Make sure it puts quotes around SPF and TXT records #29
Comments
|
I think the best approach here would be to detect a space in the TXT record, then on output add It should also automatically split DKIM TXT records greater than 255 characters into chunks - I have personally run into this issue. |
|
Can you please give me an example? I just had a quick test, and it seems the TXT records are enclosed by a pair of quotes. |
|
The issue for me is more that DKIM TXT records greater than 255 characters should be split into chunks. I stumbled across this issue today from all the way back in 2019! And had a panic for a few moments when I used this and forgot about this. To give an example: "txt": [
{
"name": "soverin._domainkey",
"txt": "v=DKIM1; k=rsa; p=<REALLY LONG STRING THAT IS AN RSA KEY>",
"ttl": 3600
}
],Expected: |
|
@conatus do you happen to know any specification, like RFC about the split of the long rsa key part? Or is it just an implementation's special behavior? |
|
I don't think this is a RFC thing, but is a relatively common use pattern as this use of DKIM keys to verify emails is very common. https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns Sufficiently common that there is a tool to do it. Google's Cloud DNS is one sevice that requires this. |
|
Did a bit more of a look and it is a component of RFC4408. https://tools.ietf.org/html/rfc4408#section-3.1.3
|
|
@conatus thank you. I will look into it. |
|
Thanks @elgs! |
@conatus, I want to confirm one thing. In the expected section, I am not seeing the |
|
I just released 0.0.27, and hopefully it fixed this issue. Shame on me. It took almost 4 years to fix it. |
|
Hey @elgs - this is my error in the example. The corrected expected is: No shame on anyone, really appreciate you fixing it. :) Will check out the code then loop back to check this issue can be closed. |
|
Sorry for the delay in testing this. This is still an outstanding issue. Even in 0.2.8, the RSA key is not split into chunks. The result of this is that we have to manually remember this library causes this error and correct it, otherwise our email deliverability is effected. If you could take another look, that would be wonderful. |
|
I split the TXT or SPR in the parser, which is a mistake, I should have done them in the generator. Now I have a new concern, splitting and adding quotes will make the parsing and generating processes not idempotent. This seems to be an issue, too. What do you think? @conatus |
|
Somehow I want to remove the split and adding quote logic from this library and let the clients take care of these logic. So it will be idempotent. Rule of thumb: I am not touching your string. Please let me know your thoughts. |
|
@elgs As it is part of the standard, maybe we should add a some sort of switch to the JSON configuration file so this chante can be highlighted. If you can point me to the point in the code where this all happens I'll probably be more able to take a view. Alternatively, |
|
After understanding the nature of this issue, I prefer to leave the entire txt string to the clients to manage, for 2 reasons:
I understand the boundary of the obligation to handle the txt string may not appear to be clear. The Idempotency is the main reason of my preference. |
|
Are you suggesting we split the key manually ourselves within the JSON file using escaping? This does seem like an okay workaround that gets us moving. But the fact these strings can be split is in the RFC specification and right now this library does not support this. As this is an undocumented limitation of this library, it could lead quite a few people to trip over this problem, as we have done. The result for us was lots of emails going to Spam. Which is pretty large problem for us any anyone else who has to do DKIM1 keys - which is most people who want secure email. As an alternative, how about this? This could work idempotently, if this is a design requirement. cc @chrisdevereux - this is a workaround for the issue we are having with our processing zone files. |
|
@conatus your suggestion looks good, I would adopt the txt array if this would be the start of the project. But there is one problem that is Google Cloud is depending on this project. Last time I broke their build because I renamed a field. Although I am not responsible for their projects, I am sure they would complain when they upgrade their dependencies if we made this change. Maybe instead of making txt an array, we could keep the txt as is and add a new field called txt_array, and when generating, we will need to choose one and ignore the other if both exist in the json. What do you think? |
|
@elgs I like this solution. An alternative would simply be to do an Either way a fix for this would be really appreciated! |
I'm going to go by trying to import it into AWS Route 53 and other other examples i've seen, as I'm no expert on DNS Zones.
If there aren't quotes around these values then Route 53 fails to import them properly, and it comes out like the following, which is of course totally not going to work.
"v=spf1" "+a" "+mx" "include:_spf.google.com" "~all"
The same goes for DKIM TXT records.
The text was updated successfully, but these errors were encountered: