Univention Bugzilla – Bug 49489
Can't create host record 'master-42-140.42.schule.edu' in zone '42.schule.edu'
Last modified: 2024-01-29 10:01:12 CET
In a newly installed UCS 4.4-0 errata0 (Blumenthal) I get this Traceback in the initial run of the joinscripts while setup.

============================================================
Configure 05univention-bind.inst Thu May 16 11:33:32 CEST 2019
2019-05-16 11:33:32.347658463+02:00 (in joinscript_init)
Failed creating the DNS zone 42.schule.edu.\nCommand failed with 1:\nE: failed nameserver: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed.
Adding ZONE record "root@42.schule.edu. 1 28800 7200 604800 10800 master-42-140.42.schule.edu." to zone 42.schule.edu...
Traceback (most recent call last):
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 460, in <module>
    main()
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 433, in main
    add_zone(*args)
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 391, in add_zone
    zone['nameserver'] = list(nameserver)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 423, in __setitem__
    raise univention.admin.uexceptions.valueInvalidSyntax, "%s: %s" % (key, err)
univention.admin.uexceptions.valueInvalidSyntax: nameserver: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed.
__JOINERR__:FAILED: /usr/lib/univention-install/05univention-bind.inst
============================================================

By this all following scripts, which depend on DNS, will also fail. This is blocking DNS.
In the syslog you also find:

============================================================
Mai 16 11:26:38 unassigned-hostname named[3867]: all zones loaded
Mai 16 11:26:38 unassigned-hostname named[3867]: running
Mai 16 11:30:23 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mai 16 11:30:27 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mai 16 11:30:27 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
============================================================
Mai 16 11:38:04 master-42-140 named[12943]: loading configuration from '/etc/bind/named.conf.proxy'
Mai 16 11:38:04 master-42-140 named[12943]: /etc/bind/named.conf.proxy:14: expected IP match list element near ';'
Mai 16 11:38:04 master-42-140 named[12943]: loading configuration: unexpected token
Mai 16 11:38:04 master-42-140 named[12943]: exiting (due to fatal error)
Mai 16 11:38:04 master-42-140 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
============================================================

===== /etc/bind/named.conf.proxy:14 =====
  1 # Warning: This file is auto-generated and might be overwritten by
  2 # univention-config-registry.
  3 # Please edit the following file(s) instead:
  4 # Warnung: Diese Datei wurde automatisch generiert und kann durch
  5 # univention-config-registry ueberschrieben werden.
  6 # Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
  7 #
  8 # /etc/univention/templates/files/etc/bind/named.conf.proxy
  9 #
 10
 11
 12 controls{
 13   inet 127.0.0.1
>14   allow { ; };
 15 };
 16
DNS https://www.ietf.org/rfc/rfc952.txt says "The first character must be an alpha character." univention-system-setup contains a check (util.is_domainname) that should complain during setup.
(In reply to Arvid Requate from comment #2)
> univention-system-setup contains a check (util.is_domainname) that should
> complain during setup.

There was no complaint from the setup... :/
Where has this been observed? Ticket?
(In reply to Arvid Requate from comment #4)
> Where has this been observed? Ticket?

This occurred while reproducing a school environment with multiple slaves. (2019012121001081)
Ah, RFC 1123 says: "One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software MUST support this more liberal syntax." And, indeed, the regex pattern of util.is_domainname allows that too. Sorry for the confusion, changing the component back to DNS.
Created attachment 10036
dns_label_rfc_1123.patch

Patch proposal.
Bug #25354 introduced this behavior. The quote from RFC 1123 in Comment 6 suggests that that change was too strict.
(In reply to Arvid Requate from comment #7)
> Created attachment 10036
> dns_label_rfc_1123.patch
>
> Patch proposal.

The patch is wrong and MUST NOT be applied.

While [RFC 1123](https://www.rfc-editor.org/rfc/rfc1123#page-13) relaxed the requirement for hostnames and now allows all-numeric-names, it still is a bad idea for *host*names: There are too many implementations which automatically interpret a *numeric-host-name* as an IPv4 address and skip DNS resolution. Only by *always* giving a FQDN (where at least the TLD is not numeric) would then force DNS resolution. Strictly speaking all-numeric-domains ("42" from your example) are okay, but you also get into trouble when you only give a *partial host-name* like "123.42" instead of including the TLD like in "123.42.tld".

The syntax for host-names in UDM is already a super-set of RFC-953 as it allows "underscored" ("_"), which only Windows allows. As it was not allowed in the original RFC, it was chosen for SRV records, which now may clash with Windows named. :-(

Also please keep in mind that "DNS names" is a super-set of "host names", e.g. DNS can store arbitrary binary data under arbitrary names by using quoting. The only restriction from DNS is, that each label must be <=63 octets and the full name must be <=255 octets.

To support RFC 1123 the syntax should be changed to allow all-numeric host-names.
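
As an added illustration (not Univention's code and not the attached patch), the sketch below classifies names from this thread by the rules quoted in it: RFC 952's leading letter, RFC 1123's relaxed first character, the 63/255-octet limits, and the all-numeric case that address parsers may take for IPv4. The function name `check_hostname` and the finding labels are assumptions made for this example.

```python
import re

# RFC 952 label: must start with a letter. RFC 1123 relaxes this to letter or digit.
RFC952_LABEL = re.compile(r"[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?")
RFC1123_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")
NUMERIC = re.compile(r"[0-9]+")


def check_hostname(name):
    """Return a sorted list of findings for a host name; empty means no objection."""
    findings = set()
    fqdn = name[:-1] if name.endswith(".") else name  # tolerate the root dot
    labels = fqdn.split(".")
    # Wire format: one length octet per label plus the root label's zero octet.
    if len(fqdn) + 2 > 255:
        findings.add("name-too-long")
    for label in labels:
        if not 1 <= len(label) <= 63:
            findings.add("bad-label-length")
        elif not RFC1123_LABEL.fullmatch(label):
            findings.add("not-rfc1123")  # e.g. underscore, leading/trailing hyphen
        elif not RFC952_LABEL.fullmatch(label):
            findings.add("rfc1123-only")  # leading digit: valid since RFC 1123
    # inet_aton-style parsers accept 1 to 4 numeric parts as an IPv4 address,
    # so a name like this may never reach the resolver.
    if len(labels) <= 4 and all(NUMERIC.fullmatch(l) for l in labels):
        findings.add("parses-as-ipv4")
    return sorted(findings)


if __name__ == "__main__":
    # Names taken from the thread, plus one constructed SRV-style name.
    for sample in ("master-42-140.42.schule.edu.", "123.42", "123.42.tld",
                   "_ldap._tcp.schule.edu"):
        print(sample, check_hostname(sample))
```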