Fix creation of reverse DNS zones.

Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by
default instead of using the netmask from the --ip-address option.

Custom reverse DNS zone can be specified using new --reverse-zone
option, which replaces the old --ip-address netmask way of creating
reverse zones.

The reverse DNS zone name is printed to the user during the install.

ticket 1398

install/tools/ipa-dns-install

@@ -38,14 +38,14 @@ def parse_options():
     parser.add_option("-d", "--debug", dest="debug", action="store_true",
                       default=False, help="print debugging information")
     parser.add_option("--ip-address", dest="ip_address",
-                      type="ip", ip_netmask=True, ip_local=True, help="Master Server IP Address")
+                      type="ip", ip_local=True, help="Master Server IP Address")
     parser.add_option("--forwarder", dest="forwarders", action="append",
                       type="ip", help="Add a DNS forwarder")
     parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
                       default=False, help="Do not add any DNS forwarders, use root servers instead")
-    parser.add_option("--no-reverse", dest="no_reverse",
+    parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
-                      action="store_true", default=False,
+    parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
-                      help="Do not create reverse DNS zone")
+                      default=False, help="Do not create reverse DNS zone")
     parser.add_option("--zonemgr", dest="zonemgr", 
                       help="DNS zone manager e-mail address. Defaults to root")
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
@@ -56,6 +56,8 @@ def parse_options():
 
     if options.forwarders and options.no_forwarders:
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
+    elif options.reverse_zone and options.no_reverse:
+        parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
 
     if options.unattended:
         if not options.forwarders and not options.no_forwarders:
@@ -104,26 +106,28 @@ def main():
 
     # Check we have a public IP that is associated with the hostname
     if options.ip_address:
-        ip_address = options.ip_address
+        ip = options.ip_address
     else:
         hostaddr = resolve_host(api.env.host)
-        ip_address = hostaddr and ipautil.CheckedIPAddress(hostaddr)
+        ip = hostaddr and ipautil.CheckedIPAddress(hostaddr)
 
     try:
-        verify_ip_address(ip_address)
+        verify_ip_address(ip)
     except Exception, e:
-        print "Error: Invalid IP Address %s: %s" % (ip_address, e)
+        print "Error: Invalid IP Address %s: %s" % (ip, e)
-        ip_address = None
+        ip = None
 
-    if not ip_address:
+    if not ip:
         if options.unattended:
             sys.exit("Unable to resolve IP address for host name")
         else:
-            ip_address = read_ip_address(api.env.host, fstore)
+            ip = read_ip_address(api.env.host, fstore)
-    ip_prefixlen = ip_address.prefixlen
+    ip_address = str(ip)
-    ip_address = str(ip_address)
     logging.debug("will use ip_address: %s\n", ip_address)
 
+    if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
+        sys.exit(1)
+
     if options.no_forwarders:
         dns_forwarders = ()
     elif options.forwarders:
@@ -161,13 +165,6 @@ def main():
                 sys.exit("\nPassword is not valid!")
             bind.dm_password = read_password("Directory Manager", confirm=False, validate=False)
 
-    create_reverse = True
-    if options.unattended:
-        create_reverse = not options.no_reverse
-    elif not options.no_reverse:
-        create_reverse = bindinstance.create_reverse()
-    bind.setup(api.env.host, ip_address, ip_prefixlen, api.env.realm, api.env.domain, dns_forwarders, conf_ntp, create_reverse, zonemgr=options.zonemgr)
-
     if bind.dm_password:
         api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=bind.dm_password)
     else:
@@ -175,6 +172,19 @@ def main():
         ccache = krbV.default_context().default_ccache().name
         api.Backend.ldap2.connect(ccache)
 
+    if options.reverse_zone:
+        reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
+    else:
+        reverse_zone = bindinstance.find_reverse_zone(ip)
+        if reverse_zone is None and not options.no_reverse:
+            reverse_zone = bindinstance.get_reverse_zone_default(ip)
+            if not options.unattended and bindinstance.create_reverse():
+                reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip)
+
+    if reverse_zone is not None:
+        print "Using reverse zone %s" % reverse_zone
+
+    bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain, dns_forwarders, conf_ntp, reverse_zone, zonemgr=options.zonemgr)
     bind.create_instance()
 
