Univention Bugzilla – Bug 25354
Missing syntax check for PTR, CNAME
Last modified: 2022-10-12 08:32:53 CEST
When creating a pointer record in a reverse DNS zone, an "address" is requested. However, you may not enter the complete IP(v4) address there; instead you must enter the relative address in reverse order, i.e. 40.30 for the IPv4 address 10.20.30.40 in the zone 20.10.in-addr.arpa.

It is similar with CNAMEs: there you can also enter invalid host names (in my case it was apt..knut.univention.de.). This was only noticed during a zone transfer, where the faulty RR in question was then missing.
For IPv6, entering the reverse IPv6 address in nibble format is very error-prone.

As this bug requires an API change → UCS-4.2
This is much worse:

# udm dns/ptr_record list --superordinate zoneName=1.1.in-addr.arpa,cn=dns,dc=phahn,dc=qa
DN: relativeDomainName=3.4,zoneName=1.1.in-addr.arpa,cn=dns,dc=phahn,dc=qa
  ptr_record: omar.knut.univention.de.
  address: 3.4
# dig +short @localhost -p 7777 -x 1.1.4.3
omar.knut.univention.de.

# udm dns/ptr_record list --superordinate zoneName=4.3.0.0.0.2.0.0.0.1.0.0.0.ip6.arpa,cn=dns,dc=phahn,dc=qa
DN: relativeDomainName=8.0.0.0.7.0.0.0.6.0.0.0.5.0.0.0.0.0.0,zoneName=4.3.0.0.0.2.0.0.0.1.0.0.0.ip6.arpa,cn=dns,dc=phahn,dc=qa
  ptr_record: master41.phahn.qa.
  address: 8.0.0.0.7.0.0.0.6.0.0.0.5.0.0.0.0.0.0
# dig +short @localhost -p 7777 -x 1:2:3:4000:5:6:7:8
master41.phahn.qa.

DN1 () { sed -ne 's/^DN: //p;T;q'; }
LB=$(ucr get ldap/base)
R=$RANDOM
udm dns/forward_zone create --set zone=dns$R --set nameserver=$(hostname -f) --set mx='10 ...'
udm dns/alias create --superordinate zoneName=dns$R,$LB --set name=test1 --set cname=a.b
udm dns/alias create --superordinate zoneName=dns$R,$LB --set name=test2 --set cname=a..b.
udm dns/alias create --superordinate zoneName=dns$R,$LB --set name=test3 --set cname=a.b.

dig +noall +question +answer @localhost -p 7777 test1.dns$R. cname
;test1.dns17224.		IN	CNAME
test1.dns17224.		10800	IN	CNAME	a.b.dns17224.

dig +noall +question +answer @localhost -p 7777 test2.dns$R. cname
;test2.dns17224.		IN	CNAME

dig +noall +question +answer @localhost -p 7777 test3.dns$R. cname
;test3.dns17224.		IN	CNAME
test3.dns17224.		10800	IN	CNAME	a.b.

dig +noall +question +answer @localhost -p 7777 dns$R. mx
;dns17224.			IN	MX

dig +noall @localhost -p 7777 dns$R axfr
; Transfer failed.

tail /vag/log/daemon.log
named[4656]: dns_rdata_fromtext: buffer-0x7f5942385730:1: near 'a..b.': empty label
named[4656]: LDAP sdb zone 'dns17224': dns_sdb_put... failed for a..b.

r74606 | Bug #26354 udm: Implement dns.ptr search
r74605 | Bug #26354 udm: Validate dns.ptr
r74604 | Bug #25354 udm: Validate DNS domain name syntax
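The address bookkeeping the reporter complains about, as an added example that is not code from Univention's UDM: converting between a full IP address and the relative name stored below a reverse zone (zone spelled as in the udm output above, e.g. "1.1.in-addr.arpa"), for IPv4 and for the IPv6 nibble format, in both directions. Function names are my own.

```python
# Added example, not UDM code: relative PTR name <-> full IP address for a
# reverse zone, so a UI can show the whole address instead of the reversed,
# error-prone fragment the "address" field expects.
import ipaddress


def reverse_labels(ip):
    """Reverse-pointer labels of an address plus its family, e.g. ['3','4','1','1'], 4 for 1.1.4.3."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer is "3.4.1.1.in-addr.arpa" / "8.0.0.0....ip6.arpa"; drop the last two labels
    return addr.reverse_pointer.split(".")[:-2], addr.version


def zone_labels(zone):
    """Split a reverse zone into (labels below in-addr/ip6.arpa, address family)."""
    labels = zone.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "arpa" or labels[-2] not in ("in-addr", "ip6"):
        raise ValueError("not a reverse zone: %s" % zone)
    return labels[:-2], 4 if labels[-2] == "in-addr" else 6


def relative_ptr_name(ip, zone):
    """Relative PTR name of `ip` inside `zone`; ValueError if the address is not in that zone."""
    full, fam = reverse_labels(ip)
    zpart, zfam = zone_labels(zone)
    if fam != zfam:
        raise ValueError("address family of %s does not match zone %s" % (ip, zone))
    n = len(zpart)
    if n and full[-n:] != zpart:
        raise ValueError("%s is not inside zone %s" % (ip, zone))
    return ".".join(full[:-n] if n else full)


def address_from_ptr(relative, zone):
    """Inverse: rebuild the full address from the stored relative name plus its zone."""
    zpart, zfam = zone_labels(zone)
    labels = relative.rstrip(".").split(".") + zpart
    if zfam == 4:
        if len(labels) != 4:
            raise ValueError("IPv4 reverse name needs 4 octets, got %d" % len(labels))
        return str(ipaddress.ip_address(".".join(reversed(labels))))
    if len(labels) != 32 or any(len(l) != 1 for l in labels):
        raise ValueError("IPv6 reverse name needs 32 single-nibble labels")
    hexdigits = "".join(reversed(labels))
    groups = [hexdigits[i:i + 4] for i in range(0, 32, 4)]
    return str(ipaddress.ip_address(":".join(groups)))
```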
r74604
+msgstr "Der vollständige Domänenname muß zwischen 1 udn 255 zeichen lang sein!"
s/udn/und/
s/muß/muss/
s/zeichen/Zeichen/

r74643 | Bug #25354 udm: Validate DNS domain name syntax

Package: univention-directory-manager-modules
Version: 11.0.3-47.1441.201611211501
Branch: ucs_4.1-0
Scope: errata4.1-4

r74644 | Bug #25354 udm: Validate DNS domain name syntax YAML
Some of our Jenkins setups fail now. See here for example:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-4/job/ADMemberMultiEnv/13/Mode=module,Version=w2k12r2-france/testReport/

Configure /usr/lib/univention-install/15univention-heimdal-kdc.inst 2016-11-22 16:52:11.352159816-05:00
(in joinscript_init)
E: failed
Name: Value may not contain other than numbers, letters and dots!
Adding TXT record "_kerberos AUTOTEST225.LOCAL" to zone autotest225.local...
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 400, in <module>
    main()
  File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 367, in main
    add_txt_record(*args)
  File "/usr/share/univention-directory-manager-tools/univention-dnsedit", line 234, in add_txt_record
    record['name'] = name
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 260, in __setitem__
    raise univention.admin.uexceptions.valueInvalidSyntax, "%s: %s" % (self.descriptions[key].short_description, err)
univention.admin.uexceptions.valueInvalidSyntax: Name: Value may not contain other than numbers, letters and dots!

Is it related to these changes?

There are more test results which might be caused by these changes:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-4/job/AutotestJoin/SambaVersion=s4,Systemrolle=master/lastCompletedBuild/testReport/00_checks/10_s4_connector_rejects/test/

----------------------------------------------------------------------------
[2016-11-22 18:12:13.492092] UCS rejected
[2016-11-22 18:12:13.492153]
[2016-11-22 18:12:13.492263]
[2016-11-22 18:12:13.492277] S4 rejected
[2016-11-22 18:12:13.492314]
[2016-11-22 18:12:13.492481]     1: S4 DN: DC=gc,DC=_msdcs.autotest091.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=autotest091,DC=local
[2016-11-22 18:12:13.492639]        UCS DN: <not found>
[2016-11-22 18:12:13.492723]     2: S4 DN: DC=05ddc0b4-de3c-4b3d-87b4-7b0e5a96ade4,DC=_msdcs.autotest091.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=autotest091,DC=local
[2016-11-22 18:12:13.492835]        UCS DN: <not found>
[2016-11-22 18:12:13.492920]
[2016-11-22 18:12:13.492956] last synced USN: 3817
[2016-11-22 18:12:17.038297] S4CONNECTOR WARNING: Found 2 reject(s)! Please check output of univention-s4connector-list-rejected.
----------------------------------------------------------------------------
See also Bug #35254 with the same symptoms (Bug #35438). If I remember correctly, the joinscripts of S4 are creating "invalid" entries.
(In reply to Stefan Gohmann from comment #8)
> There are more test results which might be caused by these changes:

It looks like it breaks all of our Jenkins tests or at least a lot of test environments. Since we will release a UCS@school release next week, please revert your changes.
*** Bug 35041 has been marked as a duplicate of this bug. ***
r74749 | Bug #25354 udm: Validate DNS domain name syntax UCS-4.1-4
r74751 | Bug #25354 udm: Validate DNS domain name syntax UCS-4.2-0

There's a new syntax class dnsHostname now used for SOA.primary/NS/SRV.location/MX.server, which checks for valid "host names", while dnsName was relaxed to allow any DNS label/name.

Summary:
- RFC 2181: DNS allows everything:
  - 1 <= |label| <= 63
  - 1 <= |total| <= 253 (+ trailing dot + 1 byte for length -> max 255)
  - All-digit labels are allowed, as long as the TLD is not all-numeric
- RFC 5321: SMTP restricts host names to Letter-Digit-Hyphen

Package: univention-directory-manager-modules
Version: 11.0.3-48.1442.201611271952
Branch: ucs_4.1-0
Scope: errata4.1-4

r74754 | Bug #25354 udm: Validate DNS domain name syntax YAML
univention-directory-manager-modules.yaml

r74820 | Bug #25354 test.dns: Add RFC1123 tests
r74819 | Bug #25354 udm: Allow RFC1123 DNS names

Package: univention-directory-manager-modules
Version: 11.0.3-49.1443.201611301119
Branch: ucs_4.1-0
Scope: errata4.1-4

Package: ucs-test
Version: 6.0.37-14.1560.201611301121
Branch: ucs_4.1-0
Scope: errata4.1-4

r74822 | Bug #25354 test.dns: Add RFC1123 tests
r74821 | Bug #25354 udm: Allow RFC1123 DNS names
r74823 | Bug #25354 udm: Allow RFC1123 DNS names YAML
univention-directory-manager-modules.yaml
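The two levels of checking described in the summary above, as an added example that is not UDM's own syntax classes: a relaxed RFC 2181 check for any DNS name (which has to accept the relative PTR name "3.4" and the TXT record name "_kerberos" from the Jenkins failure) beside the stricter RFC 1123 / RFC 5321 letter-digit-hyphen host name check for SOA primary, NS, MX and SRV targets. Function names and the `relative` parameter are my own; each function returns None when the name is acceptable, otherwise the reason.

```python
# Added example, not UDM code: relaxed "any DNS name" check vs. strict host name check.
import re

# A host name label: letters/digits, hyphens only in the middle (RFC 1123).
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_dns_name(name, relative=False):
    """RFC 2181 limits: each label 1..63 bytes, at most 253 bytes without the trailing
    dot (255 on the wire), and for absolute names a TLD that is not all-numeric.
    relative=True skips the TLD rule for names stored below a zone (PTR, TXT, ...)."""
    if not name:
        return "empty name"
    if name == ".":
        return None  # the root itself
    bare = name[:-1] if name.endswith(".") else name
    if len(bare.encode("utf-8")) > 253:
        return "name longer than 253 bytes"
    labels = bare.split(".")
    for label in labels:
        if not label:
            return "empty label"  # 'a..b.' is what made named reject the zone above
        if len(label.encode("utf-8")) > 63:
            return "label longer than 63 bytes: %r" % label
    if not relative and labels[-1].isdigit():
        return "top-level label must not be all-numeric"  # also rejects a bare IPv4 address
    return None


def check_dns_hostname(name):
    """Stricter host name check (RFC 1123 / RFC 5321): letter-digit-hyphen labels only."""
    if name == ".":
        return "host name needs at least one label"
    err = check_dns_name(name)
    if err:
        return err
    for label in name.rstrip(".").split("."):
        if not LDH_LABEL.match(label):
            return "label is not letter-digit-hyphen: %r" % label
    return None
```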
OK: dns/forward zone|reverse zone nameserver
OK: computers/* dnsEntryZoneAlias (stripping trailing dot)
~OK: Wrong: container/dc dnsForwardZone uses dnsName while the values are DNs, but it's not create-able and editable at all.
OK: dns/txt_record
OK: dns/srv_record (removal of location.server not possible)
OK: dns/host_record (name, MX)
OK: dns/ptr_record (the tooltip says that a trailing dot is required, while it isn't enforced)
OK: dns/alias (name, CNAME)
OK: mail/domain

I get the following error if I want to add a DNS forward zone named "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.":
  The LDAP object could not be saved: LDAP Error Other (e.g., implementation specific) error
Prior to this it was:
  Zone name: Invalid DNS zone name! (Must not end with a ".", only "0"-"9", "A"-"Z", "a"-"z", and "-" allowed)
→ OK: No real regression

OK: YAML
OK: UCS 4.2 merge

I overlooked two commits in my QA which were done with the wrong bug number.

univention-directory-manager-modules (12.0.7-1):
r74606 | Bug #26354 udm: Implement dns.ptr search
r74605 | Bug #26354 udm: Validate dns.ptr

This works very nicely, especially that the whole IP is now shown in UMC!

There are two commits only in UCS 4.2 and we are releasing this as 4.1-1 errata. IMO okay, the bug is mentioned in both YAML and changelog correctly.

I added a missing translation:
univention-directory-manager-modules (12.0.9-1):
r75540 | Bug #25354: add missing translation
<http://errata.software-univention.de/ucs/4.1/367.html>
*** Bug 38734 has been marked as a duplicate of this bug. ***