Bug 49489 – Can't create host record 'master-42-140.42.schule.edu' in zone '42.schule.edu'

Bug 49489 - Can't create host record 'master-42-140.42.schule.edu' in zone '42.schule.edu'


Summary:	Can't create host record 'master-42-140.42.schule.edu' in zone '42.schule.edu'

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	DNS
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:	25354
Blocks:
	Show dependency tree / graph

Reported:	2019-05-16 12:28 CEST by Nico Stöckigt
Modified:	2024-01-29 10:01 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	6: Setup Problem: Issue for the setup process
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2019012121001081
Bug group (optional):
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
dns_label_rfc_1123.patch (1.16 KB, patch) 2019-05-20 15:41 CEST, Arvid Requate	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Nico Stöckigt

2019-05-16 12:28:58 CEST

in a newly installed UCS 4.4-0 errata0 (Blumenthal) I get this Traceback in the initial run of the joinscripts while setup.

============================================================

Configure 05univention-bind.inst Thu May 16 11:33:32 CEST 2019
2019-05-16 11:33:32.347658463+02:00 (in joinscript_init)
Failed creating the DNS zone 42.schule.edu.\nCommand failed with 1:\nE: failed nameserver: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed.
Adding ZONE record "root@42.schule.edu. 1 28800 7200 604800 10800 master-42-140.42.schule.edu." to zone 42.schule.edu...
Traceback (most recent call last):
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 460, in <module>
    main()
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 433, in main
    add_zone(*args)
  File "/usr/share/univention-admin-tools/univention-dnsedit", line 391, in add_zone
    zone['nameserver'] = list(nameserver)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 423, in __setitem__
    raise univention.admin.uexceptions.valueInvalidSyntax, "%s: %s" % (key, err)
univention.admin.uexceptions.valueInvalidSyntax: nameserver: A host name or FQDN must start and end with a letter or number. In between additionally dashes, dots and underscores are allowed.
__JOINERR__:FAILED: /usr/lib/univention-install/05univention-bind.inst

============================================================

By this all following scripts, which depends on DNS, will also fail. This is blocking DNS.

Comment 1 Nico Stöckigt

2019-05-16 12:40:08 CEST

in the syslog you also find:

============================================================

Mai 16 11:26:38 unassigned-hostname named[3867]: all zones loaded
Mai 16 11:26:38 unassigned-hostname named[3867]: running
Mai 16 11:30:23 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mai 16 11:30:27 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mai 16 11:30:27 unassigned-hostname systemd[1]: bind9.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.

============================================================

Mai 16 11:38:04 master-42-140 named[12943]: loading configuration from '/etc/bind/named.conf.proxy'
Mai 16 11:38:04 master-42-140 named[12943]: /etc/bind/named.conf.proxy:14: expected IP match list element near ';'
Mai 16 11:38:04 master-42-140 named[12943]: loading configuration: unexpected token
Mai 16 11:38:04 master-42-140 named[12943]: exiting (due to fatal error)
Mai 16 11:38:04 master-42-140 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE

============================================================

===== /etc/bind/named.conf.proxy:14 =====
  1 # Warning: This file is auto-generated and might be overwritten by
  2 #          univention-config-registry.
  3 #          Please edit the following file(s) instead:
  4 # Warnung: Diese Datei wurde automatisch generiert und kann durch
  5 #          univention-config-registry ueberschrieben werden.
  6 #          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
  7 # 
  8 # 	/etc/univention/templates/files/etc/bind/named.conf.proxy
  9 # 
 10
 11
 12 controls{
 13         inet 127.0.0.1
>14         allow { ; };
 15 };	
 16

Comment 2 Arvid Requate

2019-05-16 12:45:20 CEST

DNS https://www.ietf.org/rfc/rfc952.txt says "The first character must be an alpha character."

univention-system-setup contains a check (util.is_domainname) that should complain during setup.

Comment 3 Nico Stöckigt

2019-05-16 13:54:14 CEST

(In reply to Arvid Requate from comment #2)
> univention-system-setup contains a check (util.is_domainname) that should
> complain during setup.

There was no complain from the setup...  :/

Comment 4 Arvid Requate

2019-05-16 15:06:35 CEST

Where has this been observed? Ticket?

Comment 5 Nico Stöckigt

2019-05-16 15:34:59 CEST

(In reply to Arvid Requate from comment #4)
> Where has this been observed? Ticket?

This occurred while reproducing a school environment with multiple slaves. (2019012121001081)

Comment 6 Arvid Requate

2019-05-16 15:46:24 CEST

Ah, RFC 1123 says:
     "One aspect of host name syntax is hereby changed: the
      restriction on the first character is relaxed to allow either a
      letter or a digit.  Host software MUST support this more liberal
      syntax."

And, indeed, the regex pattern of util.is_domainname allows that too.
Sorry for the confusion, changing the component back to DNS.

Comment 7 Arvid Requate

2019-05-20 15:41:44 CEST

Created attachment 10036 [details]
dns_label_rfc_1123.patch

Patch proposal.

Comment 8 Arvid Requate

2019-05-20 15:48:18 CEST

Bug #25354 introduced this behavior. The quote from RFC 1123 in Comment 6 suggests that that change was too strict.

Comment 9 Philipp Hahn

2024-01-29 10:01:12 CET

(In reply to Arvid Requate from comment #7)
> Created attachment 10036 [details]
> dns_label_rfc_1123.patch
> 
> Patch proposal.

The patch is wrong and MUST NOT be applied.

While [RFC 1123](https://www.rfc-editor.org/rfc/rfc1123#page-13) relaxed the requirement for hostnames and now allows all-numeric-names, it still is a bad idea for *host*names: There are too many implementations which automatically interpret a *numeric-host-name* as an IPv4 address and skip DNS resolution. Only by *always* giving a FQDN (where at least the TLS is not numeric) would then force DNS resolution.

Strictly speaking all-numeric-domains ("42" from you example) are okay, but you also get into trouble when you only give a *partial host-name* like "123.42" instead of including the TLD like in "123.42.tld".

The syntax for host-names in UDM is already a super-set of RFC-953 as it allows "underscored" ("_"), which only Windows allows. As it was not allowed in the original RFC, it was chosen for SRV records, which now may clash with Windows named. :-(

Also pleas keep in mind that "DNS names" is a super-set of "host names", e.g. DNS can store arbitrary binary data under arbitrary names by using quoting. The only restriction from DNS is, that each label must be <=63 octets and the full name must be <=255 octets.

To support RFC 1123 the syntax should be changed to allow all-numeric host-names.