 

install/tools/ipa-replica-install

@@ -59,6 +59,7 @@ def parse_options():
                       type="ip", help="Add a DNS forwarder")
     parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
                       default=False, help="Do not add any DNS forwarders, use root servers instead")
+    parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
     parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
                       default=False, help="Do not create reverse DNS zone")
     parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
@@ -84,12 +85,16 @@ def parse_options():
             parser.error("You cannot specify a --forwarder option without the --setup-dns option")
         if options.no_forwarders:
             parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
+        if options.reverse_zone:
+            parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
         if options.no_reverse:
             parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
     elif options.forwarders and options.no_forwarders:
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
     elif not options.forwarders and not options.no_forwarders:
         parser.error("You must specify at least one --forwarder option or --no-forwarders option")
+    elif options.reverse_zone and options.no_reverse:
+        parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
 
     return safe_options, options, args[0]
 
@@ -183,22 +188,23 @@ def install_bind(config, options):
         sys.exit("Unable to resolve IP address for host name")
     ip = installutils.parse_ip_address(ip_address)
     ip_address = str(ip)
-    ip_prefixlen = ip.prefixlen
 
-    create_reverse = True
+    if options.reverse_zone:
-    if options.unattended:
+        if not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
-        # In unattended mode just use the cmdline flag
+            sys.exit(1)
-        create_reverse = not options.no_reverse
+        reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
     else:
-        if options.no_reverse:
+        reverse_zone = bindinstance.find_reverse_zone(ip)
-            create_reverse = False
+        if reverse_zone is None and not options.no_reverse:
-        else:
+            reverse_zone = bindinstance.get_reverse_zone_default(ip)
-            # In interactive mode, if the flag was not explicitly 
+            if not options.unattended and bindinstance.create_reverse():
-            # specified, ask the user
+                reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip)
-            create_reverse = bindinstance.create_reverse()
 
-    bind.setup(config.host_name, ip_address, ip_prefixlen, config.realm_name,
+    if reverse_zone is not None:
-               config.domain_name, forwarders, options.conf_ntp, create_reverse)
+        print "Using reverse zone %s" % reverse_zone
+
+    bind.setup(config.host_name, ip_address, config.realm_name,
+               config.domain_name, forwarders, options.conf_ntp, reverse_zone)
     bind.create_instance()
 
 def install_dns_records(config, options):
@@ -221,11 +227,11 @@ def install_dns_records(config, options):
         sys.exit("Unable to resolve IP address for host name")
     ip = installutils.parse_ip_address(ip_address)
     ip_address = str(ip)
-    ip_prefixlen = ip.prefixlen
+    reverse_zone = bindinstance.find_reverse_zone(ip)
 
-    bind.add_master_dns_records(config.host_name, ip_address, ip_prefixlen,
+    bind.add_master_dns_records(config.host_name, ip_address,
                                 config.realm_name, config.domain_name,
-                                options.conf_ntp)
+                                reverse_zone, options.conf_ntp)
 
     #set it back to the default
     api.Backend.ldap2.disconnect()

install/tools/ipa-replica-prepare

@@ -27,7 +27,7 @@ import krbV
 
 from ipapython import ipautil
 from ipaserver.install import bindinstance, dsinstance, installutils, certs
-from ipaserver.install.bindinstance import add_zone, add_reverse_zone, add_fwd_rr, add_ptr_rr, dns_zone_exists
+from ipaserver.install.bindinstance import add_zone, add_reverse_zone, add_fwd_rr, add_ptr_rr
 from ipaserver.install.replication import check_replication_plugin, enable_replication_version_checking
 from ipaserver.install.installutils import resolve_host
 from ipaserver.plugins.ldap2 import ldap2
@@ -54,8 +54,11 @@ def parse_options():
     parser.add_option("-p", "--password", dest="password", 
                       help="Directory Manager (existing master) password")
     parser.add_option("--ip-address", dest="ip_address",
-                      type="ip", ip_netmask=True,
+                      type="ip", help="Add A and PTR records of the future replica")
-                      help="Add A and PTR records of the future replica")
+    parser.add_option("--reverse-zone", dest="reverse_zone",
+                      help="The reverse DNS zone to use")
+    parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
+                      default=False, help="Do not create reverse DNS zone")
     parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
                       help="Location of CA PKCS#12 file, default /root/cacert.p12")
     parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
@@ -63,6 +66,14 @@ def parse_options():
 
     options, args = parser.parse_args()
 
