[Freeipa-devel] [PATCH] 302 Stricter IP network validator in dnszone-add command

Martin Kosek mkosek at redhat.com
Thu Sep 13 12:49:42 UTC 2012


On 09/05/2012 01:02 PM, Jan Cholasta wrote:
> Dne 5.9.2012 12:48, Martin Kosek napsal(a):
>> On 09/05/2012 12:36 PM, Jan Cholasta wrote:
>>> Dne 5.9.2012 12:22, Petr Spacek napsal(a):
>>>> On 09/05/2012 11:30 AM, Jan Cholasta wrote:
>>>>> Dne 5.9.2012 10:04, Martin Kosek napsal(a):
>>>>>> We allowed IP addresses without network specification which lead
>>>>>> to unexpected results when the zone was being created. We should rather
>>>>>> strictly require the prefix/netmask specifying the IP network that
>>>>>> the reverse zone should be created for. This is already done in
>>>>>> Web UI.
>>>>>>
>>>>>> A unit test exercising this new validation was added.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2461
>>>>>>
>>>>>
>>>>> I don't like this much. I would suggest using CheckedIPAddress and not
>>>>> forcing the user to enter the prefix length instead.
>>>>>
>>>>> CheckedIPAddress uses a sensible default prefix length if one is not
>>>>> specified (class-based for IPv4, /64 for IPv6) as opposed to IPNetwork
>>>>> (/32 for IPv4, /128 for IPv6 - this causes the erroneous reverse zones
>>>>> to be created as described in the ticket).
>>>>>
>>>> Hello,
>>>>
>>>> I don't like automatic netmask guessing. I have met class-based guessing
>>>> in Windows (XP?) and I was forced to overwrite the default mask all the
>>>> time ...
>>>
>>> If there was no guessing, you would have to write the netmask anyway, so I
>>> don't see any harm in guessing here.
>>>
>>>>
>>>> IMHO there is no "sensible default prefix" in the real world. I'm sitting
>>>> on a network with a /23 prefix right now. Also, I have never seen a 10.x
>>>> network with a /8 prefix.
>>>>
>>>
>>> While this might be true for IPv4 in some cases, /64 is perfectly sensible for
>>> IPv6. Also, I have never seen 192.168.x.x network with non-/24 prefix.
>>>
>>> Honza
>>>
>>
>> While this may be true for 192.168.x.x, it does not apply for 10.x.x.x networks
>> as Petr already pointed out. I don't think that there will be many people
>> expecting that a reverse zone of 10.0.0.0/24 would be created.
> 
> And they would be correct, because the default prefix length for a class A
> network is /8, not /24.
> 
>>
>> And since FreeIPA is mainly deployed to internal networks, I assume this will
>> be the case of most users.
>>
>> Martin
>>
> 
> OK, but what about IPv6? Correct me if I'm wrong, but the prefix length is
> going to be /64 99% of the time for IPv6.
> 
> The installer uses /24 for IPv4 addresses and /64 for IPv6 addresses, maybe
> this should be used as a default here as well.
> 
> Honza
> 

In the end, I chose a more liberal approach: instead of defining a stricter
validator for IPv4 only, I used the approach already implemented in the
installers, i.e. the default length of the network prefix is 24 for IPv4 and
64 for IPv6.

Updated patch attached.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-302-2-use-default-reverse-zone-consistently.patch
Type: text/x-patch
Size: 7040 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120913/8cd3bddf/attachment.bin>
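As an added illustration of the defaults argued over in this thread (not code from the patch or from FreeIPA), the following derives the reverse zone each default-prefix policy would yield for an address typed without a prefix: the /32 and /128 host default of IPNetwork, the classful default Honza attributes to CheckedIPAddress, and the /24 and /64 installer default Martin adopted. The policy names and helper functions are assumptions made for this example.

```python
"""Reverse zone names under the three default-prefix policies from the
thread.  Added example, not FreeIPA code.  Assumed policy names:
  "host"  -> IPNetwork default: /32 for IPv4, /128 for IPv6
  "class" -> classful IPv4 default (A /8, B /16, C /24), /64 for IPv6
  "fixed" -> installer default adopted in the patch: /24 IPv4, /64 IPv6
"""
import ipaddress


def default_prefix(addr, policy):
    """Prefix length to assume when the user gave none."""
    if policy == "host":
        return addr.max_prefixlen          # 32 or 128: a single host
    if addr.version == 6:
        return 64                          # "class" and "fixed" both use /64
    if policy == "fixed":
        return 24
    first = int(addr) >> 24                # classful: inspect the first octet
    if first < 128:
        return 8                           # class A
    if first < 192:
        return 16                          # class B
    return 24                              # class C (and above, for simplicity)


def reverse_zone(text, policy="fixed"):
    """Reverse zone name for an address or network string."""
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
    else:
        addr = ipaddress.ip_address(text)
        prefix = default_prefix(addr, policy)
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zone needs a prefix multiple of 8")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zone needs a prefix multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    for policy in ("host", "class", "fixed"):
        print(policy, reverse_zone("10.0.0.5", policy), reverse_zone("2001:db8::1", policy))
```

For 10.0.0.5 the three policies give a single-host zone, 10.in-addr.arpa. and 0.0.10.in-addr.arpa. respectively, which is exactly the disagreement in the thread.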