Bug 907913

Summary: ipa dnsrecord-add does not allow top level domains with numbers
Product: Red Hat Enterprise Linux 7 Reporter: Ann Marie Rubin <arubin>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: jgalipea, mkosek, spoore, xdong
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.2.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 13:17:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ann Marie Rubin 2013-02-05 14:19:21 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3385

The following check is too strict:

{{{
ipa dnsrecord-add idm.lab.bos.redhat.com TBADTEST0 --ns-hostname=TBADTEST.TBADTEST0
ipa: ERROR: invalid 'ns_hostname': invalid domain-name: top level domain label must be alphabetic
}}}

Note:
I hit on this when trying to set up AD trust. TBADTEST0 was configured by AD installer when NETBIOS domain inferred from the domain collided with the NETBIOS computer name. So it can happen without admins trying fancy configuration.
Comment 1 Martin Kosek 2013-03-15 11:54:41 UTC 
In the end, we decided to drop this particular check altogether. As Petr Spacek confirmed, zones violating this rule does no harm to bind/bind-dyndb-ldap.

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/8de6c3fa90e44ab3a157d5022f532e5604b0bfe2
ipa-3-1: https://fedorahosted.org/freeipa/changeset/a0f853c0895a4e33f6900614f3dc4694327f7714
Comment 4 Scott Poore 2014-01-29 22:11:31 UTC 
Verified.

Version ::

ipa-server-3.3.3-15.el7.x86_64

Results ::

[root@rhel7-4 ~]# ipa dnsrecord-add example.com TBADTEST0 --ns-hostname=TBADTEST.TBADTEST0.
ipa: ERROR: Nameserver 'TBADTEST.TBADTEST0.' does not have a corresponding A/AAAA record

[root@rhel7-4 ~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.122.74

[root@rhel7-4 ~]# hostname
rhel7-4.example.com

[root@rhel7-4 ~]# nslookup rhel7-4.example.com
Server:		192.168.122.74
Address:	192.168.122.74#53

Name:	rhel7-4.example.com
Address: 192.168.122.74

[root@rhel7-4 ~]# ipa dnszone-add TBADTEST0. --name-server=rhel7-4.example.com. --admin-email=ipaqar.redhat.com
  Zone name: tbadtest0.
  Authoritative nameserver: rhel7-4.example.com.
  Administrator e-mail address: ipaqar.redhat.com.
  SOA serial: 1391033230
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant
                      EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@rhel7-4 ~]# ipa dnsrecord-add TBADTEST0 TBADTEST --a-rec=2.2.2.1
  Record name: TBADTEST
  A record: 2.2.2.1

[root@rhel7-4 ~]# ipa dnsrecord-add example.com TBADTEST0 --ns-hostname=TBADTEST.TBADTEST0.
  Record name: TBADTEST0
  NS record: TBADTEST.TBADTEST0.
Comment 5 Ludek Smid 2014-06-13 13:17:41 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.