Bug 671549

Summary: ipa dnsrecord-add allows you to create ptr records in the @ zone
Product: [Retired] freeIPA
Reporter: Michael Gregg <mgregg>
Component: ipa-admintools
Assignee: Rob Crittenden <rcritten>
Status: CLOSED WONTFIX
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: atkac, benl, dpal, jhrozek
Doc Type: Bug Fix
Last Closed: 2011-02-10 21:09:42 UTC

Description Michael Gregg 2011-01-21 20:18:10 UTC
Description of problem:
dnsrecord-add allows you to create ptr records in @ zones. 

Version-Release number of selected component (if applicable):
ipa-server-2.0-0.2011011418gita68b2d2.fc14.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create zone: ipa dnszone-add 4.4.4.in-addr.arpa
2. Create a bad record: ipa dnsrecord-add 4.4.4.in-addr.arpa @ --ptr-rec=domain.awesome.times.now.
  
Actual results:
This creates a PTR record in the @ zone.
That's an illegal place for a PTR record to go. It's kind of allowing an A record in the root zone. It makes no sense, and could cause issues with outer resolves.

Expected results:
I expect that there would be some sort of keepout list for the @ zone. 
I also expect that the tools would allow this when a --force option is specified.

Comment 1 Dmitri Pal 2011-01-24 21:37:57 UTC
https://fedorahosted.org/freeipa/ticket/841

Comment 2 Adam Tkac 2011-02-07 12:14:55 UTC
In my opinion this is not a bug.

DNS specifies no restrictions on which resource records (A/PTR/AAAA etc.) can be bound to certain names. It's absolutely valid to have, for example, an A or PTR record in the zone with the same name as the zone's.

----
Example:

Consider zone "example.com." which contains the following record:

example.com. IN A 1.1.1.1

then consider zone "1.1.1.in-addr.arpa." which contains the following record:

1.1.1.1.in-addr.arpa. IN CNAME example.com.

then zone "example.com." must contain the following PTR record:

example.com. IN PTR example.com.
----

The example above (usage of the CNAME record for reverse lookup) is not an "exotic" setup; it is widely used for reverse records (more info at http://en.wikipedia.org/wiki/Reverse_DNS_lookup#Classless_reverse_DNS_method).

I would rather not introduce IPA-specific limitations for DNS.
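
The lookup path from the example in Comment 2, as an added Python example that is not part of the original bug report or of FreeIPA's code: a small in-memory resolver chases the CNAME from the reverse name to the PTR stored at the forward zone's apex, then repeats the lookup with apex PTR records filtered out. The record set is constructed from the comment's three records; `resolve`, `reverse_lookup` and `without_apex_ptr` are hypothetical names introduced here.

```python
import ipaddress

# Constructed records copied from the example in Comment 2 (not live DNS data).
RECORDS = {
    ("example.com.", "A"): ["1.1.1.1"],
    ("1.1.1.1.in-addr.arpa.", "CNAME"): ["example.com."],
    ("example.com.", "PTR"): ["example.com."],   # PTR at the zone apex
}

def resolve(records, name, rtype, max_chain=8):
    """Look up (name, rtype), chasing CNAMEs the way a resolver does.

    Returns (answers, chain) where chain lists every owner name visited.
    """
    name = name.lower()
    chain = [name]
    while len(chain) <= max_chain:
        if (name, rtype) in records:
            return records[(name, rtype)], chain
        alias = records.get((name, "CNAME"))
        if alias is None:
            return [], chain                      # no data at the end of the chain
        name = alias[0].lower()
        if name in chain:
            raise ValueError("CNAME loop at " + name)
        chain.append(name)
    raise ValueError("CNAME chain too long")

def reverse_lookup(records, ip):
    """PTR lookup for an address, starting at its in-addr.arpa / ip6.arpa name."""
    return resolve(records, ipaddress.ip_address(ip).reverse_pointer + ".", "PTR")

def without_apex_ptr(records, zone_apexes):
    """Hypothetical 'keepout' rule: drop every PTR whose owner is a zone apex."""
    return {k: v for k, v in records.items()
            if not (k[1] == "PTR" and k[0] in zone_apexes)}

if __name__ == "__main__":
    print(reverse_lookup(RECORDS, "1.1.1.1"))
    filtered = without_apex_ptr(RECORDS, {"example.com."})
    print(reverse_lookup(filtered, "1.1.1.1"))
```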