Bug 52408 - warn when trailing dot is missing
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - DNS
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
QA Contact: UMC maintainers
Reported: 2020-11-20 17:50 CET by Philipp Hahn
Modified: 2022-10-12 08:32 CEST
What kind of report is it?: Feature Request
Ticket number: 2022101021000319
Bug group (optional): bitesize
hahn: Patch_Available+

Description Philipp Hahn univentionstaff 2020-11-20 17:50:20 CET
When creating new DNS entries (mainly CNAME) it's important whether the name ends with a dot or not: in the latter case the zone name is appended. This often leads to confusion and wrong entries.

UMC should warn if the dot is missing.

There could also be a "validate" function (in UMC diagnostics) which checks those CNAMEs and warns if the target is not resolvable.

The customer has lost hours until he noticed his error.

TT 2020-11-19/20
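
An added example (not part of the original report and not UCS code): an offline sketch of the kind of check the description asks for, showing how a zone-file style CNAME target without a trailing dot is expanded and which targets deserve a warning. The zone, the records and all function names are constructed for illustration, and nothing is resolved over the network.

```python
# Added example: audit CNAME targets for the missing-trailing-dot mistake.
# Zone name and records are constructed sample data, not taken from the bug.

def expand(target, zone):
    """Return the absolute name a DNS server derives from a zone-file style target."""
    if target.endswith("."):
        return target.lower()  # already absolute, used as written
    # relative name: the zone name is appended
    return "{}.{}.".format(target, zone.rstrip(".")).lower()

def classify(target, zone):
    """Classify a target as 'absolute', 'single-label', 'relative' or 'doubled-zone'."""
    if target.endswith("."):
        return "absolute"
    labels = target.lower().split(".")
    if len(labels) == 1:
        return "single-label"  # e.g. "web01": relative on purpose
    zone_labels = zone.rstrip(".").lower().split(".")
    if labels[-len(zone_labels):] == zone_labels:
        return "doubled-zone"  # zone typed in full, trailing dot forgotten
    return "relative"  # e.g. "server.section": ambiguous without the dot

def audit(zone, records):
    """Return (alias, target, effective name, verdict) for targets worth a warning."""
    findings = []
    for alias, target in records:
        verdict = classify(target, zone)
        if verdict in ("relative", "doubled-zone"):
            findings.append((alias, target, expand(target, zone), verdict))
    return findings

SAMPLE_ZONE = "example.com"
SAMPLE_RECORDS = [
    ("www", "web01"),
    ("mail", "mx.example.com"),
    ("cdn", "edge.provider.test"),
    ("ok", "edge.provider.test."),
    ("intranet", "server.section"),
]

if __name__ == "__main__":
    for alias, target, effective, verdict in audit(SAMPLE_ZONE, SAMPLE_RECORDS):
        print("{:10} {:22} -> {:40} [{}]".format(alias, target, effective, verdict))
```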
Comment 1 Philipp Hahn univentionstaff 2022-10-11 18:16:31 CEST
Warning: if S4C is installed and running, the "broken" entry with the "missing" dot is synchronized by S4C from LDAP to Samba and back to LDAP; something adds the "missing" dot and afterwards the entry in LDAP/UDM/UMC will have the dot appended automatically.

In environments without S4C this "fix" will not happen.
Comment 3 Philipp Hahn univentionstaff 2022-10-12 08:32:53 CEST
syntax=univention.admin.syntax.dnsHostname is used which should warn if it does not end on a "dot".

Or we can change the syntax to either allow
- a single label "foo", where the zone name is then appended by BIND.
- a qualified name "foo.bar.tld." which enforces the trailing dot.

While actually "server.section" where $zone is appended is allowed, it will allow more failures than preventing errors. As such I would add something like this to
management/univention-directory-manager-modules/modules/univention/admin/syntax.py:2956

 »···@classmethod                                                                                                                                                                                                                                                       
 »···def parse(self, text):
 »···»···text = super(dnsHostname, self).parse(text)
 »···»···if self.NUMERIC.match(text):
 »···»···»···raise univention.admin.uexceptions.valueError(_("Full name must not be all numeric!"))
-»···»···labels = (text[:-1] if text.endswith('.') else text).split('.')
+»···»···qualified = text.endswith('.')
+»···»···labels = (text[:-1] if qualified else text).split('.')
 »···»···if not all(self.LABEL.match(label) for label in labels):
 »···»···»···raise univention.admin.uexceptions.valueError(_(
 »···»···»···»···"A hostname or any part of a FQDN, separated by dots, starts and ends with a letter or a digit. "
 »···»···»···»···"In between letters, digits, dashes and underscores are allowed. Only numbers are not allowed."
 »···»···»···))
+»···»···if not qualified and '.' in text.strip('.'):
+»···»···»···raise univention.admin.uexceptions.valueError(_(
+»···»···»···»···"Qualified hostname should end with dot to prevent zone name from getting appended."
+»···»···»···))
 »···»···return text
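
Review bot: The new check at `if not qualified and '.' in text.strip('.')` raises `valueError`, which rejects the value outright, while its message says the name "should end with dot" and the bug asks for a warning; either word it as a requirement ("must end with a dot") or surface it as a non-fatal warning. The comment above notes that relative names like "server.section" are currently allowed, so this starts rejecting values that validated before, and existing entries and other users of this syntax should be checked before it lands. The condition can reuse the list that is already computed, `len(labels) > 1`, instead of scanning `text` again, and the change would benefit from test cases for "foo", "foo.bar" and "foo.bar.tld.".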