+    if not options.ip_address:
+        if options.reverse_zone:
+            parser.error("You cannot specify a --reverse-zone option without the --ip-address option")
+        if options.no_reverse:
+            parser.error("You cannot specify a --no-reverse option without the --ip-address option")
+    elif options.reverse_zone and options.no_reverse:
+        parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
+
     # If any of the PKCS#12 options are selected, all are required. Create a
     # list of the options and count it to enforce that all are required without
     # having a huge set of it blocks.
@@ -255,6 +266,8 @@ def main():
         if not bindinstance.dns_container_exists(api.env.host, api.env.basedn):
             print "You can't add a DNS record because DNS is not set up."
             sys.exit(1)
+        if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
+            sys.exit(1)
 
     if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
         sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
@@ -424,31 +437,21 @@ def main():
 
         ip = options.ip_address
         ip_address = str(ip)
-        ip_prefixlen = ip.prefixlen
 
-        if ip.defaultnet:
+        if options.reverse_zone:
-            revzone = ip.reverse_dns
+            reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
-            if ip.version == 4:
+        else:
-                prefix = 32
+            reverse_zone = bindinstance.find_reverse_zone(ip)
-                dec = 8
+            if reverse_zone is None and not options.no_reverse:
-            elif ip.version == 6:
+                reverse_zone = bindinstance.get_reverse_zone_default(ip)
-                prefix = 128
-                dec = 4
-
-            while prefix > 0:
-                dummy, dot, revzone = revzone.partition('.')
-                prefix = prefix - dec
-                if dns_zone_exists(revzone):
-                    break
-
-            if prefix > 0:
-                ip_prefixlen = prefix
-            else:
-                add_reverse_zone(ip_address, ip_prefixlen)
 
         add_zone(domain)
         add_fwd_rr(domain, name, ip_address)
-        add_ptr_rr(ip_address, ip_prefixlen, replica_fqdn)
+
+        if reverse_zone is not None:
+            print "Using reverse zone %s" % reverse_zone
+            add_reverse_zone(reverse_zone)
+            add_ptr_rr(reverse_zone, ip_address, replica_fqdn)
 
 try:
     if not os.geteuid()==0:

install/tools/ipa-server-install

@@ -100,7 +100,7 @@ def parse_options():
                       help="File containing PKCS#10 of the external CA chain")
     parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
     parser.add_option("--ip-address", dest="ip_address",
-                      type="ip", ip_netmask=True, ip_local=True,
+                      type="ip", ip_local=True,
                       help="Master Server IP Address")
     parser.add_option("--setup-dns", dest="setup_dns", action="store_true",
                       default=False, help="configure bind with our zone")
@@ -108,6 +108,7 @@ def parse_options():
                       type="ip", help="Add a DNS forwarder")
     parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
                       default=False, help="Do not add any DNS forwarders, use root servers instead")
+    parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
     parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
                       default=False, help="Do not create reverse DNS zone")
     parser.add_option("--zonemgr", action="callback", callback=zonemgr_callback,
@@ -154,10 +155,14 @@ def parse_options():
             parser.error("You cannot specify a --forwarder option without the --setup-dns option")
         if options.no_forwarders:
             parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
+        if options.reverse_zone:
+            parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
         if options.no_reverse:
             parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
     elif options.forwarders and options.no_forwarders:
         parser.error("You cannot specify a --forwarder option together with --no-forwarders")
+    elif options.reverse_zone and options.no_reverse:
+        parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
 
     if options.uninstall:
         if (options.realm_name or
@@ -552,7 +557,7 @@ def main():
     master_password = ""
     dm_password = ""
     admin_password = ""
-    create_reverse = True
+    reverse_zone = None
 
