[dns] Data validation and silent bind fail

cielito.system.dns runs a named-checkconf, but that is not enough to guarantee that the bind restart won't fail; worse, it may fail silently, simply because of malformed records or data.

For instance, defining spf policy with:

  - { label: lists, type: TXT, rdata: "v=spf1 mx ptr a:mylistserver.mydom.org -all" }

won't break the role execution but will (mis)lead to the following bind record:

lists 600 IN TXT "v=spf1" "mx" "ptr" "a:mylistserver.mydom.org" "-all"

which should be:

lists 600 IN TXT "v=spf1 mx ptr a:mylistserver.mydom.org -all"

To obtain that result, the value must be quoted twice in the source yaml (double quotes inside the YAML single quotes):

  - { label: lists, type: TXT, rdata: '"v=spf1 mx ptr a:mylistserver.mydom.org -all"' }

Conversely, MX or SRV records must not be quoted twice, or bind will silently fail to load the zone (nothing on the console; the errors are only reported in the log).

The role should accept data in a syntax that is as simple and intuitive as possible and/or check the coherence of the syntax.
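As an illustration of the type-aware rendering and validation this issue asks for, here is an added example that is not part of cielito.system.dns: it emits TXT rdata as one quoted character-string whatever the YAML quoting was, splits it at 255 characters as the zone-file format requires, and rejects quoted or malformed MX/SRV rdata before named ever sees the zone. The function names, the default TTL of 600 and the sample records are assumptions made for the example.

```python
import re

# Record types whose rdata is free-form text and must be emitted as one or more
# quoted <character-string>s (each limited to 255 bytes by RFC 1035).
TEXT_TYPES = {"TXT", "SPF"}
# Record types whose rdata is a fixed list of fields that bind expects unquoted:
# type -> expected field count; every field but the last must be an integer.
FIXED_FIELD_TYPES = {"MX": 2, "SRV": 4}  # MX: pref exchange / SRV: prio weight port target


def character_strings(text, limit=255):
    """Split text into chunks of at most `limit` characters (ASCII assumed)."""
    return [text[i:i + limit] for i in range(0, len(text), limit)] or [""]


def render_text_rdata(rdata):
    """Normalise TXT/SPF rdata: accept either a bare YAML value or one the author
    already double-quoted, and emit the whole value as quoted strings, never
    split on whitespace (which is what produced the broken SPF record above)."""
    value = rdata.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]                         # strip the outer quotes
    value = re.sub(r'(?<!\\)"', r'\\"', value)      # escape any bare inner quotes
    return " ".join(f'"{chunk}"' for chunk in character_strings(value))


def render_fixed_rdata(rtype, rdata):
    """Validate MX/SRV rdata: no quotes, right field count, numeric leading fields."""
    if '"' in rdata or "'" in rdata:
        raise ValueError(f"{rtype} rdata must not be quoted: {rdata!r}")
    fields = rdata.split()
    expected = FIXED_FIELD_TYPES[rtype]
    if len(fields) != expected:
        raise ValueError(f"{rtype} rdata needs {expected} fields, got {len(fields)}: {rdata!r}")
    for field in fields[:-1]:
        if not field.isdigit():
            raise ValueError(f"{rtype} field {field!r} must be an unsigned integer")
    return " ".join(fields)


def render_record(label, rtype, rdata, ttl=600):
    """Render one zone-file line from a YAML-style record description."""
    rtype = rtype.upper()
    if rtype in TEXT_TYPES:
        out = render_text_rdata(rdata)
    elif rtype in FIXED_FIELD_TYPES:
        out = render_fixed_rdata(rtype, rdata)
    else:
        raise ValueError(f"unsupported record type {rtype}")
    return f"{label} {ttl} IN {rtype} {out}"


def render_zone(records):
    """Render a list of dicts shaped like the role's YAML items, failing on the
    first bad record instead of letting named silently refuse the zone."""
    return [render_record(r["label"], r["type"], r["rdata"], r.get("ttl", 600))
            for r in records]


def is_valid(rtype, rdata):
    """True if the rdata renders, False if the validation rejects it."""
    try:
        render_record("x", rtype, rdata)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample records mirroring the examples in the issue.
    sample = [
        {"label": "lists", "type": "TXT", "rdata": "v=spf1 mx ptr a:mylistserver.mydom.org -all"},
        {"label": "lists", "type": "TXT", "rdata": '"v=spf1 mx ptr a:mylistserver.mydom.org -all"'},
        {"label": "@", "type": "MX", "rdata": "10 mail.mydom.org."},
        {"label": "_sip._tcp", "type": "SRV", "rdata": "0 5 5060 sip.mydom.org."},
    ]
    for line in render_zone(sample):
        print(line)
```

Both spellings of the SPF record render to the same correct line, so the YAML author no longer has to know about the double quoting; a double-quoted MX value, on the other hand, is refused at render time with a message naming the record, rather than surfacing only in named's log after a silent load failure.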