
DKIM semicolon escaping with octodns-dump and NS1


(Sorry about all of my issues with DKIMs and semicolons 😦)

It looks like #34 might apply to NS1, as well? If you have not escaped the semicolon in your TXT record, NS1 will serve it back to you with it unescaped:

{
  "domain": "mail._domainkey.foo.com",
  "short_answers": [
    "v=DKIM1;t=y; p=<key>"
  ],
  "link": null,
  "ttl": 900,
  "tier": 1,
  "type": "TXT",
  "id": "<arbitrary record ID>"
},

(from the NS1 API)

Thus resulting in the following error:

octodns.record.ValidationError: Invalid record mail._domainkey.foo.com.
  - unescaped ;

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
ross commented, Jun 30, 2017

Just a bit more follow up for people who happen across this in the future. To the best of my knowledge the \ is required before all ; in TXT records. There are definitely some providers that don’t require it to be provided in their UI/API, Route53 & NS1. That said when they serve the records they always escape them, e.g.

Route53

sweetums:~ ross$ dig +short TXT dkim-test.githubtest.net. @ns-1304.awsdns-35.org.
"v=DKIM1\; k=rsa\; p=foobarbaz"

NS1

sweetums:~ ross$ dig +short TXT dkim-test.githubtest.net. @dns1.p04.nsone.net
"v=DKIM1\; k=rsa\; p=foobarbaz"

Other providers “fix” the records at the time of submission, e.g.

Dyn


Others still don’t allow submission without the \.

So as best as I can tell RFCs require \; so octoDNS requires them. The earlier “fix” to Route53 and DNSimple were actually a mistake on my part, in hindsight anyway. The “real” fix was to add the --lenient flag to octodns-dump.

It’s now expected behavior that when you dump such records you’ll need to add the \ if it’s not there before you’ll be able to use them as a source and octoDNS will show that as a change when you go to sync, but that should just be bringing things into compliance. For now the change won’t be pushed to Route53 & DNSimple, but I’ll likely go back and revert those bits now that the lenient stuff is in place and doing things a cleaner way.

1 reaction
ross commented, Jun 27, 2017

Note you will have to “fix” the resulting config by escaping the ; before you can use it as a source. The intention is to make it easier to get things into octoDNS, but to retain the consistency/best practices going forward.
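
Added example, not part of the GitHub thread and not octoDNS's own validation code: a Python sketch of the manual fix-up described in the comments above, escaping any ; that lacks a backslash in the TXT values of a leniently dumped zone while leaving an already-escaped \; untouched. The dict shape (type, value and values keys) and the function names are assumptions for illustration.

```python
import re

# A ';' counts as unescaped when an even number of backslashes (zero
# included) precedes it: backslash pairs escape each other, not the ';'.
_UNESCAPED = re.compile(r'(?<!\\)((?:\\\\)*);')


def has_unescaped_semicolon(value):
    return _UNESCAPED.search(value) is not None


def escape_semicolons(value):
    """Add the missing backslash; an already-escaped '\\;' is left alone."""
    return _UNESCAPED.sub(r'\1\\;', value)


def fix_txt_records(zone):
    """Return (fixed_zone, changed_names) for a dict shaped like a dumped zone.

    Assumed shape: {name: {'type': ..., 'value': str}} or a 'values' list.
    The input dict is not modified.
    """
    fixed, changed = {}, []
    for name, record in zone.items():
        record = dict(record)
        if record.get('type') == 'TXT':
            before = (record.get('value'), record.get('values'))
            if 'value' in record:
                record['value'] = escape_semicolons(record['value'])
            if 'values' in record:
                record['values'] = [escape_semicolons(v) for v in record['values']]
            if before != (record.get('value'), record.get('values')):
                changed.append(name)
        fixed[name] = record
    return fixed, changed


# Constructed sample, reusing the record values quoted in this thread.
SAMPLE_ZONE = {
    'mail._domainkey': {'type': 'TXT', 'ttl': 900, 'value': 'v=DKIM1;t=y; p=<key>'},
    'dkim-test': {'type': 'TXT', 'values': ['v=DKIM1\\; k=rsa\\; p=foobarbaz']},
    'www': {'type': 'A', 'value': '192.0.2.10'},
}

if __name__ == '__main__':
    fixed, changed = fix_txt_records(SAMPLE_ZONE)
    print('changed:', changed)
    print(fixed['mail._domainkey']['value'])
```

Running the fix twice produces no further changes, so it is safe to apply to a dump that mixes escaped and unescaped records.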
