Foreman 2.0.1: Nsupdate, bind, PTR record creation for /27 subnet fails silently

Hello,
my name is Fabian and this is my very first topic here in the community.

We started to test foreman in our department for provisioning virtual machines on vmware-infrastructure and are making really good progress so far.

In a proof of concept in a separate private space earlier, everything worked fine. When we started a “pilot” in our infrastructure, we noticed that Foreman works without throwing errors, but the PTR records are not there.

I have an idea that this is a problem of the smart proxy not using the sub-net notation for nsupdate,
but I want to see if you guys with more experience think this is really the issue.

TLDR:
PTR record creation in a /27 subnet fails silently.
Is this a bug? Is this a “missing feature”?
Can I do something about it?
Is there a way to change the nameserver configuration (I can do nothing about the IP subnet… we only have this subnet delegated in that datacenter)?

Thank you very much for any insights/ideas!

The long story:
Problem:
On machine creation in Foreman everything looks fine, but PTR records are not created.
Foreman does not throw an error about not being able to create PTR records.

The subnet where the machine is created is 10.1.0.192/27.

The A record is created, and for A and PTR records the same smart proxy is used. nsupdate works. (See logs below.)

Expected outcome:
On machine creation, PTR and A records get created successfully, or Foreman throws an error.

Foreman and Proxy versions:
Foreman 2.0.1
Foreman-proxy 2.0.1

We install Foreman “the hard way” with Ansible on our own. But it's working, with the exception of these PTR records in the /27 subnet… so I think the installation is not the problem here… but please ask anything, I will provide more information when needed.

Foreman and Proxy plugin versions:
I will provide them, but I do not know how to get these versions…

Distribution and version:
Ubuntu 18.04

Foreman architecture

  • Subnet A (10.0.0.0/24)
    • Foreman
    • with smart-proxy on it for TFTP and DNS (nsupdate vs external BIND)
  • Subnet B (10.1.0.192/27) (machine will be created here)
    • Smart Proxy with DHCP configured

Other relevant data:

Smart Proxy log excerpt:

2020-07-01T09:01:09  [D] accept: 10.0.0.15:49946
2020-07-01T09:01:09  [D] Rack::Handler::WEBrick is invoked.
2020-07-01T09:01:09 4b56b050 [I] Started POST /dns/
2020-07-01T09:01:09 4b56b050 [D] verifying remote client 10.0.0.15 against trusted_hosts ["foreman.redacted.net"]
2020-07-01T09:01:09 4b56b050 [D] Finished DNS query getresources for 'roger-mcfaul.redacted.net' in 2.26 ms
2020-07-01T09:01:09 4b56b050 [D] running /usr/bin/nsupdate -k /etc/foreman-proxy/dns.key
2020-07-01T09:01:09 4b56b050 [D] nsupdate: executed - server nameserver.redacted.net
2020-07-01T09:01:09 4b56b050 [D] nsupdate: executed - update add roger-mcfaul.redacted.net. 86400 A 10.1.0.211
2020-07-01T09:01:09 4b56b050 [I] Finished POST /dns/ with 200 (19.3 ms)
2020-07-01T09:01:09  [D] close: 10.0.0.15:49946
2020-07-01T09:01:09  [D] accept: 10.0.0.15:49948
2020-07-01T09:01:09  [D] Rack::Handler::WEBrick is invoked.
2020-07-01T09:01:09 4b56b050 [I] Started POST /dns/
2020-07-01T09:01:09 4b56b050 [D] verifying remote client 10.0.0.15 against trusted_hosts ["foreman.redacted.net"]
2020-07-01T09:01:09 4b56b050 [D] Finished DNS query getresources for '211.0.1.10.in-addr.arpa' in 2.51 ms
2020-07-01T09:01:09 4b56b050 [D] running /usr/bin/nsupdate -k /etc/foreman-proxy/dns.key
2020-07-01T09:01:09 4b56b050 [D] nsupdate: executed - server nameserver.redacted.net
2020-07-01T09:01:09 4b56b050 [D] nsupdate: executed - update add 211.0.1.10.in-addr.arpa. 86400 PTR roger-mcfaul.redacted.net
2020-07-01T09:01:09 4b56b050 [I] Finished POST /dns/ with 200 (18.54 ms)
2020-07-01T09:01:09  [D] close: 10.0.0.15:49948

Failing manual nsupdate, done the way Foreman does it:

nsupdate -k /etc/foreman-proxy/dns.key:
> server nameserver.redacted.net
> update add 211.0.1.10.in-addr.arpa. 86400 PTR roger-mcfaul.redacted.net
> send

Return value: 0
but it displays “could not find enclosing zone”; no PTR record is created.

Working manual nsupdate

nsupdate -k /etc/foreman-proxy/dns.key:
> server nameserver.redacted.net
> update add 211.192/27.0.1.10.in-addr.arpa. 86400 PTR roger-mcfaul.redacted.net
> send

Return value: 0, no error message displayed, PTR record present.

I don’t think this is valid. With IPv4 there are no /27 reverse zones, only /8 (10.in-addr.arpa), /16 (1.10.in-addr.arpa) and /24 (0.1.10.in-addr.arpa). Out there, there are CNAME hacks, but we don’t support those. The recommended solution is that Foreman is able to write to the /24 reverse.

Thank you very much for your answer!

Unfortunately our department only has the /27 delegated and has access only to the nameserver with the corresponding reverse zone.

What do you think, does a change implementing a fix for this have a chance of getting merged into the proxy? Then we would maybe have a look at doing this.

For the moment I have to think of another way to create the reverse records.

If someone has an idea how to solve this, I am very happy to read it!

Some links to describe the CNAME hacks mentioned:

I’m aware of the hacks, but I don’t think anyone has considered implementing this. You would need some sort of domain map.

https://github.com/theforeman/smart-proxy/blob/develop/modules/dns/dns_api.rb is the API which then passes it to common:


You would need to implement some mapping there I think. Probably store a config in YAML somewhere:

mapping:
  10.1.0.192/27: 192/27.0.1.10.in-addr.arpa

Then do a lookup in the config and rewrite the FQDN if a match is found.
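The lookup-and-rewrite the previous post sketches, and the classful /24 reverse name the earlier reply refers to, as an added example in Ruby (the smart proxy's language); this is illustration code, not the smart-proxy's own code, and the mapping hash, `ptr_name_for` and `nsupdate_script` are assumed names. Addresses outside any mapped delegation fall back to the ordinary classful name, so the rewrite only changes behaviour for the RFC 2317 ranges you configure.

```ruby
require 'ipaddr'

# Constructed mapping, keyed by CIDR: the classless (RFC 2317) reverse zone
# that the nameserver actually hosts for that range. Assumption: a real
# implementation would load this from a YAML file instead of a constant.
REVERSE_ZONE_MAP = {
  '10.1.0.192/27' => '192/27.0.1.10.in-addr.arpa'
}.freeze

# Classful reverse name for an IPv4 address, i.e. the owner name the proxy
# sends today ("211.0.1.10.in-addr.arpa" for 10.1.0.211). This only exists
# as a zone at /8, /16 or /24 boundaries, which is why nsupdate reports
# "could not find enclosing zone" for a /27-only delegation.
def classful_ptr_name(ip)
  addr = IPAddr.new(ip)
  raise ArgumentError, 'IPv4 address expected' unless addr.ipv4?
  addr.reverse
end

# Rewrite the PTR owner name when the address lies inside a mapped classless
# delegation; otherwise return the classful name unchanged.
def ptr_name_for(ip, mapping = REVERSE_ZONE_MAP)
  addr = IPAddr.new(ip)
  raise ArgumentError, 'IPv4 address expected' unless addr.ipv4?
  mapping.each do |cidr, zone|
    next unless IPAddr.new(cidr).include?(addr)
    # RFC 2317 names keep the host octet in front of the delegated zone.
    return "#{ip.split('.').last}.#{zone}"
  end
  classful_ptr_name(ip)
end

# The three lines fed to "nsupdate -k <keyfile>", in the order the proxy
# log shows them (server, update add, send).
def nsupdate_script(server, ip, fqdn, ttl = 86_400)
  [
    "server #{server}",
    "update add #{ptr_name_for(ip)}. #{ttl} PTR #{fqdn}",
    'send'
  ]
end
```

Because nsupdate exits 0 even when it prints "could not find enclosing zone", a proxy change along these lines would also need to check nsupdate's stderr (or query the PTR back) to turn the silent failure into a reported error.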

Thank you very much for your hints.

I discussed this in our department, but for now we do not have anyone with the skill to implement this change.

It is a sad thing, but unfortunately this cannot be changed at the moment.

You can still hire somebody to do the change for you. Let me know if you want contacts.