StackExchange / dnscontrol

Infrastructure as code for DNS!
https://dnscontrol.org/
MIT License

IGNORE_NAME with root record #1106

Closed net47 closed 3 years ago

net47 commented 3 years ago

I can use IGNORE_NAME to successfully ignore any subdomain, which is fine. But how can I ignore the root record ("@")?

IGNORE_NAME(''), is not working, the root record gets deleted:

******************** Domain: example.com
----- Getting nameservers from: gcdns_example
----- DNS Provider: gcdns_example...1 correction
#1: DELETE A example.com 1.1.1.1 ttl=60

SUCCESS!

tlimoncelli commented 3 years ago

Interesting bug! Does IGNORE_NAME('@') work?

net47 commented 3 years ago

Interesting bug! Does IGNORE_NAME('@') work?

Nope, error:

******************** Domain: example.com
----- Getting nameservers from: gcdns_example
----- DNS Provider: gcdns_example...ERROR
Error getting corrections: incdiff error: trying to update/add IGNORE_NAMEd record: @ TXT

net47 commented 3 years ago

@tlimoncelli any hints how to work-around or resolve this issue? Many thanks!

tlimoncelli commented 3 years ago

I can reproduce the problem in PR https://github.com/StackExchange/dnscontrol/pull/1118

tlimwork5:~/git/dnscontrol/integrationTest$ export BIND_DOMAIN='example.com'
tlimwork5:~/git/dnscontrol/integrationTest$ go test -v -verbose -provider BIND -start 6 -end 8
...
...MUCH DELETED...
...
WRITING ZONEFILE: zones/example.com.zone
--- FAIL: TestDNSProviders (0.01s)
    --- FAIL: TestDNSProviders/example.com (0.01s)
        --- PASS: TestDNSProviders/example.com/Clean_Slate:Empty (0.00s)
        --- PASS: TestDNSProviders/example.com/06:IGNORE_NAME_function:Create_some_records (0.00s)
        --- PASS: TestDNSProviders/example.com/06:IGNORE_NAME_function:Add_a_new_record_-_ignoring_foo (0.00s)
        --- PASS: TestDNSProviders/example.com/06:IGNORE_NAME_function:Empty (0.00s)
        --- PASS: TestDNSProviders/example.com/06:IGNORE_NAME_function:Create_some_records#01 (0.00s)
        --- PASS: TestDNSProviders/example.com/06:IGNORE_NAME_function:Add_a_new_record_-_ignoring_*.foo (0.00s)
        --- PASS: TestDNSProviders/example.com/Post_cleanup:Empty (0.00s)
        --- PASS: TestDNSProviders/example.com/07:IGNORE_TARGET_function:Create_some_records (0.00s)
        --- PASS: TestDNSProviders/example.com/07:IGNORE_TARGET_function:Add_a_new_record_-_ignoring_test.foo.com. (0.00s)
        --- PASS: TestDNSProviders/example.com/07:IGNORE_TARGET_function:Empty (0.00s)
        --- PASS: TestDNSProviders/example.com/07:IGNORE_TARGET_function:Create_some_records#01 (0.00s)
        --- PASS: TestDNSProviders/example.com/07:IGNORE_TARGET_function:Add_a_new_record_-_ignoring_**.foo.com._targets (0.00s)
        --- PASS: TestDNSProviders/example.com/Post_cleanup:Empty#01 (0.00s)
        --- PASS: TestDNSProviders/example.com/08:IGNORE_NAME_apex:Create_some_records (0.00s)
        --- FAIL: TestDNSProviders/example.com/08:IGNORE_NAME_apex:Add_a_new_record_-_ignoring_foo (0.00s)
        --- PASS: TestDNSProviders/example.com/Post_cleanup:Empty#02 (0.00s)
=== RUN   TestDualProviders
    integration_test.go:295: Clearing everything
    integration_test.go:301: Adding nameservers from another provider
    integration_test.go:289: #1: GENERATE_ZONEFILE: 'example.com'. Changes:
        CREATE NS example.com ns1.example.com. ttl=300
        CREATE NS example.com ns2.example.com. ttl=300
WRITING ZONEFILE: zones/example.com.zone
    integration_test.go:304: Running again to ensure stability
--- PASS: TestDualProviders (0.00s)
FAIL
exit status 1
FAIL    github.com/StackExchange/dnscontrol/v3/integrationTest  0.316s

You might be able to track it down from there.

Tom

tlimoncelli commented 3 years ago

Hi!

I figured out what was happening. The problem wasn't what I expected. I expected there to be a logic error when comparing "@" and "example.com". However, that wasn't the issue. In fact, everything is normalized to "@" properly before comparison.

The problem is that some providers insert NS/SOA records at the apex. The IGNORE_NAME feature prevents users from accidentally using DnsControl to modify labels that would be ignored. The system was seeing these NS records as such modifications. Thus the error.

Can you take a look at the tlim_ignoreapex branch (https://github.com/StackExchange/dnscontrol/pull/1118) and see if that works for you?

net47 commented 3 years ago

Maybe I'm doing something wrong, but I just built the Docker container using your branch and executed a dnscontrol preview, and I'm still getting errors:

********** DEBUG: matchIgnoredName "@" "<text:`@`>" true
ERROR
Error getting corrections: incdiff error: trying to update/add IGNORE_NAMEd record: @ TXT

My dnsconfig.js looks like this:

...
IGNORE_NAME('@'),
...

Using IGNORE_NAME('') deletes the root entry.

tlimoncelli commented 3 years ago

The error message mentions @ TXT... are there any TXT records being inserted in dnsconfig.js or by the provider?

net47 commented 3 years ago

This is my full dnsconfig.js:

var REG_NONE = NewRegistrar('none', 'NONE');    // No registrar.
var GCDNS_HOME = NewDnsProvider("gcdns_home", "GCLOUD");

D('tremmel.xyz', REG_NONE, DnsProvider(GCDNS_HOME),
    A('controller', '192.168.20.1'),
    A('guest', '192.168.1.1'),
    CNAME('magdalena','net47.github.io.'),
    CNAME('hello','net47.github.io.'),
    CNAME('www','@'),
    CNAME('dashboard','@'),
    CNAME('api','@'),
    CNAME('carrier','vpn-lf.tremmel.xyz.'),
    IGNORE_NAME('@'),
    IGNORE_NAME('vpn'),
    IGNORE_NAME('vpn-lf'),
    TXT('@', 'v=spf1 include:_spf.google.com ~all'),
    TXT('@', 'google-site-verification=wDlpL5py8W4FQM_eGOahqMut-1pFk4rKLhECRglHDSw'),
    MX('@', 1, 'ASPMX.L.GOOGLE.COM.'),
    MX('@', 5, 'ALT1.ASPMX.L.GOOGLE.COM.'),
    MX('@', 5, 'ALT2.ASPMX.L.GOOGLE.COM.'),
    MX('@', 10, 'ALT3.ASPMX.L.GOOGLE.COM.'),
    MX('@', 10, 'ALT4.ASPMX.L.GOOGLE.COM.'),
    TXT('mailjet._becfdddb', 'becfdddb988cc0d42ab01920052cb0ca')
);

tlimoncelli commented 3 years ago

Ah, I see the problem!

IGNORE_NAME('@'), means "I promise not to touch tremmel.xyz so that something else can have total control."

TXT('@', 'v=spf1 include:_spf.google.com ~all') adds something to tremmel.xyz, which violates the previous promise.

Possible work-around: use the other DNS system to add those TXT records

net47 commented 3 years ago

Ok, now I also see it. IGNORE_NAME doesn't only ignore the A record but the complete name. Is it somehow possible to specify the record type when using IGNORE_NAME?

tlimoncelli commented 3 years ago

Not currently.

How would you feel about a flag like this?

    TXT('@', 'text string', { ignore_name_disable_safety_check: "true" } ),

tlimoncelli commented 3 years ago

I've done an initial implementation. Try this:

    TXT('@', 'v=spf1 include:_spf.google.com ~all', IGNORE_NAME_DISABLE_SAFETY_CHECK),
    TXT('@', 'google-site-verification=wDlpL5py8W4FQM_eGOahqMut-1pFk4rKLhECRglHDSw', IGNORE_NAME_DISABLE_SAFETY_CHECK),
    MX('@', 1, 'ASPMX.L.GOOGLE.COM.', IGNORE_NAME_DISABLE_SAFETY_CHECK),
    MX('@', 5, 'ALT1.ASPMX.L.GOOGLE.COM.', IGNORE_NAME_DISABLE_SAFETY_CHECK),
    MX('@', 5, 'ALT2.ASPMX.L.GOOGLE.COM.', IGNORE_NAME_DISABLE_SAFETY_CHECK),
    MX('@', 10, 'ALT3.ASPMX.L.GOOGLE.COM.', IGNORE_NAME_DISABLE_SAFETY_CHECK),
    MX('@', 10, 'ALT4.ASPMX.L.GOOGLE.COM.', IGNORE_NAME_DISABLE_SAFETY_CHECK),
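The three outcomes reported in this thread (IGNORE_NAME('') deleting the apex A record, IGNORE_NAME('@') rejecting the user's own TXT('@'), and the per-record safety-check override yielding zero corrections) follow from one rule: an ignored label is carried over untouched, and a desired record on that label is an error unless it is explicitly exempted. The Go program below is an added example written for this page, not dnscontrol's own code; `Record`, `Corrections`, `normalizeLabel` and `sampleZone` are hypothetical names, the record set is constructed, and the choice to normalize the zone's FQDN to "@" while leaving an empty label alone is an assumption made so the model reproduces the behaviour net47 observed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record is a simplified DNS record for this example (not dnscontrol's
// RecordConfig). DisableSafetyCheck stands in for the per-record
// IGNORE_NAME_DISABLE_SAFETY_CHECK flag discussed in the thread.
type Record struct {
	Name               string // label relative to the zone; "@" is the apex
	Type               string
	Target             string
	DisableSafetyCheck bool
}

// normalizeLabel maps the zone's own name (with or without a trailing dot) to
// "@", following the maintainer's note that apex names are normalized before
// comparison. An empty label is deliberately left as "" (assumption), which is
// why IGNORE_NAME('') does not protect the apex in this model.
func normalizeLabel(label, zone string) string {
	l := strings.TrimSuffix(strings.ToLower(label), ".")
	if l == strings.TrimSuffix(strings.ToLower(zone), ".") {
		return "@"
	}
	return l
}

func key(r Record) string { return r.Name + " " + r.Type + " " + r.Target }

// Corrections computes the CREATE/DELETE list. Ignored labels are never
// touched; a desired record on an ignored label is rejected unless it carries
// the safety-check override.
func Corrections(zone string, existing, desired []Record, ignoreNames []string) ([]string, error) {
	ignored := map[string]bool{}
	for _, n := range ignoreNames {
		ignored[normalizeLabel(n, zone)] = true
	}

	want := map[string]Record{}
	for _, r := range desired {
		r.Name = normalizeLabel(r.Name, zone)
		if ignored[r.Name] && !r.DisableSafetyCheck {
			// Same wording as the error quoted in the thread.
			return nil, fmt.Errorf("trying to update/add IGNORE_NAMEd record: %s %s", r.Name, r.Type)
		}
		want[key(r)] = r
	}

	have := map[string]Record{}
	for _, r := range existing {
		r.Name = normalizeLabel(r.Name, zone)
		have[key(r)] = r
		if ignored[r.Name] {
			// Carry ignored records over unchanged so they are never deleted.
			want[key(r)] = r
		}
	}

	var out []string
	for k, r := range have {
		if _, ok := want[k]; !ok {
			out = append(out, fmt.Sprintf("DELETE %s %s %s", r.Type, r.Name, r.Target))
		}
	}
	for k, r := range want {
		if _, ok := have[k]; !ok {
			out = append(out, fmt.Sprintf("CREATE %s %s %s", r.Type, r.Name, r.Target))
		}
	}
	sort.Strings(out)
	return out, nil
}

// sampleZone builds a constructed zone: the apex A record is managed outside
// dnscontrol, while the SPF TXT and the www CNAME are in dnsconfig.js.
func sampleZone(flagApexRecords bool) (existing, desired []Record) {
	existing = []Record{
		{Name: "example.com.", Type: "A", Target: "1.1.1.1"},
		{Name: "@", Type: "TXT", Target: "v=spf1 -all"},
		{Name: "www", Type: "CNAME", Target: "@"},
	}
	desired = []Record{
		{Name: "www", Type: "CNAME", Target: "@"},
		{Name: "@", Type: "TXT", Target: "v=spf1 -all", DisableSafetyCheck: flagApexRecords},
	}
	return existing, desired
}

func main() {
	for _, tc := range []struct {
		label  string
		ignore []string
		flag   bool
	}{
		{"IGNORE_NAME('')", []string{""}, false},
		{"IGNORE_NAME('@')", []string{"@"}, false},
		{"IGNORE_NAME('@') + override on TXT", []string{"@"}, true},
	} {
		existing, desired := sampleZone(tc.flag)
		out, err := Corrections("example.com", existing, desired, tc.ignore)
		fmt.Printf("%s: corrections=%v err=%v\n", tc.label, out, err)
	}
}
```

Run it and the first case deletes the apex A record (the label "" matched nothing), the second fails the safety check on "@ TXT", and the third produces no corrections because the apex A record is carried over and the flagged TXT already matches what exists.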

net47 commented 3 years ago

Zero corrections and errors, looks good! Thanks a lot!

tlimoncelli commented 3 years ago

I've merged the change into master. It will be in the next release.