DKIM semicolon escaping with octodns-dump and NS1
(Sorry about all of my issues with DKIMs and semicolons 😦)
It looks like #34 might apply to NS1, as well? If you have not escaped the semicolon in your TXT record, NS1 will serve it back to you with it unescaped:
    {
        "domain": "mail._domainkey.foo.com",
        "short_answers": [
            "v=DKIM1;t=y; p=<key>"
        ],
        "link": null,
        "ttl": 900,
        "tier": 1,
        "type": "TXT",
        "id": "<arbitrary record ID>"
    },
(from the NS1 API)
Thus resulting in the following error:
octodns.record.ValidationError: Invalid record mail._domainkey.foo.com.
- unescaped ;
Issue Analytics
- Created 6 years ago
- Comments: 6 (3 by maintainers)
Top GitHub Comments
Just a bit more follow up for people who happen across this in the future. To the best of my knowledge the \ is required before all ; in TXT records. There are definitely some providers that don’t require it to be provided in their UI/API, Route53 & NS1. That said when they serve the records they always escape them, e.g. Route53, NS1. Other providers “fix” the records at the time of submission, e.g. Dyn. Others still don’t allow submission without the \.

So as best as I can tell RFCs require \; so octoDNS requires them. The earlier “fix” to Route53 and DNSimple were actually a mistake on my part, in hindsight anyway. The “real” fix was to add the --lenient flag to octodns-dump.

It’s now expected behavior that when you dump such records you’ll need to add the \ if it’s not there before you’ll be able to use them as a source and octoDNS will show that as a change when you go to sync, but that should just be bringing things into compliance. For now the change won’t be pushed to Route53 & DNSimple, but I’ll likely go back and revert those bits now that the lenient stuff is in place and doing things a cleaner way.

Note you will have to “fix” the resulting config by escaping the ; before you can use it as a source. The intention is to make it easier to get things into octoDNS, but to retain the consistency/best practices going forward.
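The manual "fix" step described in the comment above, sketched as an added example (not octoDNS code and not from the original thread): it escapes bare semicolons in TXT values of a zone dumped with --lenient, without double-escaping values that already contain \;. The record layout, the function names and the rule that a ; is unescaped when preceded by an even number of backslashes are assumptions of this example.

```python
import re

# Assumption of this example: a ';' is unescaped when an even number
# (including zero) of backslashes precedes it. octoDNS's own check may differ.
_SEMI = re.compile(r'(\\*);')


def has_unescaped_semicolon(value):
    """True if any ';' in a TXT value lacks its escaping backslash."""
    return any(len(m.group(1)) % 2 == 0 for m in _SEMI.finditer(value))


def escape_semicolons(value):
    """Add a backslash before each unescaped ';'; escaped ones are kept."""
    def fix(m):
        slashes = m.group(1)
        return slashes + (';' if len(slashes) % 2 else '\\;')
    return _SEMI.sub(fix, value)


def fix_zone(records):
    """Escape TXT values in a dumped-zone mapping; return names that changed."""
    changed = []
    for name, record in records.items():
        if record.get('type') != 'TXT':
            continue
        values = record.get('values') or [record['value']]
        fixed = [escape_semicolons(v) for v in values]
        if fixed != values:
            changed.append(name)
            if 'values' in record:
                record['values'] = fixed
            else:
                record['value'] = fixed[0]
    return changed


# Constructed sample, shaped like a zone dumped with --lenient.
ZONE = {
    'mail._domainkey': {'type': 'TXT', 'ttl': 900,
                        'value': 'v=DKIM1;t=y; p=<key>'},
    'selector2._domainkey': {'type': 'TXT', 'ttl': 900,
                             'values': ['v=DKIM1\\;k=rsa\\; p=<key>']},
    'www': {'type': 'A', 'ttl': 300, 'value': '192.0.2.10'},
}

if __name__ == '__main__':
    print(fix_zone(ZONE))                   # names of records that were rewritten
    print(ZONE['mail._domainkey']['value'])
```

Running it twice over the same data changes nothing the second time, so it is safe to apply to a config that is already partly escaped.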