fix subtree validation

miesi-ionos · miesi-ionos · commit 002296afe9fa · 2025-08-04T22:55:26.000+02:00
diff --git a/dim-testsuite/t/rr-create-dname-1.t b/dim-testsuite/t/rr-create-dname-1.t
@@ -90,9 +90,9 @@ $ ndcli create rr hr.dept.old.example.com. a 1.2.3.8 -q
 
 # Cleanup
 $ ndcli delete zone old.example.com --cleanup
-INFO - Deleting RR hr.dept.old.example.com A 1.2.3.8 from zone old.example.com
-INFO - Freeing IP 1.2.3.8 from layer3domain default
 INFO - Deleting RR conflict A 1.2.3.4 from zone old.example.com
 INFO - Freeing IP 1.2.3.4 from layer3domain default
+INFO - Deleting RR hr.dept A 1.2.3.8 from zone old.example.com
+INFO - Freeing IP 1.2.3.8 from layer3domain default
 INFO - Deleting RR test DNAME test.new.example.com. from zone old.example.com
 $ ndcli delete zone new.example.com --cleanup
diff --git a/dim/dim/dns.py b/dim/dim/dns.py
@@ -195,10 +195,17 @@ def check_new_rr(new_rr):
                 .filter(~RR.type.in_(('NS', 'DS'))).count():
             raise InvalidParameterError('%s cannot be created because other RRs with the same name exist' % new_rr)
         # Check for conflicting records under the DNAME subtree
-        dname_prefix = new_rr.name[:-1] if new_rr.name.endswith('.') else new_rr.name
-        if _same_view_or_different_zone(new_rr)\
-                .filter(RR.name.like(dname_prefix + '.%')).count():
-            raise InvalidParameterError('%s cannot be created because RRs exist under the DNAME subtree' % new_rr)
+        # Records under the DNAME subtree are those that are subdomains of the DNAME
+        dname_name = new_rr.name if new_rr.name.endswith('.') else new_rr.name + '.'
+        
+        # Find all records that could be under this DNAME subtree
+        all_records = _same_view_or_different_zone(new_rr).filter(RR.name != dname_name).all()
+        
+        for record in all_records:
+            record_name = record.name if record.name.endswith('.') else record.name + '.'
+            # Check if this record is a subdomain of the DNAME
+            if record_name != dname_name and record_name.endswith('.' + dname_name):
+                raise InvalidParameterError('%s cannot be created because RRs exist under the DNAME subtree' % new_rr)
     elif new_rr.type == 'PTR':
         if _same_view_or_different_zone(new_rr)\
                 .filter(RR.type == 'CNAME').filter(RR.name == new_rr.name).count():
@@ -214,8 +221,12 @@ def check_new_rr(new_rr):
         # Check if new record is under a DNAME subtree
         dname_records = _same_view_or_different_zone(new_rr).filter(RR.type == 'DNAME').all()
         for dname in dname_records:
-            dname_prefix = dname.name[:-1] if dname.name.endswith('.') else dname.name
-            if new_rr.name.startswith(dname_prefix + '.'):
+            # Normalize names by ensuring they end with a dot
+            dname_name = dname.name if dname.name.endswith('.') else dname.name + '.'
+            new_rr_name = new_rr.name if new_rr.name.endswith('.') else new_rr.name + '.'
+            
+            # Check if the new record is a subdomain under the DNAME
+            if new_rr_name != dname_name and new_rr_name.endswith('.' + dname_name):
                 raise InvalidParameterError('%s cannot be created under DNAME subtree %s' % (new_rr, dname.name))
 
 
