dnscontrol: Long / MultiString TXT records fail with deSEC

deSEC provider doesn’t allow TXT records with multiple strings, but the service splits long records automatically.

After #947 validation changes, dnscontrol fails validation for long TXT records with ERROR: txt target >255 bytes and AUTOSPLIT not set. Adding AUTOSPLIT to deSEC records (or splitting manually) causes dnscontrol to fail with ERROR: TXT records with multiple strings not supported by desec.

Before, long TXT records worked, though the automatically split record caused unnecessary modifications.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 28 (17 by maintainers)

Most upvoted comments

Any chance that someone looks into this issue in the foreseeable future? This seems to be very close to a fix but like with NS1 the listed “maintainer” @D3luxee does not seem to maintain the implementation any longer. At least he didn’t participate in the discussion on this issue which is now >6 months old. (And this is not to be understood as accusation but more an observation!)

Not being able to manage TXT records with deSEC renders this highly interesting DNS provider close to unusable unfortunately…

I will take a look into this in the next days, I was very busy over the last months and had no time left. Now I got vacation and can afford to spend some time on this.

I think it's working now: the provider can create, update and delete long / multistring TXT records now. Please build and test the long_txt branch here: https://github.com/D3luxee/dnscontrol/tree/long_txt

@tlimoncelli – sorry, it’s not working. I never wanted to dive that deep into Go and dnscontrol, but in order to read the error (that is according to @peterthomassen always included in the response body) I cleaned protocol.go:

diff --git a/providers/desec/protocol.go b/providers/desec/protocol.go
index 48440144..cb20b376 100644
--- a/providers/desec/protocol.go
+++ b/providers/desec/protocol.go
@@ -208,12 +208,7 @@ retry:
                        time.Sleep(500 * time.Millisecond)
                        goto retry
                }
-               var errResp errorResponse
-               err = json.Unmarshal(bodyString, &errResp)
-               if err == nil {
-                       return bodyString, fmt.Errorf("http status %d %s details: %s", resp.StatusCode, resp.Status, errResp.Detail)
-               }
-               return bodyString, fmt.Errorf("http status %d %s, the api does not provide more information", resp.StatusCode, resp.Status)
+               return bodyString, fmt.Errorf("http status: (%d) %s\nDetails: %s", resp.StatusCode, resp.Status, bodyString)
        }
        //time.Sleep(334 * time.Millisecond)
        return bodyString, nil
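
Review bot: the replacement fmt.Errorf at the end of the retry: block drops the errResp.Detail path entirely and always appends the whole raw body to the error. Keep the json.Unmarshal attempt and use the raw body only in the fallback branch that previously returned "the api does not provide more information", so responses that parse into errResp stay concise and bodies of any other shape are no longer hidden. Consider capping the body length before formatting it, and drop the "\n" and the capitalised "Details:" so the error string stays on one line when callers wrap it.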

This gives the error message: [{"non_field_errors":["Data for TXT records must be given using quotation marks."]},{"non_field_errors":["Data for TXT records must be given using quotation marks."]}]

So, again, TXT records need to be enclosed in ".

diff --git a/providers/desec/convert.go b/providers/desec/convert.go
index 45859a0a..c42703ca 100644
--- a/providers/desec/convert.go
+++ b/providers/desec/convert.go
@@ -63,7 +63,7 @@ func recordsToNative(rcs []*models.RecordConfig, origin string) []resourceRecord
                                Records: []string{r.GetTargetCombined()},
                        }
                        if r.Type == "TXT" {
-                               zr.Records = []string{r.GetTargetField()}
+                               zr.Records = []string{`"` + r.GetTargetField()+ `"`}
                        }
                        zrs = append(zrs, zr)
                        //keys[key] = &zr   // This didn't work.
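
Review bot: in the r.Type == "TXT" branch the value is wrapped in `"` without escaping, so a target that itself contains `"` or `\` produces malformed quoted data; escape both before concatenating. The code that reads records back from the API has to strip the same quoting, otherwise a later preview compares the quoted form against the unquoted one. Also add the missing space before `+` in `r.GetTargetField()+` so the line passes gofmt.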

And this, finally, succeeds in my case for DKIM records written in that way in dnsconfig.js

TXT("google._domainkey", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgMNryBTnQaCBAvdbfeyslPJ0wdDNTZNLUxQ5YaSCIz8U+75LATZWTiJQm5Pa/qnMHgbK14GnM3dOZTgrPsLZyEnKCoKZ4/jMTgJWsZo+0Q4aEwwjKTvWM2Q+DdMVtIFo4hbgwF3W31FvFDkDJJLx7vYh80zdXKju4bCVpNRYhECpS57ZfJLQQM2WbTZgUduugwkPRqT0qjnOZhsEQkIud5dbikrkOThsbKxPAA64WbLPnCzRnKYtmRklEPMixqXcnMkbrgb9FSezwRozZY06NMV8EzA+vgLFhXtm2xObaXXTBsK6AACuRvJ1DInb+/u4bGNXXqT7tajflRodfVT5xQIDAQAB")

I guess it’s not well coded, but it shows us the direction.

I guess, we are getting closer. dnscontrol preview succeeds but every TXT wants to be modified now, e.g.

MODIFY TXT secret.domain: ("\"google-site-verification=9Mnh...\"" ttl=3600) -> ("google-site-verification=9Mnh..." ttl=3600)
MODIFY TXT google._domainkey.secret.domain: ("\"v=DKIM1; k=rsa; p=MIIB...7ji" "M\" \"RUx9...AQAB\"" ttl=3600) -> ("v=DKIM1; k=rsa; p=MIIB...7jiM" "RUx9...AQAB" ttl=3600)

To my mind, the provider is missing the correct string syntax with additional \" – see documentation from above and ["\"test value1\"","\"value2\""]

The full error of dnscontrol push is…

FAILURE! failed create rrset (deSEC): http status 400 400 Bad Request, the api does not provide more information
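
The round trip this thread is converging on, as an added example in Go (not code from dnscontrol or from any participant): quote and escape the value on write, decode the possibly multi-string form on read, and compare decoded values so that records split by the service do not show up as MODIFY. The names quoteTXT, decodeTXT and sameTXT are hypothetical, the sample record is constructed, and decimal escapes (\DDD) are not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteTXT wraps one TXT value in quotes, escaping `\` and `"` inside it.
func quoteTXT(value string) string {
	esc := strings.NewReplacer(`\`, `\\`, `"`, `\"`)
	return `"` + esc.Replace(value) + `"`
}

// decodeTXT parses one or more quoted strings ("a" "b") and joins them.
func decodeTXT(rdata string) (string, error) {
	var out strings.Builder
	inQuote := false
	for i := 0; i < len(rdata); i++ {
		c := rdata[i]
		switch {
		case !inQuote && c == '"':
			inQuote = true
		case !inQuote && (c == ' ' || c == '\t'): // gap between strings
		case !inQuote:
			return "", fmt.Errorf("unquoted data at offset %d", i)
		case c == '\\' && i+1 < len(rdata):
			i++ // keep the escaped byte, drop the backslash
			out.WriteByte(rdata[i])
		case c == '"':
			inQuote = false
		default:
			out.WriteByte(c)
		}
	}
	if inQuote {
		return "", fmt.Errorf("unterminated quoted string")
	}
	return out.String(), nil
}

// sameTXT reports whether the rdata returned by the API carries the desired value.
func sameTXT(desired, apiRdata string) bool {
	got, err := decodeTXT(apiRdata)
	return err == nil && got == desired
}

func main() {
	want := "v=DKIM1; k=rsa; p=" + strings.Repeat("A", 300) // constructed sample
	fmt.Println(sameTXT(want, quoteTXT(want[:255])+" "+quoteTXT(want[255:])))
}
```

A value that was quoted twice, like the `"\"google-site-verification=...\""` form in the preview output above, decodes to a string with literal quotes and therefore compares as different.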