SOA and NAMESERVER questions


Steven Vernick

May 27, 2021, 12:28:24 PM
to DNSControl-discuss
Hello,

I am developing a provider for Akamai's Edge DNS.

I've got up-to-date DnsControl source:
$ date
Thu May 27 12:22:25 EDT 2021
$ git pull
Already up to date.
$ /Users/svernick/go/bin/dnscontrol -v version
dnscontrol v3.9.0-dev

Edge DNS automatically creates SOA and top-level NS records.  SOA should not be managed by DnsControl:
providers.CanUseSOA: providers.Cannot(),

Edge DNS has a REST API.

This is a new top-level zone (svernick.net):
$ http --auth-type edgegrid -a svernick_cloud_sqa: ":/config-dns/v2/zones/svernick.net/recordsets"
HTTP/1.1 200 OK

{
    "recordsets": [
        {
            "name": "svernick.net", 
            "rdata": [
                "a1-106.akam.net. hostmaster.svernick.net. 2021051914 3600 600 604800 300"
            ], 
            "ttl": 86400, 
            "type": "SOA"
        }, 
        {
            "name": "svernick.net", 
            "rdata": [
                "a1-106.akam.net.", 
                "a12-65.akam.net.", 
                "a2-66.akam.net.", 
                "a22-67.akam.net.", 
                "a7-64.akam.net.", 
                "a9-65.akam.net."
            ], 
            "ttl": 86400, 
            "type": "NS"
        }
    ]
}

This is my dnsconfig.js:
var REG_NONE = NewRegistrar('none', 'NONE');    // No registrar.
var DNS_AKAMAI = NewDnsProvider('akamai', 'AKAMAI');

D('svernick.net', REG_NONE, DnsProvider(DNS_AKAMAI),
);

I would expect DnsControl to not change the existing SOA or NS records.

This is DnsControl preview output:
$ /Users/svernick/go/bin/dnscontrol -v preview
******************** Domain: svernick.net
----- Getting nameservers from: akamai
----- DNS Provider: akamai...2 corrections
#1: DELETE SOA svernick.net a1-106.akam.net. hostmaster.svernick.net. 3600 600 604800 300 ttl=86400
#2: MODIFY NS svernick.net: (a9-65.akam.net. ttl=86400) -> (a9-65.akam.net. ttl=300)
   MODIFY NS svernick.net: (a7-64.akam.net. ttl=86400) -> (a7-64.akam.net. ttl=300)
   MODIFY NS svernick.net: (a22-67.akam.net. ttl=86400) -> (a22-67.akam.net. ttl=300)
   MODIFY NS svernick.net: (a2-66.akam.net. ttl=86400) -> (a2-66.akam.net. ttl=300)
   MODIFY NS svernick.net: (a12-65.akam.net. ttl=86400) -> (a12-65.akam.net. ttl=300)
   MODIFY NS svernick.net: (a1-106.akam.net. ttl=86400) -> (a1-106.akam.net. ttl=300)
----- Registrar: none...0 corrections
Done. 2 corrections.

Issue 1. Delete SOA:
DnsControl should not delete the SOA record.  If I try to add the matching SOA to dnsconfig.js:
D('svernick.net', REG_NONE, DnsProvider(DNS_AKAMAI),
    SOA("@", "a1-106.akam.net.", "hostmaster.svernick.net.", 3600, 600, 604800, 300, TTL(86400))
);

then I correctly get an error:
$ /Users/svernick/go/bin/dnscontrol -v preview
2021/05/27 11:36:35 printIR.go:88: 1 Validation errors:
2021/05/27 11:36:35 printIR.go:94: ERROR: domain svernick.net uses SOA records, but DNS provider type AKAMAI does not support them
exiting due to validation errors

So, I am forced to change "CanUseSOA" to prevent deletion of the SOA record:
providers.CanUseSOA: providers.Can(),

With these changes, DnsControl no longer tries to delete the automatically-generated SOA record:
$ /Users/svernick/go/bin/dnscontrol -v preview
******************** Domain: svernick.net
----- Getting nameservers from: akamai
----- DNS Provider: akamai...1 correction
#1: MODIFY NS svernick.net: (a9-65.akam.net. ttl=86400) -> (a9-65.akam.net. ttl=300)
   MODIFY NS svernick.net: (a7-64.akam.net. ttl=86400) -> (a7-64.akam.net. ttl=300)
   MODIFY NS svernick.net: (a22-67.akam.net. ttl=86400) -> (a22-67.akam.net. ttl=300)
   MODIFY NS svernick.net: (a2-66.akam.net. ttl=86400) -> (a2-66.akam.net. ttl=300)
   MODIFY NS svernick.net: (a12-65.akam.net. ttl=86400) -> (a12-65.akam.net. ttl=300)
   MODIFY NS svernick.net: (a1-106.akam.net. ttl=86400) -> (a1-106.akam.net. ttl=300)
----- Registrar: none...0 corrections
Done. 1 corrections.

Issue 2: NS modifications
DnsControl should not modify the automatically-generated top-level NS records.

To prevent modification, I am forced to specify the TTL in dnsconfig.js:
D('svernick.net', REG_NONE, DnsProvider(DNS_AKAMAI),
    SOA("@", "a1-106.akam.net.", "hostmaster.svernick.net.", 3600, 600, 604800, 300, TTL(86400)),
    NAMESERVER_TTL(86400)
);

With this change, DnsControl no longer tries to modify the automatically-generated NS records:
$ /Users/svernick/go/bin/dnscontrol -v preview
******************** Domain: svernick.net
----- Getting nameservers from: akamai
----- DNS Provider: akamai...0 corrections
----- Registrar: none...0 corrections
Done. 0 corrections.

Issue 3: NS duplication
"Javascript DSL" says:  
    "If dnsconfig.js has 1 or more NAMESERVER() commands for a domain, it will use the API to add those nameservers (unless, of course, they already exist)."

To test this, I add a NAMESERVER() command for an existing NS record:
D('svernick.net', REG_NONE, DnsProvider(DNS_AKAMAI),
    SOA("@", "a1-106.akam.net.", "hostmaster.svernick.net.", 3600, 600, 604800, 300, TTL(86400)),
    NAMESERVER_TTL(86400),
    NAMESERVER("a9-65.akam.net.")
);

DnsControl tries to add a new NS record:
$ /Users/svernick/go/bin/dnscontrol -v preview
******************** Domain: svernick.net
----- Getting nameservers from: akamai
----- DNS Provider: akamai...1 correction
#1: CREATE NS svernick.net a9-65.akam.net. ttl=86400
----- Registrar: none...0 corrections
Done. 1 corrections.

This is because "DetermineNameservers" (nameservers.go):
-- Gets configured nameservers from dnsconfig.js (line 17):
// always take explicit
ns := dc.Nameservers


-- Gets existing nameservers from the provider (line 25):
nss, err := dnsProvider.Driver.GetNameservers(dc.Name)

-- Concatenates the two lists (slices) without removing duplicates (line 43):
for i := 0; i < take; i++ {
    ns = append(ns, nss[i])
}



Are these bugs?  If so, how do I submit bug reports?  If not, please provide further information.

Thank you!
/Steve
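
Added example, not part of either post and not DNSControl's own code: a merge step that concatenates the configured and provider-reported nameserver lists while dropping duplicates, so the NAMESERVER("a9-65.akam.net.") case above would produce no CREATE. The function names, the `take` parameter's handling, and the case/trailing-dot normalization are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeNS lower-cases a nameserver host name and drops the trailing dot,
// so "A9-65.akam.net." and "a9-65.akam.net" compare equal.
func normalizeNS(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// mergeNameservers is a hypothetical stand-in for the merge described above:
// explicit NAMESERVER() entries first, then up to `take` entries reported by
// the provider, skipping any name that is already in the list.
func mergeNameservers(configured, fromProvider []string, take int) []string {
	seen := make(map[string]bool)
	var merged []string
	add := func(name string) {
		key := normalizeNS(name)
		if key == "" || seen[key] {
			return
		}
		seen[key] = true
		merged = append(merged, name)
	}
	for _, name := range configured {
		add(name)
	}
	if take > len(fromProvider) {
		take = len(fromProvider)
	}
	for i := 0; i < take; i++ {
		add(fromProvider[i])
	}
	return merged
}

func main() {
	// Values from the thread: one NAMESERVER() entry plus the six NS
	// targets that Edge DNS created for svernick.net.
	configured := []string{"a9-65.akam.net."}
	fromProvider := []string{"a1-106.akam.net.", "a12-65.akam.net.", "a2-66.akam.net.",
		"a22-67.akam.net.", "a7-64.akam.net.", "a9-65.akam.net."}
	fmt.Println(mergeNameservers(configured, fromProvider, len(fromProvider)))
}
```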







Tom Limoncelli

May 27, 2021, 3:20:23 PM
to Steven Vernick, DNSControl-discuss
Hi Steven!

Super excited that you're developing this provider!

Yes, please file bugs on https://github.com/StackExchange/dnscontrol/issues and of course, discussing issues on this mailing list is always welcome.


Comments inline:


Many providers do this.  To restate the issue: They don't let you modify the SOA, but when downloading the zone records they provide an SOA.   
The way to handle that?  Skip (ignore) the SOA record when you receive one.

Examples:
  • providers/oracle/oracleProvider.go:170 (ignores it in GetZoneRecords)
  • providers/msdns/convert.go:108 (zaps it when converting to RecordConfig)


> Issue 2: NS modifications
> DnsControl should not modify the automatically-generated top-level NS records.
>
> To prevent modification, I am forced to specify the TTL in dnsconfig.js:
> D('svernick.net', REG_NONE, DnsProvider(DNS_AKAMAI),
>     SOA("@", "a1-106.akam.net.", "hostmaster.svernick.net.", 3600, 600, 604800, 300, TTL(86400)),
>     NAMESERVER_TTL(86400)
> );
>
> With this change, DnsControl no longer tries to modify the automatically-generated NS records:
> $ /Users/svernick/go/bin/dnscontrol -v preview
> ******************** Domain: svernick.net
> ----- Getting nameservers from: akamai
> ----- DNS Provider: akamai...0 corrections
> ----- Registrar: none...0 corrections
> Done. 0 corrections.


I'm pretty sure you can just ignore NS records the same way. You probably only want to ignore the ones at the domain apex, since I presume subdomain NS records are permitted.

That's interesting!

I'm not exactly sure why it works that way.  My hunch is that 5+ years ago when we designed it we didn't think anyone would add a NAMESERVER() statement unless it was actually needed.  Removing duplicates is probably the right thing to do, since DNS doesn't permit duplicate (exact duplicate) records.

I don't think duplicate-removal would break anything, but I'm not sure if changing it is for the better.  For example, it might be better to encourage people to not include records that aren't needed.

Tom
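
Added example, not part of the thread and not code from DNSControl or the providers cited above: one way to skip the provider-owned SOA and the apex NS set while reading a recordsets response shaped like the one quoted in the first message. The `recordset` type, `managedRecordsets` helper, and the delegation and A records in the sample are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// recordset mirrors the fields visible in the API response quoted in the thread.
type recordset struct {
	Name  string   `json:"name"`
	Type  string   `json:"type"`
	TTL   int      `json:"ttl"`
	Rdata []string `json:"rdata"`
}

// Constructed sample: the SOA and apex NS from the thread (NS list shortened),
// plus a made-up delegation and A record to show what is kept.
const sampleResponse = `{"recordsets":[
 {"name":"svernick.net","type":"SOA","ttl":86400,"rdata":["a1-106.akam.net. hostmaster.svernick.net. 2021051914 3600 600 604800 300"]},
 {"name":"svernick.net","type":"NS","ttl":86400,"rdata":["a1-106.akam.net.","a9-65.akam.net."]},
 {"name":"lab.svernick.net","type":"NS","ttl":3600,"rdata":["ns1.example.org."]},
 {"name":"www.svernick.net","type":"A","ttl":300,"rdata":["192.0.2.10"]}]}`

// managedRecordsets is a hypothetical helper: it drops the SOA and the NS set
// at the zone apex, and returns every other recordset unchanged.
func managedRecordsets(body []byte, zone string) ([]recordset, error) {
	var resp struct {
		Recordsets []recordset `json:"recordsets"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	apex := strings.ToLower(strings.TrimSuffix(zone, "."))
	var kept []recordset
	for _, rs := range resp.Recordsets {
		name := strings.ToLower(strings.TrimSuffix(rs.Name, "."))
		if rs.Type == "SOA" || (rs.Type == "NS" && name == apex) {
			continue // created and maintained by the provider
		}
		kept = append(kept, rs)
	}
	return kept, nil
}

func main() {
	kept, err := managedRecordsets([]byte(sampleResponse), "svernick.net")
	fmt.Println(kept, err)
}
```

The delegation at lab.svernick.net survives the filter, which matches the point that only apex NS records should be ignored.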

