Bug 49489 - Can't create host record 'master-42-140.42.schule.edu' in zone '42.schule.edu'
Status: NEW
Product: UCS
Classification: Unclassified
Component: DNS
UCS 4.4
Other Linux
P5 normal
Assigned To: UCS maintainers
Depends on: 25354
Blocks:
Reported: 2019-05-16 12:28 CEST by Nico Stöckigt
Modified: 2024-01-29 10:01 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019012121001081
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
dns_label_rfc_1123.patch (1.16 KB, patch)
2019-05-20 15:41 CEST, Arvid Requate
Description Nico Stöckigt univentionstaff 2019-05-16 12:28:58 CEST
In a newly installed UCS 4.4-0 errata0 (Blumenthal) I get this traceback in the initial run of the join scripts during setup.

============================================================

Configure 05univention-bind.inst Thu May 16 11:33:32 CEST 2019
2019-05-16 11:33:32.347658463+02:00 (in joinscript_init)
Failed creating the DNS zone 42.schule.edu.\nCommand failed with 1:\nE: failed nameserver: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed.
Adding ZONE record "root@42.schule.edu. 1 28800 7200 604800 10800 master-42-140.42.schule.edu." to zone 42.schule.edu...
Traceback (most recent call last):
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 460, in <module>
    main()
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 433, in main
    add_zone(*args)
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 391, in add_zone
    zone['nameserver'] = list(nameserver)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 423, in __setitem__
    raise univention.admin.uexceptions.valueInvalidSyntax, "%s: %s" % (key, err)
univention.admin.uexceptions.valueInvalidSyntax: nameserver: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed.
__JOINERR__:FAILED: /usr/lib/univention-install/05univention-bind.inst

============================================================

Because of this, all following scripts which depend on DNS will also fail. This is blocking DNS.
Comment 1 Nico Stöckigt univentionstaff 2019-05-16 12:40:08 CEST
In the syslog you also find:

============================================================

Mai 16 11:26:38 unassigned-hostname named[3867]: all zones loaded
Mai 16 11:26:38 unassigned-hostname named[3867]: running
Mai 16 11:30:23 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mai 16 11:30:27 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mai 16 11:30:27 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.

============================================================

Mai 16 11:38:04 master-42-140 named[12943]: loading configuration from '/etc/bind/named.conf.proxy'
Mai 16 11:38:04 master-42-140 named[12943]: /etc/bind/named.conf.proxy:14: expected IP match list element near ';'
Mai 16 11:38:04 master-42-140 named[12943]: loading configuration: unexpected token
Mai 16 11:38:04 master-42-140 named[12943]: exiting (due to fatal error)
Mai 16 11:38:04 master-42-140 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE

============================================================

===== /etc/bind/named.conf.proxy:14 =====
  1 # Warning: This file is auto-generated and might be overwritten by
  2 #          univention-config-registry.
  3 #          Please edit the following file(s) instead:
  4 # Warnung: Diese Datei wurde automatisch generiert und kann durch
  5 #          univention-config-registry ueberschrieben werden.
  6 #          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
  7 # 
  8 # 	/etc/univention/templates/files/etc/bind/named.conf.proxy
  9 # 
 10
 11
 12 controls{
 13         inet 127.0.0.1
>14         allow { ; };
 15 };	
 16
Comment 2 Arvid Requate univentionstaff 2019-05-16 12:45:20 CEST
DNS https://www.ietf.org/rfc/rfc952.txt says "The first character must be an alpha character."

univention-system-setup contains a check (util.is_domainname) that should complain during setup.
Comment 3 Nico Stöckigt univentionstaff 2019-05-16 13:54:14 CEST
(In reply to Arvid Requate from comment #2)
> univention-system-setup contains a check (util.is_domainname) that should
> complain during setup.

There was no complaint from the setup... :/
Comment 4 Arvid Requate univentionstaff 2019-05-16 15:06:35 CEST
Where has this been observed? Ticket?
Comment 5 Nico Stöckigt univentionstaff 2019-05-16 15:34:59 CEST
(In reply to Arvid Requate from comment #4)
> Where has this been observed? Ticket?

This occurred while reproducing a school environment with multiple slaves. (2019012121001081)
Comment 6 Arvid Requate univentionstaff 2019-05-16 15:46:24 CEST
Ah, RFC 1123 says:
     "One aspect of host name syntax is hereby changed: the
      restriction on the first character is relaxed to allow either a
      letter or a digit.  Host software MUST support this more liberal
      syntax."

And, indeed, the regex pattern of util.is_domainname allows that too.
Sorry for the confusion, changing the component back to DNS.
Comment 7 Arvid Requate univentionstaff 2019-05-20 15:41:44 CEST
Created attachment 10036 [details]
dns_label_rfc_1123.patch

Patch proposal.
Comment 8 Arvid Requate univentionstaff 2019-05-20 15:48:18 CEST
Bug #25354 introduced this behavior. The quote from RFC 1123 in Comment 6 suggests that that change was too strict.
Comment 9 Philipp Hahn univentionstaff 2024-01-29 10:01:12 CET
(In reply to Arvid Requate from comment #7)
> Created attachment 10036 [details]
> dns_label_rfc_1123.patch
> 
> Patch proposal.

The patch is wrong and MUST NOT be applied.

While [RFC 1123](https://www.rfc-editor.org/rfc/rfc1123#page-13) relaxed the requirement for hostnames and now allows all-numeric-names, it still is a bad idea for *host*names: There are too many implementations which automatically interpret a *numeric-host-name* as an IPv4 address and skip DNS resolution. Only *always* giving a FQDN (where at least the TLD is not numeric) would then force DNS resolution.

Strictly speaking all-numeric-domains ("42" from your example) are okay, but you also get into trouble when you only give a *partial host-name* like "123.42" instead of including the TLD like in "123.42.tld".

The syntax for host-names in UDM is already a super-set of RFC-953 as it allows underscores ("_"), which only Windows allows. As it was not allowed in the original RFC, it was chosen for SRV records, which now may clash with Windows named. :-(

Also please keep in mind that "DNS names" is a super-set of "host names", e.g. DNS can store arbitrary binary data under arbitrary names by using quoting. The only restriction from DNS is that each label must be <=63 octets and the full name must be <=255 octets.

To support RFC 1123 the syntax should be changed to allow all-numeric host-names.
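
The two properties debated in comments 6 and 9, as an added example (not part of the bug report and not UCS code): RFC 1123 label syntax with the 63/255-octet limits, and whether the platform's `inet_aton()` would take a syntactically valid name as an IPv4 address instead of resolving it. Function names are illustrative; sample names other than those quoted in the report are constructed.

```python
import re
import socket

# One RFC 1123 label: letters, digits and hyphens, first and last character
# a letter or digit, 1..63 octets. Underscores are deliberately not allowed.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_rfc1123_hostname(name):
    """Syntax check only: RFC 1123 labels plus the DNS length limits."""
    if name.endswith("."):              # absolute form, as in the SOA record
        name = name[:-1]
    labels = name.split(".")
    # Wire format: one length octet per label, plus the empty root label.
    wire_len = sum(len(label) + 1 for label in labels) + 1
    if wire_len > 255:
        return False
    return all(LABEL.fullmatch(label) for label in labels)


def parsed_as_ipv4(name):
    """True if inet_aton() accepts the string, i.e. no DNS lookup would occur."""
    try:
        socket.inet_aton(name.rstrip("."))
    except OSError:
        return False
    return True


def classify(name):
    """Return 'invalid', 'ipv4-ambiguous' or 'ok' for a candidate host name."""
    if not is_rfc1123_hostname(name):
        return "invalid"
    if parsed_as_ipv4(name):
        return "ipv4-ambiguous"
    return "ok"


SAMPLES = [
    "master-42-140.42.schule.edu",   # from the report
    "42.schule.edu.",                # zone from the report, absolute form
    "123.42",                        # partial name from comment 9
    "123.42.tld",                    # same name with a non-numeric TLD
    "under_score.schule.edu",        # constructed: underscore is outside RFC 1123
    "-master.schule.edu",            # constructed: label starts with a hyphen
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:32} {classify(sample)}")
```
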