[Freeipa-devel] [PATCH] 302 Stricter IP network validator in dnszone-add command

Adam Tkac atkac at redhat.com
Wed Sep 5 11:06:36 UTC 2012


On Wed, Sep 05, 2012 at 01:02:35PM +0200, Jan Cholasta wrote:
> On 5.9.2012 12:48, Martin Kosek wrote:
> >On 09/05/2012 12:36 PM, Jan Cholasta wrote:
> >>On 5.9.2012 12:22, Petr Spacek wrote:
> >>>On 09/05/2012 11:30 AM, Jan Cholasta wrote:
> >>>>On 5.9.2012 10:04, Martin Kosek wrote:
> >>>>>We allowed IP addresses without network specification which led
> >>>>>to unexpected results when the zone was being created. We should rather
> >>>>>strictly require the prefix/netmask specifying the IP network that
> >>>>>the reverse zone should be created for. This is already done in
> >>>>>Web UI.
> >>>>>
> >>>>>A unit test exercising this new validation was added.
> >>>>>
> >>>>>https://fedorahosted.org/freeipa/ticket/2461
> >>>>>
> >>>>
> >>>>I don't like this much. I would suggest using CheckedIPAddress and not
> >>>>forcing the user to enter the prefix length instead.
> >>>>
> >>>>CheckedIPAddress uses a sensible default prefix length if one is not
> >>>>specified (class-based for IPv4, /64 for IPv6) as opposed to IPNetwork
> >>>>(/32 for IPv4, /128 for IPv6 - this causes the erroneous reverse zones
> >>>>to be created as described in the ticket).
> >>>>
> >>>Hello,
> >>>
> >>>I don't like automatic netmask guessing. I have met class-based guessing
> >>>in Windows (XP?) and I was forced to overwrite default mask all the time
> >>>...
> >>
> >>If there was no guessing, you would have to write the netmask anyway, so I
> >>don't see any harm in guessing here.
> >>
> >>>
> >>>IMHO there is no "sensible default prefix" in real world. I am sitting on
> >>>network with /23 prefix right now. Also, I have never seen 10.x network
> >>>with /8 prefix.
> >>>
> >>
> >>While this might be true for IPv4 in some cases, /64 is perfectly sensible for
> >>IPv6. Also, I have never seen 192.168.x.x network with non-/24 prefix.
> >>
> >>Honza
> >>
> >
> >While this may be true for 192.168.x.x, it does not apply for 10.x.x.x networks
> >as Petr already pointed out. I don't think that there will be many people
> >expecting that a reverse zone of 10.0.0.0/24 would be created.
> 
> And they would be correct, because the default prefix length for a
> class A network is /8, not /24.
> 
> >
> >And since FreeIPA is mainly deployed to internal networks, I assume this will
> >be the case of most users.
> >
> >Martin
> >
> 
> OK, but what about IPv6? Correct me if I'm wrong, but the prefix
> length is going to be /64 99% of the time for IPv6.

You are right, IPv6 networks could have a default /64 prefix. However, as I
wrote in a different mail, I don't recommend using a default IPv4 prefix at
all because FreeIPA targets company environments, where /24 is not so common,
not home environments.

> The installer uses /24 for IPv4 addresses and /64 for IPv6
> addresses, maybe this should be used as a default here as well.

Regards, Adam

-- 
Adam Tkac, Red Hat, Inc.
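
Added example (not part of the original message and not the FreeIPA patch): a sketch of the behaviour debated in this thread, showing that a bare address parses as /32 or /128 and so maps to a single-host reverse zone, next to a validator that requires an explicit prefix or netmask. It uses Python's standard `ipaddress` module rather than the IPNetwork/CheckedIPAddress classes named above; the helper names `parse_strict_network` and `reverse_zone`, the zone-naming rule, and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def parse_strict_network(value):
    """Return a network object only if value carries an explicit prefix/netmask."""
    if "/" not in value:
        raise ValueError("prefix length or netmask required: %r" % value)
    # strict=False accepts host bits (10.0.0.1/23) and masks them off.
    # An empty or malformed prefix still raises ValueError here.
    return ipaddress.ip_network(value, strict=False)


def reverse_zone(net):
    """Smallest reverse zone on a label boundary that contains net (assumed rule)."""
    if net.version == 4:
        labels = net.prefixlen // 8   # whole octets covered by the prefix
        parts = str(net.network_address).split(".")[:labels]
        suffix = "in-addr.arpa."
    else:
        labels = net.prefixlen // 4   # whole nibbles covered by the prefix
        parts = list(net.network_address.exploded.replace(":", ""))[:labels]
        suffix = "ip6.arpa."
    return ".".join(parts[::-1] + [suffix])


if __name__ == "__main__":
    # Constructed sample inputs.
    # Lenient parsing: a missing prefix silently becomes /32 or /128.
    for bare in ("10.0.0.1", "2001:db8::1"):
        net = ipaddress.ip_network(bare)
        print("lenient %-14s -> %-18s zone %s" % (bare, net, reverse_zone(net)))

    # Strict parsing: the caller must state the network explicitly.
    for value in ("10.0.0.1", "10.0.0.1/23", "10.0.0.1/255.255.254.0",
                  "2001:db8::1/64"):
        try:
            net = parse_strict_network(value)
            print("strict  %-24s -> %-16s zone %s" % (value, net, reverse_zone(net)))
        except ValueError as err:
            print("strict  %-24s -> rejected (%s)" % (value, err))
```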