     # check bind packages are installed
     if options.setup_dns:
@@ -631,7 +636,9 @@ def main():
         ip = read_ip_address(host_name, fstore)
         logging.debug("read ip_address: %s\n" % str(ip))
     ip_address = str(ip)
-    ip_prefixlen = ip.prefixlen
+
+    if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
+        sys.exit(1)
 
     print "The IPA Master Server will be configured with"
     print "Hostname:    " + host_name
@@ -896,18 +903,17 @@ def main():
     # Create a BIND instance
     bind = bindinstance.BindInstance(fstore, dm_password)
     if options.setup_dns:
-        if options.unattended:
+        if options.reverse_zone:
-            # In unattended mode just use the cmdline flag
+            reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
-            create_reverse = not options.no_reverse
+        elif not options.no_reverse:
-        else:
+            reverse_zone = bindinstance.get_reverse_zone_default(ip)
-            if options.no_reverse:
+            if not options.unattended and bindinstance.create_reverse():
-                create_reverse = False
+                reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip)
-            else:
-                # In interactive mode, if the flag was not explicitly
-                # specified, ask the user
-                create_reverse = bindinstance.create_reverse()
 
-    bind.setup(host_name, ip_address, ip_prefixlen, realm_name, domain_name, dns_forwarders, options.conf_ntp, create_reverse, zonemgr=options.zonemgr)
+        if reverse_zone is not None:
+            print "Using reverse zone %s" % reverse_zone
+
+    bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders, options.conf_ntp, reverse_zone, zonemgr=options.zonemgr)
     if options.setup_dns:
         api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
 

install/tools/man/ipa-dns-install.1

@@ -40,6 +40,9 @@ A forwarder is a DNS server where queries for a specific non\-resolvable address
 \fB\-\-no\-forwarders\fR
 Do not add any DNS forwarders, send non\-resolvable addresses to the DNS root servers.
 .TP
+\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
+The reverse DNS zone to use
+.TP
 \fB\-\-no\-reverse\fR
 Do not create reverse DNS zone
 .TP

install/tools/man/ipa-replica-install.1

@@ -56,6 +56,9 @@ the \fB\-\-no\-forwarders\fR option is specified.
 \fB\-\-no\-forwarders\fR
 Do not add any DNS forwarders. Root DNS servers will be used instead.
 .TP
+\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
+The reverse DNS zone to use
+.TP
 \fB\-\-no\-reverse\fR
 Do not create reverse DNS zone
 .TP

install/tools/man/ipa-replica-prepare.1

@@ -54,6 +54,12 @@ Directory Manager (existing master) password
 \fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
 IP address of the replica server. If you provide this option, the A and PTR records will be added to the DNS.
 .TP
+\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
+The reverse DNS zone to use
+.TP
+\fB\-\-no\-reverse\fR
+Do not create reverse DNS zone
+.TP
 \fB\-\-ca\fR=\fICA_FILE\fR
 Location of CA PKCS#12 file, default /root/cacert.p12
 .TP

install/tools/man/ipa-server-install.1

@@ -79,6 +79,9 @@ the \fB\-\-no\-forwarders\fR option is specified.
 \fB\-\-no\-forwarders\fR
 Do not add any DNS forwarders. Root DNS servers will be used instead.
 .TP
+\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
+The reverse DNS zone to use
+.TP
 \fB\-\-no\-reverse\fR
 Do not create reverse DNS zone
 .TP

ipaserver/install/bindinstance.py

@@ -60,6 +60,12 @@ def check_inst(unattended):
 
     return True
 
+def normalize_zone(zone):
+    if zone[-1] != '.':
+        return zone + '.'
+    else:
+        return zone
+
 def create_reverse():
     return ipautil.user_input("Do you want to configure the reverse zone?", True)
 
