Nameserver entries are incorrectly modified or created when using AutoDNS #3018

lug-gh opened this issue Jun 20, 2024 · 5 comments
@lug-gh

lug-gh commented Jun 20, 2024

NOTE: Have a general question? You'll get a better response on the dnscontrol-discuss email list!

Describe the bug
Depending on what my dnsconfig.js looks like, DNSControl wants to either create or modify my NS entries, even if I work with IGNORE(). I suspect it has to do with AutoDNS separating the nameservers and the rest of the resource records. The resource records contain all DNS entries of the zone except the name servers; these are visible to the user in another menu item, and are then summarized by the AutoDNS backend for the zone.

To Reproduce
Example 1:

var REG_NONE = NewRegistrar("none");
var DSP_AUTODNS = NewDnsProvider("autodns");

D("sub.example.org",
  REG_NONE,
  DnsProvider(DSP_AUTODNS),
  DISABLE_IGNORE_SAFETY_CHECK,
  IGNORE("*"),
  A("test", "1.2.3.4"),
END);

preview shows:

******************** Domain: sub.example.org
1 correction (autodns)
#1: 87 records not being deleted because of IGNORE*():
    [...]
    ...and 82 more... (use --full to show all)
5 records that are both IGNORE*()'d and not ignored:
    test.sub.example.org A 1.2.3.4
    sub.example.org NS a.ns14.net.
    sub.example.org NS b.ns14.net.
    sub.example.org NS c.ns14.net.
    sub.example.org NS d.ns14.net.
+ CREATE sub.example.org NS a.ns14.net. ttl=300
+ CREATE sub.example.org NS b.ns14.net. ttl=300
+ CREATE sub.example.org NS c.ns14.net. ttl=300
+ CREATE sub.example.org NS d.ns14.net. ttl=300
+ CREATE test.sub.example.org A 1.2.3.4 ttl=300
Zone update for sub.example.org
Done. 1 corrections.

Since I use IGNORE("*"), the NS records should not be created; also, they already exist:
dig sub.example.org ns @a.ns14.net

;; ANSWER SECTION:
sub.example.org.		60	IN	NS	b.ns14.net.
sub.example.org.		60	IN	NS	d.ns14.net.
sub.example.org.		60	IN	NS	a.ns14.net.
sub.example.org.		60	IN	NS	c.ns14.net.

Example 2

var REG_NONE = NewRegistrar("none");
var DSP_AUTODNS = NewDnsProvider("autodns");

DOMAIN_ELSEWHERE_AUTO("sub.example.org", REG_NONE, DSP_AUTODNS);

The preview shows that DNSControl wants to change the TTL of the name servers.

******************** Domain: sub.example.org
1 correction (autodns)
#1: 83 records not being deleted because of NO_PURGE:
    [...]
    ...and 78 more... (use --full to show all)
± MODIFY-TTL sub.example.org NS a.ns14.net. ttl=(60->300)
± MODIFY-TTL sub.example.org NS b.ns14.net. ttl=(60->300)
± MODIFY-TTL sub.example.org NS c.ns14.net. ttl=(60->300)
± MODIFY-TTL sub.example.org NS d.ns14.net. ttl=(60->300)
Zone update for sub.example.org
Done. 1 corrections.

Expected behavior
DNSControl should not touch the name servers

DNS Provider

  • AUTODNS

Additional context
I have only just started using DNSControl, so I can't rule out the possibility that this is simply an operating error on my side, but the different behavior with regard to CREATE and MODIFY of the nameservers makes me very suspicious.

@lug-gh
Author

lug-gh commented Jun 20, 2024

I also found another bug while testing. In example 2 you can see that 83 entries are not deleted due to NO_PURGE. Unfortunately, these are deleted during the push!
But only if "MODIFY-TTL" is executed. If there are no changes to the NS TTL, then NO_PURGE is also respected for the existing entries.

@tlimoncelli
Contributor

CC'ing @arnoschoon (maintainer of the AutoDNS provider). (I don't have access to a test account for AutoDNS)

By the way... the source to DOMAIN_ELSEWHERE_AUTO is here. You can copy it into dnsconfig.js and customize it. Your code will override the code from helpers.js.

@arnoschoon
Contributor

Hi @lug-gh,

Thanks for reaching out and your patience.

Can you supply me with the exact version (and possibly CLI command) you're using? I'm not able to reproduce the issue with nameservers you mention, but that might have something to do with my environment.

I admit AutoDNS is a bit peculiar in its nameserver handling, but from your example I can't find out if it's an actual issue or you're using it in a more advanced way than I did when developing this provider.

We're using the command below in our CI pipeline for several domains and I've not encountered this specific issue before. But I had a hard time using those IGNORE_*-functions, to be honest.

docker run --rm  --user $(id -u):$(id -g) --volume ${bamboo.tmp.directory}:${bamboo.tmp.directory} --volume ${bamboo.working.directory}:${bamboo.working.directory} --workdir ${bamboo.working.directory} ghcr.io/stackexchange/dnscontrol:4.10.0 push

Our dnsconfig.js uses some macros to add some default records for parked domains, but that probably just works since we don't attempt the more advanced stuff you're seeking.

var REG_NONE = NewRegistrar("none");
var ADNS = NewDnsProvider("autodns");

var CAA_BUILDER_CONFIG = {
  label: "@",
  iodef: "mailto:security@acme.com",
  iodef_critical: true,
  issue: [
    "letsencrypt.org", // https://letsencrypt.org/docs/caa/
    "amazon.com", // https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html
    "amazontrust.com",
    "awstrust.com",
    "amazonaws.com",
    "sectigo.com", // https://help.zerossl.com/hc/en-us/articles/360060119753-Invalid-CAA-Records
    "pki.goog", // https://pki.goog/faq/#caa
    "digicert.com" // https://developers.cloudflare.com/ssl/reference/certificate-authorities/ - https://developers.cloudflare.com/ssl/reference/certificate-authorities/#caa-records
  ]
};

var DEFAULT_RECORDS = function(domain) {
    return [
        NAMESERVER_TTL('2d'),
        DefaultTTL('15m'),
        CAA_BUILDER(CAA_BUILDER_CONFIG)
    ]
}

var PARKED_DOMAIN = function(domain) {
    return [].concat(DEFAULT_RECORDS(domain), [
        TXT('@', 'v=spf1 -all'),
        TXT('*._domainkey', 'v=DKIM1; p='),
        TXT('_dmarc', 'v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;')
    ])
}

D('acme.be', REG_NONE, DnsProvider(ADNS), PARKED_DOMAIN('acme.be'));

D('acme.com', REG_NONE, DnsProvider(ADNS),
    DEFAULT_RECORDS('acme.com'),
    MX('@', 10, 'acme-com.mail.protection.outlook.com.'),
    SPF_BUILDER({
        label: '@',
        overflow: '_spf%d',
        parts: [
            'v=spf1',
            'include:spf.protection.outlook.com',
            'include:mail.zendesk.com',
            '~all'
        ]
    }),
    TXT('@', 'MS=ms726835'),
    TXT('zendeskverification', '892ba8baf29928'),
    TXT('hello', 'world!'),
    CNAME('zendesk1', 'mail1.zendesk.com.'),
);

Please let me know if you are able to adapt to the example I've pasted here and, if you still run into problems, which version you are using.

Best,
~Arno

@tlimoncelli
Contributor

Hi hi!

I'm not sure if this is related but... IGNORE() doesn't ignore nameserver delegations (updating the parent or registrar). I'm not sure if that is going to affect this bug, I thought I'd mention it.

As far as NO_PURGE deleting records when it should (possibly related to MODIFY-TTL): That is outside the control of Porkbun as it is part of the main system. Could you make a minimal repro case that demonstrates that bug? Please file that as a separate bug. Thanks!

@lug-gh
Author

lug-gh commented Jul 11, 2024

Hi @arnoschoon,

sorry for the late response, I was away for a while and need to get back into the swing of things.

I have only used the Docker image for testing purposes so far.
docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview
docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol push
Docker image ID: 5f0bc195133b / DNSControl version 4.12.0

The folder I am in only contains the creds.json and dnsconfig.js file.
I'm using Ubuntu 22.04 with Docker 26, but I think that's rather irrelevant since the code magic happens in the container.

@tlimoncelli
It is interesting to know that IGNORE does not ignore the nameserver settings. Is there another function for this? Alternatively, I would first have to build a script that retrieves the current setting from AutoDNS and then pass it into DNSControl as a variable.

But well, then I'll split the issues now. This issue deals with the incorrect "CREATE" of the name servers with the "D" option. In the other issue I will deal with the deletion of the entries in connection with "DOMAIN_ELSEWHERE_AUTO". Correct? I hope it doesn't get too confusing and jumbled up.

Scenario 1

empty DNS zone, nothing but IGNORE('*')

So, for reproduction purposes, simply create a DNS zone of your choice in AutoDNS (a domain is not required), e.g. dnscontrol-issue-3018-debug.com
This Zone has no records yet, besides the nameservers. They have a TTL of 86400 by default.
zonefile in autodns

dnscontrol-issue-3018-debug.com.	86400	IN	SOA	a.ns14.net. do-not-reply.dnscontrol-issue-3018-debug.com. 2024071102 43200 7200 1209600 86400
dnscontrol-issue-3018-debug.com.	86400	IN	NS	a.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	b.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	c.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	d.ns14.net.

creds.json

{
  "autodns": {
    "TYPE": "AUTODNS",
    "username": "REMOVED",
    "password": "REMOVED",
    "context": "4"
  }
}

dnsconfig.js

var REG_NONE = NewRegistrar("none");
var DSP_AUTODNS = NewDnsProvider("autodns");

D("dnscontrol-issue-3018-debug.com",
  REG_NONE,
  DnsProvider(DSP_AUTODNS),
  DISABLE_IGNORE_SAFETY_CHECK,
  IGNORE("*"),
END);

This is a very minimalistic test environment, but sufficient to reproduce the error.
In this setting, I expected that nothing should actually happen.
In the meantime I have learned that the nameservers are not taken into account by IGNORE, so I now expect a MODIFY of the existing nameservers, but instead preview displays a CREATE.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

******************** Domain: dnscontrol-issue-3018-debug.com
1 correction (autodns)
#1: 4 records not being deleted because of IGNORE*():
    dnscontrol-issue-3018-debug.com. NS a.ns14.net.
    dnscontrol-issue-3018-debug.com. NS b.ns14.net.
    dnscontrol-issue-3018-debug.com. NS c.ns14.net.
    dnscontrol-issue-3018-debug.com. NS d.ns14.net.
4 records that are both IGNORE*()'d and not ignored:
    dnscontrol-issue-3018-debug.com NS a.ns14.net.
    dnscontrol-issue-3018-debug.com NS b.ns14.net.
    dnscontrol-issue-3018-debug.com NS c.ns14.net.
    dnscontrol-issue-3018-debug.com NS d.ns14.net.
+ CREATE dnscontrol-issue-3018-debug.com NS a.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS b.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS c.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS d.ns14.net. ttl=300
Zone update for dnscontrol-issue-3018-debug.com
Done. 1 corrections.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol push

******************** Domain: dnscontrol-issue-3018-debug.com
1 correction (autodns)
#1: 4 records not being deleted because of IGNORE*():
    dnscontrol-issue-3018-debug.com. NS a.ns14.net.
    dnscontrol-issue-3018-debug.com. NS b.ns14.net.
    dnscontrol-issue-3018-debug.com. NS c.ns14.net.
    dnscontrol-issue-3018-debug.com. NS d.ns14.net.
4 records that are both IGNORE*()'d and not ignored:
    dnscontrol-issue-3018-debug.com NS a.ns14.net.
    dnscontrol-issue-3018-debug.com NS b.ns14.net.
    dnscontrol-issue-3018-debug.com NS c.ns14.net.
    dnscontrol-issue-3018-debug.com NS d.ns14.net.
+ CREATE dnscontrol-issue-3018-debug.com NS a.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS b.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS c.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS d.ns14.net. ttl=300
Zone update for dnscontrol-issue-3018-debug.com
SUCCESS!
Done. 1 corrections.

zonefile in autodns after push

dnscontrol-issue-3018-debug.com.	300	IN	SOA	a.ns14.net. do-not-reply.dnscontrol-issue-3018-debug.com. 2024071103 43200 7200 1209600 300
dnscontrol-issue-3018-debug.com.	300	IN	NS	d.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	a.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	b.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	c.ns14.net.

So, what happens in this scenario is exactly what is to be expected (if you know it), but with the incorrect display "CREATE" instead of "MODIFY".
In addition, the TTL of the SOA is adjusted, which neither preview nor push indicates. This is actually irrelevant for me now, but it probably shouldn't be like this anyway, so I'll mention it to be on the safe side.

Scenario 2

empty DNS zone, create an A record

zonefile in autodns

dnscontrol-issue-3018-debug.com.	86400	IN	SOA	a.ns14.net. do-not-reply.dnscontrol-issue-3018-debug.com. 2024071102 43200 7200 1209600 86400
dnscontrol-issue-3018-debug.com.	86400	IN	NS	a.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	b.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	c.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	d.ns14.net.

dnsconfig.js

var REG_NONE = NewRegistrar("none");
var DSP_AUTODNS = NewDnsProvider("autodns");

D("dnscontrol-issue-3018-debug.com",
  REG_NONE,
  DnsProvider(DSP_AUTODNS),
  DISABLE_IGNORE_SAFETY_CHECK,
  IGNORE("*"),
  A("first-record", "1.2.3.4"),
END);

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

******************** Domain: dnscontrol-issue-3018-debug.com
1 correction (autodns)
#1: 4 records not being deleted because of IGNORE*():
    dnscontrol-issue-3018-debug.com. NS a.ns14.net.
    dnscontrol-issue-3018-debug.com. NS b.ns14.net.
    dnscontrol-issue-3018-debug.com. NS c.ns14.net.
    dnscontrol-issue-3018-debug.com. NS d.ns14.net.
5 records that are both IGNORE*()'d and not ignored:
    first-record.dnscontrol-issue-3018-debug.com A 1.2.3.4
    dnscontrol-issue-3018-debug.com NS a.ns14.net.
    dnscontrol-issue-3018-debug.com NS b.ns14.net.
    dnscontrol-issue-3018-debug.com NS c.ns14.net.
    dnscontrol-issue-3018-debug.com NS d.ns14.net.
+ CREATE dnscontrol-issue-3018-debug.com NS a.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS b.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS c.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS d.ns14.net. ttl=300
+ CREATE first-record.dnscontrol-issue-3018-debug.com A 1.2.3.4 ttl=300
Zone update for dnscontrol-issue-3018-debug.com
Done. 1 corrections.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol push

******************** Domain: dnscontrol-issue-3018-debug.com
1 correction (autodns)
#1: 4 records not being deleted because of IGNORE*():
    dnscontrol-issue-3018-debug.com. NS a.ns14.net.
    dnscontrol-issue-3018-debug.com. NS b.ns14.net.
    dnscontrol-issue-3018-debug.com. NS c.ns14.net.
    dnscontrol-issue-3018-debug.com. NS d.ns14.net.
5 records that are both IGNORE*()'d and not ignored:
    first-record.dnscontrol-issue-3018-debug.com A 1.2.3.4
    dnscontrol-issue-3018-debug.com NS a.ns14.net.
    dnscontrol-issue-3018-debug.com NS b.ns14.net.
    dnscontrol-issue-3018-debug.com NS c.ns14.net.
    dnscontrol-issue-3018-debug.com NS d.ns14.net.
+ CREATE dnscontrol-issue-3018-debug.com NS a.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS b.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS c.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS d.ns14.net. ttl=300
+ CREATE first-record.dnscontrol-issue-3018-debug.com A 1.2.3.4 ttl=300
Zone update for dnscontrol-issue-3018-debug.com
SUCCESS!
Done. 1 corrections.

zonefile in autodns after push

dnscontrol-issue-3018-debug.com.	300	IN	SOA	a.ns14.net. do-not-reply.dnscontrol-issue-3018-debug.com. 2024071105 43200 7200 1209600 300
dnscontrol-issue-3018-debug.com.	300	IN	NS	a.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	b.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	c.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	d.ns14.net.
first-record.dnscontrol-issue-3018-debug.com.	300	IN	A	1.2.3.4

Scenario 3

existing dns record in DNS zone, IGNORE('*') and NS CREATE

-> This is probably the most critical, because all existing DNS entries are deleted here!

dnsconfig.js is identical to scenario 2, but there is now an additional DNS entry in the zone, which was created via the AutoDNS web interface.

zone before push

dnscontrol-issue-3018-debug.com.	86400	IN	SOA	a.ns14.net. do-not-reply.dnscontrol-issue-3018-debug.com. 2024071112 43200 7200 1209600 86400
dnscontrol-issue-3018-debug.com.	86400	IN	NS	a.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	b.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	c.ns14.net.
dnscontrol-issue-3018-debug.com.	86400	IN	NS	d.ns14.net.
first-record.dnscontrol-issue-3018-debug.com.	300	IN	A	1.2.3.4
second-record.dnscontrol-issue-3018-debug.com.	86400	IN	A	9.8.7.6

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol push

******************** Domain: dnscontrol-issue-3018-debug.com
1 correction (autodns)
#1: 6 records not being deleted because of IGNORE*():
    first-record.dnscontrol-issue-3018-debug.com. A 1.2.3.4
    second-record.dnscontrol-issue-3018-debug.com. A 9.8.7.6
    dnscontrol-issue-3018-debug.com. NS a.ns14.net.
    dnscontrol-issue-3018-debug.com. NS b.ns14.net.
    dnscontrol-issue-3018-debug.com. NS c.ns14.net.
    ...and 1 more... (use --full to show all)
5 records that are both IGNORE*()'d and not ignored:
    first-record.dnscontrol-issue-3018-debug.com A 1.2.3.4
    dnscontrol-issue-3018-debug.com NS a.ns14.net.
    dnscontrol-issue-3018-debug.com NS b.ns14.net.
    dnscontrol-issue-3018-debug.com NS c.ns14.net.
    dnscontrol-issue-3018-debug.com NS d.ns14.net.
+ CREATE dnscontrol-issue-3018-debug.com NS a.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS b.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS c.ns14.net. ttl=300
+ CREATE dnscontrol-issue-3018-debug.com NS d.ns14.net. ttl=300
Zone update for dnscontrol-issue-3018-debug.com
SUCCESS!
Done. 1 corrections.

zone after push

dnscontrol-issue-3018-debug.com.	300	IN	SOA	a.ns14.net. do-not-reply.dnscontrol-issue-3018-debug.com. 2024071113 43200 7200 1209600 300
dnscontrol-issue-3018-debug.com.	300	IN	NS	a.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	b.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	c.ns14.net.
dnscontrol-issue-3018-debug.com.	300	IN	NS	d.ns14.net.
first-record.dnscontrol-issue-3018-debug.com.	300	IN	A	1.2.3.4

-> second-record is gone, but the push (and also preview) showed it should be ignored.

At this point I think I can save myself the second issue, because the behavior here is exactly the same as with "DOMAIN_ELSEWHERE_AUTO", the only difference is that with "DOMAIN_ELSEWHERE_AUTO" "MODIFY" of the NS entries is displayed correctly, whereas with "D" it is displayed as "CREATE". The error therefore seems to be anchored deeper in the code.

I hope your mouse wheels are still working now :)
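
The before/after comparison done by hand in Scenario 3 can be automated as a post-push check. The following is an added example, not part of the thread and not DNSControl code: the function names are hypothetical, and it assumes zone dumps and correction lines in the formats shown above. The sample data is abridged from Scenario 3 (two of the four NS records).

```javascript
// Added example (not DNSControl code): diff zone snapshots taken before and
// after `dnscontrol push` against the corrections the push actually printed.
function parseZone(text) {
  const records = new Map();
  for (const line of text.split("\n")) {
    const f = line.trim().split(/\s+/); // "name. TTL IN TYPE data..."
    if (f.length < 5 || f[2] !== "IN") continue;
    const name = f[0].replace(/\.$/, "").toLowerCase();
    // The SOA serial changes on every update, so key SOA by name and type only.
    const data = f[3] === "SOA" ? "" : f.slice(4).join(" ");
    records.set(`${name} ${f[3]} ${data}`.trim(), Number(f[1]));
  }
  return records;
}

// Records named in correction lines such as "+ CREATE name TYPE data ttl=300"
// or "± MODIFY-TTL name TYPE data ttl=(60->300)". Assumes other verbs share this layout.
function parseAnnounced(output) {
  const announced = new Set();
  for (const line of output.split("\n")) {
    const m = line.match(/^[+±-] \S+ (\S+) (\S+) (.*?)(?: ttl=\S+)?$/);
    if (m) announced.add(`${m[1].replace(/\.$/, "").toLowerCase()} ${m[2]} ${m[3]}`.trim());
  }
  return announced;
}

// Every change between the snapshots that no correction line accounts for.
function unannouncedChanges(beforeText, afterText, pushOutput) {
  const before = parseZone(beforeText);
  const after = parseZone(afterText);
  const announced = parseAnnounced(pushOutput);
  const findings = [];
  for (const [key, ttl] of before) {
    if (announced.has(key)) continue;
    if (!after.has(key)) findings.push({ kind: "deleted", record: key });
    else if (after.get(key) !== ttl) findings.push({ kind: "ttl-changed", record: key });
  }
  for (const key of after.keys()) {
    if (!before.has(key) && !announced.has(key)) findings.push({ kind: "added", record: key });
  }
  return findings;
}

// Sample data abridged from Scenario 3 in this thread (two of the four NS records).
const Z = "dnscontrol-issue-3018-debug.com";
const BEFORE = `${Z}. 86400 IN SOA a.ns14.net. do-not-reply.${Z}. 2024071112 43200 7200 1209600 86400
${Z}. 86400 IN NS a.ns14.net.
${Z}. 86400 IN NS b.ns14.net.
first-record.${Z}. 300 IN A 1.2.3.4
second-record.${Z}. 86400 IN A 9.8.7.6`;
const AFTER = `${Z}. 300 IN SOA a.ns14.net. do-not-reply.${Z}. 2024071113 43200 7200 1209600 300
${Z}. 300 IN NS a.ns14.net.
${Z}. 300 IN NS b.ns14.net.
first-record.${Z}. 300 IN A 1.2.3.4`;
const PUSH = `+ CREATE ${Z} NS a.ns14.net. ttl=300
+ CREATE ${Z} NS b.ns14.net. ttl=300`;

console.log(unannouncedChanges(BEFORE, AFTER, PUSH));
```

Run against a test zone, a non-empty result means the push changed something that neither preview nor push reported, which is a reason to fail the pipeline before the same config reaches a production zone.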
