Classless IN-ADDR.ARPA delegation support and zone/recordset regex

Bug #2073036 reported by Mikhail
This bug affects 1 person

Affects: Designate
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

For now it's not possible to use a "/" in zone/recordset delegation, but it's needed in the case of classless IN-ADDR.ARPA delegation.

Steps to reproduce:
Try to create zone or recordset
 openstack recordset create --record="ns2.example1., ns1.example2." --type=NS <zone_uuid> "0/24"
Recordset:
 openstack recordset create --record="ns2.example1., ns1.example2." --type=NS <zone_uuid> "0/24"

Actual result:

Provided object is not valid. Got a ValueError error with message Host name 0/24.example.com. is not match

The use case comes from RFC 2317: https://datatracker.ietf.org/doc/html/rfc2317
Theory:
• DNS clients always look for names like w.x.y.z.in-addr.arpa because clients can’t possibly know how networks are partitioned.
• The main trick is to use CNAME/DNAME records to redirect clients from w.x.y.z.in-addr.arpa to some other name. The target name can be an arbitrary DNS name, i.e. the name can belong to a different zone, and normal delegation rules will apply.
• A common practice is to create auxiliary sub-domains in the in-addr.arpa. sub-tree, but it is not strictly required.

Example
• We want to delegate zone for classless network: 198.51.100.0/26
 ◦ We want to host records for this (smaller) network on server test1.example..
• Nearest classful network (with netmask at byte boundary) is: 198.51.100.0/24
 ◦ Records for this network should be hosted on server test2.example..
• Create auxiliary zone 0/26.100.51.198.in-addr.arpa.:
 ◦ openstack zone create --email <email address hidden> --ttl=7200 0/26.100.51.198.in-addr.arpa.
• Add all PTR records to this new zone:
 ◦ openstack recordset create --record="my.machine.example." --type=PTR 0/26.100.51.198.in-addr.arpa.
 ◦ … (add all other records as necessary)
• Create classful zone 100.51.198.in-addr.arpa.:
 ◦ openstack zone create --email <email address hidden> --ttl=7200 100.51.198.in-addr.arpa.
• Add CNAMEs for all PTR records belonging to the smaller zone:
 ◦ openstack recordset create --record 1.0/26 --type CNAME 1.0/26 1.100.51.198.in-addr.arpa.
 ◦ … (add all other records as necessary)
• Delegate sub-zone 0/26.100.51.198.in-addr.arpa. from test2.example. to test1.example.:
 ◦ openstack recordset create --record="test1.example." --type=NS 100.51.198.in-addr.arpa. "0/26"

Testing
The following command should always return the same results, no matter which DNS server you query:
$ dig -t PTR 1.100.51.198.in-addr.arpa.

;; QUESTION SECTION:
;1.100.51.198.in-addr.arpa. IN PTR

;; ANSWER SECTION:
1.100.51.198.in-addr.arpa. 86400 IN CNAME 1.0/26.100.51.198.in-addr.arpa.
1.0/26.100.51.198.in-addr.arpa. 86400 IN PTR my.machine.example.

Graham Hayes (grahamhayes) wrote :

We do not support the `/` split - when it was written not all DNS servers supported it (and some still may not), so the `-` was chosen.

https://docs.openstack.org/designate/latest/user/manage-ptr-records.html#classless-in-addr-arpa-delegation has details of how to use that syntax.

Michael Johnson (johnsom) wrote :

If you read the last paragraph in section 4 of the RFC, it is recommended to not use "/":

   The examples here use "/" because it was felt to be more visible and
   pedantic reviewers felt that the 'these are not hostnames' argument
   needed to be repeated. We advise you not to be so pedantic, and to
   not precisely copy the above examples, e.g. substitute a more
   conservative character, such as hyphen, for "/".

As Graham highlighted, the documentation calls this out at the link he referenced.

Changed in designate:
status: New → Invalid
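
The delegation discussed in this report, generated with the hyphen separator that both comments recommend (an added example, not part of the bug report and not Designate code). The function names are hypothetical, and `LDH_LABEL` is a generic RFC 1123 letter-digit-hyphen check assumed here to stand in for a hostname-style validator; it is not Designate's actual regex.

```python
import ipaddress
import re

# Assumption: a generic RFC 1123 letter-digit-hyphen label check, standing in
# for a hostname-style validator; this is not Designate's actual regex.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ldh_name(name):
    """True if every label of an absolute DNS name is letters, digits or hyphens."""
    labels = name.rstrip(".").split(".")
    return all(LDH_LABEL.match(label) for label in labels)


def classless_delegation(cidr, nameservers, sep="-"):
    """Build the RFC 2317 child zone name and the parent-zone records for it.

    Returns (child_zone, records), where records are (owner, type, target)
    tuples to create in the enclosing /24 reverse zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 31:
        raise ValueError("expected an IPv4 network between /25 and /31")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    child = f"{first}{sep}{net.prefixlen}.{parent}"
    # NS records at the child name delegate it out of the parent zone.
    records = [(child, "NS", ns) for ns in nameservers]
    # One CNAME per address in the block (network and broadcast included)
    # redirects w.x.y.z.in-addr.arpa into the child zone.
    for addr in net:
        last = str(addr).rsplit(".", 1)[1]
        records.append((f"{last}.{parent}", "CNAME", f"{last}.{child}"))
    return child, records


if __name__ == "__main__":
    # Constructed input: the 198.51.100.0/26 network from the report.
    for sep in ("/", "-"):
        child, records = classless_delegation(
            "198.51.100.0/26", ["test1.example."], sep)
        print(child, "passes LDH check:", is_ldh_name(child))
    for owner, rtype, target in records[:3]:
        print(owner, "IN", rtype, target)
```

The PTR records themselves are then created inside the child zone on the delegated server, as in the report's example.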