@@ -99,22 +105,6 @@ def dns_container_exists(fqdn, suffix):
 
     return ret
 
-def get_reverse_zone(ip_address_str, ip_prefixlen):
-    ip = netaddr.IPAddress(ip_address_str)
-    items = ip.reverse_dns.split('.')
-
-    if ip.version == 4:
-        pos = 4 - ip_prefixlen / 8
-    elif ip.version == 6:
-        pos = 32 - ip_prefixlen / 4
-    else:
-        raise ValueError('Bad address format?')
-
-    name = '.'.join(items[:pos])
-    zone = '.'.join(items[pos:])
-
-    return unicode(zone), unicode(name)
-
 def dns_zone_exists(name):
     try:
         zone = api.Command.dnszone_show(unicode(name))
@@ -126,6 +116,60 @@ def dns_zone_exists(name):
     else:
         return True
 
+def get_reverse_record_name(zone, ip_address):
+    ip = netaddr.IPAddress(ip_address)
+    rev = '.' + normalize_zone(zone)
+    fullrev = '.' + normalize_zone(ip.reverse_dns)
+
+    if not fullrev.endswith(rev):
+        raise ValueError("IP address does not match reverse zone")
+
+    return fullrev[1:-len(rev)]
+
+def verify_reverse_zone(zone, ip_address):
+    try:
+        get_reverse_record_name(zone, ip_address)
+    except ValueError:
+        print "Invalid reverse zone %s" % zone
+        return False
+
+    return True
+
+def get_reverse_zone_default(ip_address):
+    ip = netaddr.IPAddress(ip_address)
+    items = ip.reverse_dns.split('.')
+
+    if ip.version == 4:
+        items = items[1:]   # /24 for IPv4
+    elif ip.version == 6:
+        items = items[16:]  # /64 for IPv6
+
+    return normalize_zone('.'.join(items))
+
+def find_reverse_zone(ip_address):
+    ip = netaddr.IPAddress(ip_address)
+    zone = normalize_zone(ip.reverse_dns)
+
+    while len(zone) > 0:
+        if dns_zone_exists(zone):
+            return zone
+        foo, bar, zone = zone.partition('.')
+
+    return None
+
+def get_reverse_zone(ip_address):
+    return find_reverse_zone(ip_address) or get_reverse_zone_default(ip_address)
+
+def read_reverse_zone(default, ip_address):
+    while True:
+        zone = ipautil.user_input("Please specify the reverse zone name", default=default)
+        if not zone:
+            return None
+        if verify_reverse_zone(zone, ip_address):
+            break
+
+    return normalize_zone(zone)
+
 def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_address=None,
        update_policy=None):
     if update_policy is None:
@@ -158,9 +202,8 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_addres
         add_ns_rr(name, hostname, dns_backup=None, force=True)
 
 
-def add_reverse_zone(ip_address, ip_prefixlen, ns_hostname=None, ns_ip_address=None,
+def add_reverse_zone(zone, ns_hostname=None, ns_ip_address=None,
         ns_replicas=[], update_policy=None, dns_backup=None):
-    zone, name = get_reverse_zone(ip_address, ip_prefixlen)
     if update_policy is None:
         update_policy = "grant %s krb5-subdomain %s. PTR;" % (api.env.realm, zone)
 
@@ -207,8 +250,8 @@ def add_fwd_rr(zone, host, ip_address):
     elif addr.version == 6:
         add_rr(zone, host, "AAAA", ip_address)
 
-def add_ptr_rr(ip_address, ip_prefixlen, fqdn, dns_backup=None):
+def add_ptr_rr(zone, ip_address, fqdn, dns_backup=None):
-    zone, name = get_reverse_zone(ip_address, ip_prefixlen)
+    name = get_reverse_record_name(zone, ip_address)
     add_rr(zone, name, "PTR", fqdn+".", dns_backup)
 
 def add_ns_rr(zone, hostname, dns_backup=None, force=True):
@@ -288,22 +331,20 @@ class BindInstance(service.Service):
         self.domain = None
         self.host = None
         self.ip_address = None
-        self.ip_prefixlen = None
         self.realm = None
         self.forwarders = None
         self.sub_dict = None
-        self.create_reverse = True
+        self.reverse_zone = None
 
