TXT / SPF records with spaces are split into multiple values

Bug #1755788 reported by Dmitry Galkin on 2018-03-14
This bug affects 2 people
Affects: Designate
Importance: Undecided
Assigned to: Graham Hayes

Bug Description

Hi,

Observed that creation of TXT or SPF records that have " " (empty spaces) from the CLI or Dashboard produces invalid records. That was already briefly discussed at the last Designate meeting:

1. Create a record like:

[root@openstack ~]# openstack recordset create --records "v=spf1 a mx a:mail.openstack.tech. a:mail.domain.ie a:server9.openstack.tech. -all" --type=SPF 50bb30dd-5c84-42fc-b2e7-fc37a198ccfd testspf9.openstack.tech.
+-------------+------------------------------------------------------------------------------------+
| Field | Value |
+-------------+------------------------------------------------------------------------------------+
| action | CREATE |
| created_at | 2018-03-14T11:05:50.000000 |
| description | None |
| id | 16003c9d-a8ec-4155-9077-f6318f5d40f6 |
| name | testspf9.openstack.tech. |
| project_id | b8a1e1371d22406cb89afd936cb20d0e |
| records | v=spf1 a mx a:mail.openstack.tech. a:mail.domain.ie a:server9.openstack.tech. -all |
| status | PENDING |
| ttl | None |
| type | SPF |
| updated_at | None |
| version | 1 |
| zone_id | 50bb30dd-5c84-42fc-b2e7-fc37a198ccfd |
| zone_name | openstack.tech. |
+-------------+------------------------------------------------------------------------------------+
[root@openstack ~]#

2. And it looks fine if we just check via recordset show:

[root@aio1-utility-container-10fda1d7 ~]# openstack recordset show 50bb30dd-5c84-42fc-b2e7-fc37a198ccfd 16003c9d-a8ec-4155-9077-f6318f5d40f6
+-------------+------------------------------------------------------------------------------------+
| Field | Value |
+-------------+------------------------------------------------------------------------------------+
| action | NONE |
| created_at | 2018-03-14T11:05:50.000000 |
| description | None |
| id | 16003c9d-a8ec-4155-9077-f6318f5d40f6 |
| name | testspf9.openstack.tech. |
| project_id | b8a1e1371d22406cb89afd936cb20d0e |
| records | v=spf1 a mx a:mail.openstack.tech. a:mail.domain.ie a:server9.openstack.tech. -all |
| status | ACTIVE |
| ttl | None |
| type | SPF |
| updated_at | None |
| version | 1 |
| zone_id | 50bb30dd-5c84-42fc-b2e7-fc37a198ccfd |
| zone_name | openstack.tech. |
+-------------+------------------------------------------------------------------------------------+

3. But checking it with dig directly gives us:

[root@aio1-designate-container-7c861122 v2]# dig @127.0.0.1 testspf9.openstack.tech. SPF

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> @127.0.0.1 testspf9.openstack.tech. SPF
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64319
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testspf9.openstack.tech. IN SPF

;; ANSWER SECTION:
testspf9.openstack.tech. 300 IN SPF "v=spf1" "a" "mx" "a:mail.openstack.tech." "a:mail.domain.ie" "a:server9.openstack.tech." "-all"

;; AUTHORITY SECTION:
openstack.tech. 300 IN NS ns1-1.example.tech.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mi Mär 14 11:46:03 UTC 2018
;; MSG SIZE rcvd: 175

Notice that the reply is many strings instead of one: "v=spf1" "a" "mx" "a:mail.openstack.tech." "a:mail.domain.ie" "a:server9.openstack.tech." "-all"

Tested on stable/pike.

Dmitry Galkin (galkindmitrii) wrote :

Looked more into that.

Turns out that dnspython (as packed with eventlet) in https://github.com/rthalley/dnspython/blob/master/dns/rdtypes/txtbase.py#L56-L73 generates the list 'strings', which has no spaces.

So, if we do like:

[root@openstack ~]# python
Python 2.7.5 (default, Aug 4 2017, 00:39:18)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import dns.rdataset
>>>
>>> txt_record = "some valid record with spaces"
>>> print(dns.rdataset.from_text(dns.rdataclass.IN, dns.rdatatype.TXT, 0, txt_record))
0 IN TXT "some" "valid" "record" "with" "spaces"

Result will be missing all the spaces.

Fix proposed to branch: master
Review: https://review.openstack.org/555398

Changed in designate:
assignee: nobody → Dmitry Galkin (galkindmitrii)
status: New → In Progress
Changed in designate:
assignee: Dmitry Galkin (galkindmitrii) → Dr. Jens Harbott (j-harbott)
Changed in designate:
assignee: Dr. Jens Harbott (j-harbott) → Graham Hayes (grahamhayes)

Reviewed: https://review.openstack.org/617809
Committed: https://git.openstack.org/cgit/openstack/designate-tempest-plugin/commit/?id=9a0a360be06e06a7f2d08ab5c28ccdb5dd9dfc87
Submitter: Zuul
Branch: master

commit 9a0a360be06e06a7f2d08ab5c28ccdb5dd9dfc87
Author: Dmitry Galkin <email address hidden>
Date: Tue Nov 13 19:42:29 2018 +0000

    Properly quote TXT/SPF sample data

    (Check TXT/SPF records for RFC1035 sec. 5.1.)

    Adds quotes and escape for quotes across the TXT/SPF data sets and tests.

    Needed-By: https://review.openstack.org/#/c/555398
    Change-Id: I5c8160a1cd4a41c4931ab852d478753bb98f4b7d
    Closes-Bug: 1755788

Changed in designate:
status: In Progress → Fix Released

This issue was fixed in the openstack/designate-tempest-plugin 0.6.0 release.

Reviewed: https://review.opendev.org/555398
Committed: https://git.openstack.org/cgit/openstack/designate/commit/?id=02ef0350af6bb2ee1aacb6e7e4ec9acb21eb3dc7
Submitter: Zuul
Branch: master

commit 02ef0350af6bb2ee1aacb6e7e4ec9acb21eb3dc7
Author: Dmitry Galkin <email address hidden>
Date: Thu Mar 22 17:53:27 2018 +0000

    Check TXT/SPF records for RFC1035 sec. 5.1

    If record data has empty spaces it should be surrounded by double quotes.
    This patch will raise an error during validation if record has whitespaces,
    empty spaces, tabs, etc., but not wrapped in " " (double quotes).

    Corresponding RFC part:

    <character-string> is expressed in one or two ways: as a contiguous set
    of characters without interior spaces, or as a string beginning with a "
    and ending with a ". Inside a " delimited string any character can
    occur, except for a " itself, which must be quoted using \ (back slash).

    Closes-Bug: 1755788
    Depends-On: https://review.openstack.org/#/c/617809/
    Change-Id: I159d0732688ddf1337ab3602a84a43fd043dcaa2

This issue was fixed in the openstack/designate 9.0.0.0rc1 release candidate.
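
Added example (not part of the bug report, and not Designate's or dnspython's code): a standard-library Python model of the RFC 1035 sec. 5.1 splitting seen in the dig output above, a quoting check of the kind the commit message describes, and the effect on SPF evaluation, where RFC 7208 sec. 3.3 joins the strings of one record without adding spaces. The function names and the rule that a value with several strings must have all of them quoted are assumptions of this example.

```python
import re

class InvalidTxtData(ValueError):
    """Raised when TXT/SPF data would not be served as the operator typed it."""

def split_character_strings(data):
    """Split zone-file TXT/SPF rdata into <character-string>s (RFC 1035 sec. 5.1)."""
    strings, buf = [], []
    in_quotes = started = False
    i = 0
    while i < len(data):
        ch = data[i]
        if ch == "\\" and i + 1 < len(data):
            buf.append(data[i + 1])          # backslash: next character is literal
            started = True
            i += 2
            continue
        if ch == '"':
            if in_quotes:                    # closing quote ends the string
                strings.append("".join(buf))
                buf, started = [], False
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            if started:                      # bare whitespace separates strings
                strings.append("".join(buf))
                buf, started = [], False
        else:
            buf.append(ch)
            started = True
        i += 1
    if in_quotes:
        raise InvalidTxtData("unterminated double quote")
    if started:
        strings.append("".join(buf))
    return strings

# One or more "..." strings, with \" allowed inside, and nothing outside the quotes.
_ALL_QUOTED = re.compile(r'\s*(?:"(?:[^"\\]|\\.)*"\s*)+')

def validate_txt_data(data):
    """Hypothetical pre-submit check: a split is accepted only if it was quoted on purpose."""
    strings = split_character_strings(data)
    if len(strings) > 1 and not _ALL_QUOTED.fullmatch(data):
        raise InvalidTxtData("whitespace outside double quotes: wrap the value in quotes")
    return strings

def spf_as_evaluated(data):
    """RFC 7208 sec. 3.3: receivers join the strings of one record without adding spaces."""
    return "".join(split_character_strings(data))

# The record value from the report, unquoted (as submitted) and quoted.
UNQUOTED = "v=spf1 a mx a:mail.openstack.tech. a:mail.domain.ie a:server9.openstack.tech. -all"
QUOTED = '"' + UNQUOTED + '"'
```

For `UNQUOTED`, `spf_as_evaluated` returns the terms run together with no separators, so the policy a receiver evaluates is not the one that `recordset show` displays; `validate_txt_data` rejects that input and accepts `QUOTED` as a single string.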
