dnscontrol
OVH: "Invalid subfield found in DKIM" on update
Using
./.tools/dnscontrol.v3.17.0 version
dnscontrol v3.17.0 ("015c3d184adc8f0f8a62e69e44d8b83d0d5da5e1") built 19 Jun 22 15:52 CEST
I've got FAILURE! Error 400: "Invalid subfield found in DKIM : \"v=DKIM1"
modifying an OVH TXT record
PREVIEW:
******************** Domain: domain.tld
----- Getting nameservers from: ovh
----- DNS Provider: ovh...
2 corrections
#1: MODIFY TXT 29012022._domainkey.domain.tld: ("v=DKIM1; t=s; p=MII[...]AB" ttl=3600) -> ("v=DKIM1; t=s; p=MII[...]AB" ttl=300)
#2: REFRESH zone domain.tld
PUSH:
******************** Domain: domain.tld
----- Getting nameservers from: ovh
----- DNS Provider: ovh...
2 corrections
#1: MODIFY TXT 29012022._domainkey.domain.tld: ("v=DKIM1; t=s; p=MII[..]QAB" ttl=3600) -> ("v=DKIM1; t=s; p=MII[..]QAB" ttl=300)
FAILURE! Error 400: "Invalid subfield found in DKIM : \"v=DKIM1"
#2: REFRESH zone domain.tld
Relevant config for this TXT record is:
TXT('29012022._domainkey', 'v=DKIM1; t=s; p=MII[...]AB', TTL(300))
related to #1235
CC: @masterzen
It's interesting that the error message includes a backslash in the message: \"v=DKIM1"
as if something got escaped inappropriately.
This may be un-related but... I'd be curious what happens when you follow the instructions in https://stackexchange.github.io/dnscontrol/testing-txt-records.html
Tom
When I add those tests from the Web UI:
t0 60 IN TXT test0
t1 60 IN TXT test1
t2 60 IN TXT "test2"
t3 60 IN TXT "test3"
The provider keeps reformatting after form validation:
t0 60 IN TXT "test0"
t1 60 IN TXT "test1"
t2 60 IN TXT "test2"
t3 60 IN TXT "test3"
For instance, while submitting t0 60 TXT test0
in the UI, the client side reformats it and the PUT payload is:
{"subDomain":"t0","target":"\"test0\"","ttl":60}
About the preview:
I wonder why there is CREATE instead of UPDATE (does DNSControl get the current state of the zone with a DNS resolution or by the API?).
#1: CREATE TXT t0.domain.de "test0" ttl=3600
#2: CREATE TXT t1.domain.de "\"test1\"" ttl=3600
#3: CREATE TXT t2.domain.de "test2" ttl=3600
#4: CREATE TXT t3.domain.de "\"test3\"" ttl=3600
And at push, it UPDATEs the records:
#1: MODIFY TXT t0.domain.de: ("test0" ttl=60) -> ("test0" ttl=3600)
SUCCESS!
#2: MODIFY TXT t2.domain.de: ("test2" ttl=60) -> ("test2" ttl=3600)
SUCCESS!
#3: MODIFY TXT t3.domain.de: ("test3" ttl=60) -> ("\"test3\"" ttl=3600)
SUCCESS!
#4: MODIFY TXT t1.domain.de: ("test1" ttl=60) -> ("\"test1\"" ttl=3600)
SUCCESS!
There is no error.
I've retried the test with another record name.
In the OVH provider, there are two ways to change records, "add an entry" or "edit the entire zone in text format".
I understand that adding this payload without double quotes can lead to altering other records.
b0 60 IN TXT test0
b1 60 IN TXT test1
b2 60 IN TXT "test2"
b3 60 IN TXT "test3"
After push with dnscontrol, the UI full zone text mode shows a crazy record:
Then, this message appeared
To conclude,
There is a failsafe when using the UI mode with the "Add an entry" button. The "Change in text format" mode allows submitting an invalid zone, but then there is a failsafe so that it is not taken into account.
I was not able to get the same type of error FAILURE! Error 400: "Invalid subfield found in DKIM : \"v=DKIM1"
with those tests.
I can confirm that a record with an escaped " is successfully updated by OVH, but then the big red error message appears.
Refresh your provider’s web UI and you should see the changes as expected: t1 should have double-quotes and t2 shouldn’t. If the change wasn’t correctly done, that’s a bug.
So there is a bug
Thanks for running those tests. From what I read, I think the test0/1/2/3 test is irrelevant to the DKIM problem.
That said... here's how to do it given that the web UI accepts a zonefile, not a web form like other systems:
b0 60 IN TXT "test0"
b1 60 IN TXT "test1"
b2 60 IN TXT "\"test2\""
b3 60 IN TXT "\"test3\""
I suspect that if you use the above, the tests will work better. (and reveal the same bug about quotes)
I'll discuss the DKIM string in another comment.
As far as DKIM, there are two possibilities. The error message is right, or it is wrong.
If the error message is correct, then your dkim string is wrong. Try using a known-valid string from another site, such as "k1._domainkey.stackoverflow.com" or another company. If it works, then you know the problem is with your string.
If you can't find any string that works, then it is a problem with OVH.
I'm wondering if this would be fixed by the new TXT handling of #1567? Basically it seems the string is split somehow and that creates issues with imbalanced quotes later on.
@JBOClara would you mind testing with PR #1567?
I'll try to do a bit of tests over the week-end, as I remember that long DKIM records used to work with previous dnscontrol version in the past.
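The zonefile quoting used in the b0..b3 lines above, and the splitting of long values that the previous comment raises, both follow the RFC 1035 presentation format for TXT data. The Go sketch below is an added example, not dnscontrol or OVH code; the function names are illustrative and the DKIM value is a constructed placeholder. It encodes a value into quoted chunks of at most 255 bytes and decodes it back, rejecting input whose quotes do not balance.

```go
package main

import (
	"fmt"
	"strings"
)

// quote wraps one chunk in double quotes, escaping '\' and '"' (illustrative helper).
func quote(chunk string) string {
	return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(chunk) + `"`
}

// txtToZonefile renders a TXT value as space-separated quoted chunks of <= 255 bytes.
func txtToZonefile(value string) string {
	var parts []string
	for ; len(value) > 255; value = value[255:] {
		parts = append(parts, quote(value[:255]))
	}
	return strings.Join(append(parts, quote(value)), " ")
}

// zonefileToTxt joins the quoted chunks back together and fails on unbalanced quotes.
func zonefileToTxt(rdata string) (string, error) {
	var out strings.Builder
	inQuote := false
	for i := 0; i < len(rdata); i++ {
		switch c := rdata[i]; {
		case c == '\\' && inQuote && i+1 < len(rdata):
			i++ // keep the escaped byte, drop the backslash
			out.WriteByte(rdata[i])
		case c == '"':
			inQuote = !inQuote
		case inQuote:
			out.WriteByte(c)
		case c != ' ' && c != '\t':
			return "", fmt.Errorf("unquoted byte %q at offset %d", c, i)
		}
	}
	if inQuote {
		return "", fmt.Errorf("unbalanced quote in %q", rdata)
	}
	return out.String(), nil
}

func main() {
	dkim := "v=DKIM1; t=s; p=" + strings.Repeat("A", 400) // constructed sample, not a real key
	back, err := zonefileToTxt(txtToZonefile(dkim))
	fmt.Println(txtToZonefile(`"test2"`), back == dkim, err)
}
```

A verifier concatenates the chunks of a TXT record with no separator before parsing the DKIM tags, so a correct round trip returns exactly the original string.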
Getting the same issue with the OVH provider:
FAILURE! Error 400: "Invalid subfield found in DKIM : \"v=DKIM1"
@tlimoncelli
How can I help?
The TXT record handling has been rewritten since this bug was filed. Can the OP please test to see if this works now?