         if fstore:
             self.fstore = fstore
         else:
             self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
-    def setup(self, fqdn, ip_address, ip_prefixlen, realm_name, domain_name, forwarders, ntp, create_reverse, named_user="named", zonemgr=None):
+    def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, reverse_zone, named_user="named", zonemgr=None):
         self.named_user = named_user
         self.fqdn = fqdn
         self.ip_address = ip_address
-        self.ip_prefixlen = ip_prefixlen
         self.realm = realm_name
         self.domain = domain_name
         self.forwarders = forwarders
@@ -311,7 +352,7 @@ class BindInstance(service.Service):
         self.host_domain = '.'.join(fqdn.split(".")[1:])
         self.suffix = util.realm_to_suffix(self.realm)
         self.ntp = ntp
-        self.create_reverse = create_reverse
+        self.reverse_zone = reverse_zone
 
         if zonemgr:
             self.zonemgr = zonemgr.replace('@','.')
@@ -346,7 +387,7 @@ class BindInstance(service.Service):
             self.step("adding NS record to the zone", self.__add_self_ns)
         else:
             self.step("setting up our zone", self.__setup_zone)
-        if self.create_reverse:
+        if self.reverse_zone is not None:
             self.step("setting up reverse zone", self.__setup_reverse_zone)
         self.step("setting up our own record", self.__add_self)
 
@@ -440,11 +481,11 @@ class BindInstance(service.Service):
 
         # Add forward and reverse records to self
         add_fwd_rr(zone, self.host, self.ip_address)
-        if dns_zone_exists(get_reverse_zone(self.ip_address, self.ip_prefixlen)[0]):
+        if self.reverse_zone is not None and dns_zone_exists(self.reverse_zone):
-            add_ptr_rr(self.ip_address, self.ip_prefixlen, self.fqdn)
+            add_ptr_rr(self.reverse_zone, self.ip_address, self.fqdn)
 
     def __setup_reverse_zone(self):
-        add_reverse_zone(self.ip_address, self.ip_prefixlen, ns_hostname=api.env.host,
+        add_reverse_zone(self.reverse_zone, ns_hostname=api.env.host,
                 ns_ip_address=self.ip_address, dns_backup=self.dns_backup)
 
     def __setup_principal(self):
@@ -501,16 +542,16 @@ class BindInstance(service.Service):
         resolv_fd.write(resolv_txt)
         resolv_fd.close()
 
-    def add_master_dns_records(self, fqdn, ip_address, ip_prefixlen,
+    def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
-                               realm_name, domain_name, ntp=False):
+                               reverse_zone, ntp=False):
         self.fqdn = fqdn
         self.ip_address = ip_address
-        self.ip_prefixlen = ip_prefixlen
         self.realm = realm_name
         self.domain = domain_name
         self.host = fqdn.split(".")[0]
         self.suffix = util.realm_to_suffix(self.realm)
         self.ntp = ntp
+        self.reverse_zone = reverse_zone
 
         self.__add_self()
 
@@ -538,21 +579,12 @@ class BindInstance(service.Service):
         for (type, rdata) in areclist:
             del_rr(zone, host, type, rdata)
 
-            ip = netaddr.IPAddress(rdata)
+            rzone = find_reverse_zone(rdata)
-            rzone = ip.reverse_dns
+            if rzone is not None:
-            record = ''
+                record = get_reverse_record_name(rzone, rdata)
-
+                del_rr(rzone, record, "PTR", fqdn+".")
-            while True:
+                # remove also master NS record from the reverse zone
-                part, dot, rzone = rzone.partition('.')
+                del_rr(rzone, "@", "NS", fqdn+".")
-                if len(rzone) == 0:
-                    break
-                record = (record + '.' + part).lstrip('.')
-
-                if dns_zone_exists(rzone):
-                    del_rr(rzone, record, "PTR", fqdn+".")
-                    # remove also master NS record from the reverse zone
-                    del_rr(rzone, "@", "NS", fqdn+".")
-                    break
 
 
     def uninstall(self):