arpa,cn=dns,dc=phahn,dc=qa
   ptr_record: master41.phahn.qa.
   address: 8.0.0.0.7.0.0.0.6.0.0.0.5.0.0.0.0.0.0
# dig +short @localhost -p 7777 -x 1:2:3:4000:5:6:7:8
 master41.phahn.qa.


DN1 () { sed -ne 's/^DN: //p;T;q'; }
LB=$(ucr get ldap/base) R=$RANDOM
udm dns/forward_zone create --set zone=dns$R --set nameserver=$(hostname -f) --set mx='10 ...'
udm dns/alias create --superordinate zoneName=dns$R,$LB --set name=test1 --set cname=a.b
udm dns/alias create --superordinate zoneName=dns$R,$LB --set name=test2 --set cname=a..b.
udm dns/alias create --superordinate zoneName=dns$R,$LB --set name=test3 --set cname=a.b.
dig +noall +question +answer @localhost -p 7777 test1.dns$R. cname
 ;test1.dns17224.                        IN      CNAME
 test1.dns17224.         10800   IN      CNAME   a.b.dns17224.
dig +noall +question +answer @localhost -p 7777 test2.dns$R. cname
 ;test2.dns17224.                        IN      CNAME
dig +noall +question +answer @localhost -p 7777 test3.dns$R. cname
 ;test3.dns17224.                        IN      CNAME
 test3.dns17224.         10800   IN      CNAME   a.b.
dig +noall +question +answer @localhost -p 7777 dns$R. mx
 ;dns17224.                      IN      MX
dig +noall @localhost -p 7777 dns$R axfr
 ; Transfer failed.
tail /var/log/daemon.log
 named[4656]: dns_rdata_fromtext: buffer-0x7f5942385730:1: near 'a..b.': empty label
 named[4656]: LDAP sdb zone 'dns17224': dns_sdb_put... failed for a..b.

r74606 | Bug #26354 udm: Implement dns.ptr search
r74605 | Bug #26354 udm: Validate dns.ptr
r74604 | Bug #25354 udm: Validate DNS domain name syntax
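The relation between the "address" UDM asks for (comment 0), the zone name and the real IP shown in comment 4 is mechanical, and getting it wrong for IPv6 nibbles (comment 2) silently produces a PTR for a different address. The following helper is an added example, not code from UDM or this bug's commits: it derives the relative domain name of a dns/ptr_record from a full IPv4/IPv6 address and a reverse zone, rejects addresses outside the zone, and reverses the computation (what UMC displays after the fix, comment 16). Function names are the example's own; RFC 2317 classless in-addr.arpa delegations and the zone apex ("@") are not handled.

```python
import ipaddress

# (suffix, IP version, per-label validity test) for the two reverse-zone families
_ZONE_KINDS = (
    (".in-addr.arpa", 4, lambda l: l.isdigit() and int(l) <= 255),
    (".ip6.arpa", 6, lambda l: len(l) == 1 and l in "0123456789abcdef"),
)


def _split_reverse_zone(zone):
    """Return (ip_version, zone_labels) for an in-addr.arpa or ip6.arpa zone name.

    zone_labels are the labels in front of the .arpa suffix, in the order they appear
    in the zone name (already reversed relative to the address).  Each label must be
    an octet (IPv4) or a single hex nibble (IPv6), so "a..b" style junk is rejected.
    """
    zone = zone.rstrip(".").lower()
    for suffix, version, label_ok in _ZONE_KINDS:
        if zone == suffix.lstrip("."):          # bare in-addr.arpa / ip6.arpa
            return version, []
        if zone.endswith(suffix):
            labels = zone[:-len(suffix)].split(".")
            if not all(label_ok(l) for l in labels):
                raise ValueError("invalid label in reverse zone %r" % zone)
            return version, labels
    raise ValueError("not a reverse zone: %r" % zone)


def _reverse_labels(addr):
    """All labels of addr's reverse name, most specific first, without the .arpa suffix."""
    if addr.version == 4:
        return str(addr).split(".")[::-1]                       # 1.1.4.3 -> 3 4 1 1
    return list(addr.exploded.replace(":", ""))[::-1]           # 32 nibbles, reversed


def relative_ptr_name(ip, zone):
    """The 'address' of a dns/ptr_record: the reverse-name labels below the zone, e.g. '3.4'."""
    version, zone_labels = _split_reverse_zone(zone)
    addr = ipaddress.ip_address(ip)
    if addr.version != version:
        raise ValueError("%s is IPv%d but zone %s is IPv%d" % (ip, addr.version, zone, version))
    labels = _reverse_labels(addr)
    cut = len(labels) - len(zone_labels)
    # The zone's labels must be exactly the tail of the reverse name, and something must remain.
    if cut <= 0 or labels[cut:] != zone_labels:
        raise ValueError("%s is not inside reverse zone %s" % (ip, zone))
    return ".".join(labels[:cut])


def ip_from_ptr(relative, zone):
    """Inverse direction: rebuild the full address from relativeDomainName + zoneName."""
    version, zone_labels = _split_reverse_zone(zone)
    labels = relative.rstrip(".").split(".") + zone_labels
    expected = 4 if version == 4 else 32
    if len(labels) != expected:
        raise ValueError("%r in %s gives %d labels, need %d" % (relative, zone, len(labels), expected))
    if version == 4:
        return str(ipaddress.IPv4Address(".".join(labels[::-1])))
    nibbles = "".join(labels[::-1])
    return str(ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4))))


def is_in_zone(ip, zone):
    """True when ip can be represented as a PTR below zone."""
    try:
        relative_ptr_name(ip, zone)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Values taken from comment 4 above; dig -x there resolves exactly these names.
    for ip, zone in (("1.1.4.3", "1.1.in-addr.arpa"),
                     ("1:2:3:4000:5:6:7:8", "4.3.0.0.0.2.0.0.0.1.0.0.0.ip6.arpa"),
                     ("10.20.30.40", "20.10.in-addr.arpa")):
        rel = relative_ptr_name(ip, zone)
        print("%-20s in %-36s -> address=%s (round trip: %s)" % (ip, zone, rel, ip_from_ptr(rel, zone)))
```

The zone-membership check is the part that matters for validation: a relative name that merely "looks right" but was typed for the wrong zone produces a PTR for a different host, and nothing in the LDAP layer would notice.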
Comment 5 Florian Best univentionstaff 2016-11-21 13:11:02 CET
r74604
+msgstr "Der vollständige Domänenname muß zwischen 1 udn 255 zeichen lang sein!"
s/udn/und/
s/muß/muss/
s/zeichen/Zeichen/
Comment 6 Philipp Hahn univentionstaff 2016-11-21 15:03:02 CET
r74643 | Bug #25354 udm: Validate DNS domain name syntax

Package: univention-directory-manager-modules
Version: 11.0.3-47.1441.201611211501
Branch: ucs_4.1-0
Scope: errata4.1-4

r74644 | Bug #25354 udm: Validate DNS domain name syntax YAML
Comment 7 Stefan Gohmann univentionstaff 2016-11-23 05:38:50 CET
Some of our Jenkins setups fail now. See here for example:

http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-4/job/ADMemberMultiEnv/13/Mode=module,Version=w2k12r2-france/testReport/

Configure /usr/lib/univention-install/15univention-heimdal-kdc.inst
2016-11-22 16:52:11.352159816-05:00 (in joinscript_init)
E: failed Name: Value may not contain other than numbers, letters and dots!
Adding TXT record "_kerberos AUTOTEST225.LOCAL" to zone autotest225.local...
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 400, in <module>
    main()
  File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 367, in main
    add_txt_record(*args)
  File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 234, in add_txt_record
    record['name'] = name
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 260, in __setitem__
    raise univention.admin.uexceptions.valueInvalidSyntax, "%s: %s" % (self.descriptions[key].short_description, err)
univention.admin.uexceptions.valueInvalidSyntax: Name: Value may not contain other than numbers, letters and dots!

Is it related to these changes?
Comment 8 Stefan Gohmann univentionstaff 2016-11-23 07:47:36 CET
There are more test results which might be caused by these changes:

http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-4/job/AutotestJoin/SambaVersion=s4,Systemrolle=master/lastCompletedBuild/testReport/00_checks/10_s4_connector_rejects/test/
----------------------------------------------------------------------------
[2016-11-22 18:12:13.492092] UCS rejected
[2016-11-22 18:12:13.492153] 
[2016-11-22 18:12:13.492263] 
[2016-11-22 18:12:13.492277] S4 rejected
[2016-11-22 18:12:13.492314] 
[2016-11-22 18:12:13.492481]     1:    S4 DN: DC=gc,DC=_msdcs.autotest091.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=autotest091,DC=local
[2016-11-22 18:12:13.492639]          UCS DN: <not found>
[2016-11-22 18:12:13.492723]     2:    S4 DN: DC=05ddc0b4-de3c-4b3d-87b4-7b0e5a96ade4,DC=_msdcs.autotest091.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=autotest091,DC=local
[2016-11-22 18:12:13.492835]          UCS DN: <not found>
[2016-11-22 18:12:13.492920] 
[2016-11-22 18:12:13.492956] 	last synced USN: 3817
[2016-11-22 18:12:17.038297] S4CONNECTOR WARNING: Found 2 reject(s)! Please check output of univention-s4connector-list-rejected.
----------------------------------------------------------------------------
Comment 9 Florian Best univentionstaff 2016-11-23 10:23:53 CET
See also Bug #35254 with the same symptoms (Bug #35438). If I remember correctly, the joinscripts of S4 are creating "invalid" entries.
Comment 10 Stefan Gohmann univentionstaff 2016-11-26 17:17:31 CET
(In reply to Stefan Gohmann from comment #8)
> There are more test results which might be caused by these changes:

It looks like it breaks all of our Jenkins tests, or at least a lot of test environments. Since we will release a UCS@school release next week, please revert your changes.
Comment 11 Philipp Hahn univentionstaff 2016-11-28 09:54:05 CET
*** Bug 35041 has been marked as a duplicate of this bug. ***
Comment 12 Philipp Hahn univentionstaff 2016-11-28 10:05:21 CET
r74749 | Bug #25354 udm: Validate DNS domain name syntax UCS-4.1-4
r74751 | Bug #25354 udm: Validate DNS domain name syntax UCS-4.2-0
 There's a new syntax class dnsHostname now used for SOA.primary/NS/SRV.location/MX.server, which checks for valid "host names", while dnsName was relaxed to allow any DNS label/name.
 Summary:
 - RFC2181: DNS allows everything:
   - 1<=|label|<=63
   - 1<=|total|<=253 (+ trailing dot + 1 byte for length -> max 255)
   - All-digits are allowed, as long as the TLD is not-all-numeric
 - RFC5321: SMTP restricts hostnames to Letter-Digits-Hyphen

Package: univention-directory-manager-modules
Version: 11.0.3-48.1442.201611271952
Branch: ucs_4.1-0
Scope: errata4.1-4

r74754 | Bug #25354 udm: Validate DNS domain name syntax YAML
 univention-directory-manager-modules.yaml
Comment 13 Philipp Hahn univentionstaff 2016-11-30 11:32:16 CET
r74820 | Bug #25354 test.dns: Add RFC1123 tests
r74819 | Bug #25354 udm: Allow RFC1123 DNS names

Package: univention-directory-manager-modules
Version: 11.0.3-49.1443.201611301119
Branch: ucs_4.1-0
Scope: errata4.1-4

Package: ucs-test
Version: 6.0.37-14.1560.201611301121
Branch: ucs_4.1-0
Scope: errata4.1-4

r74822 | Bug #25354 test.dns: Add RFC1123 tests
r74821 | Bug #25354 udm: Allow RFC1123 DNS names

r74823 | Bug #25354 udm: Allow RFC1123 DNS names YAML
 univention-directory-manager-modules.yaml
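Comment 12 summarises the two-tier rule and comment 13 relaxes the strict tier to RFC 1123. The following validator is an added example written for this page, not the dnsName/dnsHostname syntax classes of univention-directory-manager-modules (their code is not shown here). The relaxed check (dnsName) applies only RFC 2181 limits and catches the "a..b." empty label from comment 4 while accepting "_kerberos" and "gc._msdcs..." from comments 7 and 8; the strict check (dnsHostname) adds RFC 1123 letters-digits-hyphen labels and, following RFC 1123 section 2.1, rejects an all-numeric top-level label so that a dotted IP is never accepted as a host name. Function names and the sample names with "example" are constructed; lengths are counted in characters, so IDNA/non-ASCII names are out of scope.

```python
import re

MAX_LABEL = 63   # RFC 2181 section 11 / RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # presentation form without trailing dot; 255 octets on the wire incl. length bytes and root label

# RFC 1123 section 2.1 host-name label: letters, digits, hyphen; no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _bare(name):
    """Strip one trailing dot (absolute name); the dot does not count toward the length limit."""
    return name[:-1] if name.endswith(".") else name


def dns_name_error(name):
    """Relaxed 'dnsName' tier: RFC 2181 only limits lengths and forbids empty labels.

    Returns None when valid, otherwise a human-readable reason.  Underscore labels
    such as '_kerberos' or '_msdcs' are fine here; they are legal DNS labels.
    """
    if not isinstance(name, str) or not name:
        return "name must be a non-empty string"
    bare = _bare(name)
    if not bare:
        return "the root '.' alone is not a usable record name"
    if len(bare) > MAX_NAME:
        return "name is longer than %d characters" % MAX_NAME
    for label in bare.split("."):
        if not label:
            return "empty label (consecutive dots) in %r" % name   # what named reports for a..b.
        if len(label) > MAX_LABEL:
            return "label %r is longer than %d characters" % (label, MAX_LABEL)
    return None


def dns_hostname_error(name):
    """Strict 'dnsHostname' tier for SOA primary / NS / MX / SRV targets.

    Every label must be letters-digits-hyphen (a label may start with a digit,
    RFC 1123), and the top-level label must not be all-numeric.
    """
    err = dns_name_error(name)
    if err:
        return err
    labels = _bare(name).split(".")
    for label in labels:
        if not _LDH_LABEL.match(label):
            return "label %r is not letters-digits-hyphen" % label
    if labels[-1].isdigit():
        return "top-level label %r must not be all-numeric" % labels[-1]
    return None


def is_dns_name(name):
    return dns_name_error(name) is None


def is_dns_hostname(name):
    return dns_hostname_error(name) is None


if __name__ == "__main__":
    # Names taken from the comments above plus constructed edge cases for the length limits.
    samples = ["a.b.", "a..b.", "apt..knut.univention.de.", "omar.knut.univention.de.",
               "_kerberos", "gc._msdcs.autotest091.local", "master41.phahn.qa.", "3com.example.",
               "-bad.example.", "1.2.3.4", "a" * 64 + ".example", ".".join(["a" * 63] * 4)]
    for n in samples:
        print("%-40s dnsName=%-5s dnsHostname=%-5s %s" % (
            n[:40], is_dns_name(n), is_dns_hostname(n), dns_hostname_error(n) or ""))
```

Note the ordering: the strict tier calls the relaxed tier first, so a length or empty-label error is reported the same way regardless of which syntax class a UDM attribute uses; the Jenkins failures in comments 7 and 8 came from applying the strict tier to record names that only need the relaxed one.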
Comment 14 Florian Best univentionstaff 2016-12-21 15:48:42 CET
OK: dns/forward zone|reverse zone nameserver
OK: computers/* dnsEntryZoneAlias (stripping trailing dot)
~OK: Wrong: container/dc dnsForwardZone uses dnsName while the values are DNs, but it's not create-able or editable at all.
OK: dns/txt_record
OK: dns/srv_record (removal of location.server not possible)
OK: dns/host_record (name, MX)
OK: dns/ptr_record (the tooltip says that trailing dot is required, while it isn't enforced)
OK: dns/alias (name, CNAME)
OK: mail/domain

I get the following error if I want to add a DNS forward zone named "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.":
The LDAP object could not be saved: LDAP Error Other (e.g., implementation specific) error

Prior to this it was:
Zone name: Invalid DNS zone name! (Must not end with a ".", only "0"-"9", "A"-"Z", "a"-"z", and "-" allowed)

→ OK: No real regression
OK: YAML
OK: UCS 4.2 merge
Comment 15 Florian Best univentionstaff 2016-12-22 18:30:35 CET
I overlooked two commits in my QA which were done with the wrong bug number.

univention-directory-manager-modules (12.0.7-1):
r74606 | Bug #26354 udm: Implement dns.ptr search
r74605 | Bug #26354 udm: Validate dns.ptr
Comment 16 Florian Best univentionstaff 2016-12-23 15:27:29 CET
This works very nicely, especially that the whole IP is now shown in UMC!
There are two commits only in UCS 4.2 and we are releasing this as 4.1-1 errata. IMO okay, the bug is mentioned in both YAML and changelog correctly.

I added a missing translation:
univention-directory-manager-modules (12.0.9-1):
r75540 | Bug #25354: add missing translation
Comment 17 Janek Walkenhorst univentionstaff 2017-01-05 11:22:33 CET
<http://errata.software-univention.de/ucs/4.1/367.html>
Comment 18 Philipp Hahn univentionstaff 2018-02-16 09:43:54 CET
*** Bug 38734 has been marked as a duplicate of this bug. ***