[2.0] confusing reverse DNS lookups because MAAS creates multiple PTR records
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MAAS | | Undecided | Unassigned | |
| 2.0 | | Undecided | Unassigned | |
| apache2 (Ubuntu) | | Undecided | Unassigned | |
Bug Description
Hi,
we are running MAAS 2.0.0~beta8+
1.1.1.10.
1.1.1.10.
This leads to some problems, for example with Apache mod_authz_host, which does reverse lookups and gets a different answer every time (well, a 50/50 chance to get either one of the two, to be more precise).
Also deployed hosts think their fqdn is of the first type, others the second type. I suppose this is not necessarily a bug but imho having multiple PTR records for the same address is not the best idea either.
||/ Name Version Architecture Description
+++-===
ii maas 2.0.0~beta8+
ii maas-cli 2.0.0~beta8+
un maas-cluster-
ii maas-common 2.0.0~beta8+
ii maas-dhcp 2.0.0~beta8+
ii maas-dns 2.0.0~beta8+
ii maas-proxy 2.0.0~beta8+
ii maas-rack-
ii maas-region-api 2.0.0~beta8+
ii maas-region-
un maas-region-
un python-django-maas <none> <none> (no description available)
un python-maas-client <none> <none> (no description available)
un python-
ii python3-django-maas 2.0.0~beta8+
ii python3-maas-client 2.0.0~beta8+
ii python3-
Related branches
- Mike Pontillo (community): Approve on 2016-07-08
  Diff: 539 lines (+164/-112), 6 files modified
  src/maasserver/dns/tests/test_zonegenerator.py (+11/-22)
  src/maasserver/dns/zonegenerator.py (+1/-35)
  src/maasserver/models/dnsresource.py (+6/-3)
  src/maasserver/models/staticipaddress.py (+61/-16)
  src/maasserver/models/tests/test_dnsresource.py (+2/-2)
  src/maasserver/models/tests/test_staticipaddress.py (+83/-34)
- LaMont Jones (community): Approve on 2016-07-11
  Diff: 696 lines (+237/-135), 6 files modified
  src/maasserver/dns/tests/test_zonegenerator.py (+11/-22)
  src/maasserver/dns/zonegenerator.py (+12/-38)
  src/maasserver/models/dnsresource.py (+6/-3)
  src/maasserver/models/staticipaddress.py (+102/-36)
  src/maasserver/models/tests/test_dnsresource.py (+2/-2)
  src/maasserver/models/tests/test_staticipaddress.py (+104/-34)
| Changed in maas: | |
| status: | New → Triaged |
| LaMont Jones (lamont) wrote : | #1 |
| LaMont Jones (lamont) wrote : | #2 |
For purposes of charming, the apache charm (or whatever) will need to add all of the PTR RRset names to the authorized list, to work around the apache bug.
| LaMont Jones (lamont) wrote : | #3 |
Having said all that, I'm now leaning toward not putting the interface name PTR on the IPs of boot interfaces, since that seems to be the more general mode.
Note however: if multiple names resolve to the same IP, then all of them will be in the PTR RRset. (Since this is a valid and often service-required state.)
| Changed in maas: | |
| milestone: | none → 2.0.0 |
| summary: |
- ambigious reverse DNS lookups because MAAS creates multiple PTR records + [2.0] confusing reverse DNS lookups because MAAS creates multiple PTR + records |
| Changed in maas: | |
| milestone: | 2.0.0 → 2.1.0 |
| Changed in maas: | |
| status: | Triaged → Fix Committed |
| Stefan Fleischmann (sfleischmann) wrote : | #4 |
Thanks for the clarification, I did not notice that MAAS does not create A records for <interface>
By the way here is the debug log output from Apache's error.log:
[Sat Jul 09 11:53:57.366338 2016] [authz_host:error] [pid 26131:tid 139886547891968] [client 10.1.1.1:50694] AH01753: access check of 'test2.maas' to /1.txt failed, reason: unable to get the remote host name
[Sat Jul 09 11:53:57.366520 2016] [authz_core:debug] [pid 26131:tid 139886547891968] mod_authz_
[Sat Jul 09 11:53:57.366602 2016] [authz_core:debug] [pid 26131:tid 139886547891968] mod_authz_
[Sat Jul 09 11:53:57.366754 2016] [authz_core:error] [pid 26131:tid 139886547891968] [client 10.1.1.1:50694] AH01630: client denied by server configuration: /var/www/html/1.txt
| LaMont Jones (lamont) wrote : | #5 |
As landed, the FQDN maps to the "primary" IP, and everything else gets IFACE.FQDN -- with possible multi-address and/or multi-PTR RRs in the RRset, which makes sense.
| Changed in maas: | |
| milestone: | 2.0.1 → next |
| Changed in maas: | |
| status: | Fix Committed → Fix Released |
| Changed in maas: | |
| milestone: | next → none |


This will be fixed by adding A/AAAA RRsets for the interface names (first format above). If the second format (non-interface) is given to mod_authz_host, then either answer will work.
Having said that, this is actually a bug in mod_authz_host, which should grant access if ANY of the PTR RRset names matches the list of allowed hosts.
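The behaviour discussed in this report, as an added example that is not code from Apache, MAAS or any commenter: a simplified model of a forward-confirmed reverse DNS host check, comparing a check that uses a single PTR answer with one that accepts any forward-confirmed name in the PTR RRset. The DNS data is constructed; `eth0` is a made-up interface label, `10.9.9.9` is a made-up address, and the function names are hypothetical.

```python
# Constructed DNS data (assumption, not taken from a real zone).
# 10.1.1.1 is the client address from the Apache log above; it has two PTR
# names, and only the host FQDN has a forward A record (the pre-fix state).
# 10.9.9.9 is an address whose reverse zone claims the allowed name without
# any matching A record.
PTR = {
    "10.1.1.1": ["eth0.test2.maas", "test2.maas"],
    "10.9.9.9": ["test2.maas"],
}
A = {"test2.maas": ["10.1.1.1"]}


def forward_confirmed(name, ip):
    """True if the name's forward RRset contains the address it came from."""
    return ip in A.get(name, [])


def host_matches(name, allowed):
    """Whole-label suffix match: 'a.test2.maas' matches 'test2.maas'."""
    name = name.lower().rstrip(".")
    return any(name == a or name.endswith("." + a) for a in allowed)


def check_single(ip, allowed, index=0):
    """Use one PTR answer only, picked by position (models RRset rotation)."""
    names = PTR.get(ip, [])
    if not names:
        return False
    name = names[index % len(names)]
    return forward_confirmed(name, ip) and host_matches(name, allowed)


def check_rrset(ip, allowed):
    """Allow if ANY PTR name is both forward-confirmed and on the allow list."""
    return any(
        forward_confirmed(name, ip) and host_matches(name, allowed)
        for name in PTR.get(ip, [])
    )


if __name__ == "__main__":
    allowed = ["test2.maas"]
    for i in range(2):
        print("single answer", i, "->", check_single("10.1.1.1", allowed, i))
    print("whole RRset ->", check_rrset("10.1.1.1", allowed))
    print("unconfirmed PTR ->", check_rrset("10.9.9.9", allowed))
```

Each candidate name is still forward-confirmed before it is matched, so accepting any name in the RRset does not let an unconfirmed PTR record satisfy the allow list.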