Underscore in CNAME records

Started by BossRoss, January 07, 2014, 02:27:25 PM


BossRoss

I am unable to add a CNAME record with an underscore in either the hostname or the address. It's a DKIM/DMARC application wherein the TXT record supports the underscore, but the client is specifically requesting support for the CNAME to a third party provider. Any help? FWIW - Just finished upgrading to 2.21 anticipating the suggestion to update. Thanks.

matt

What happens when you try to create it?

My suspicion is that you did not do a 'make install' after upgrading the server and client components of NicTool. Did you restart Apache after the 'make install' steps?  If so, then you should be able to have name and address fields that are prefixed by underscores.

The underscore is specifically allowed in the name field when the record type is SRV, TXT, SPF, and NS (RFC 5016).

PS: I have DKIM and DMARC records set up for quite a few of my domains, so I'm pretty sure NicTool is capable. :-)

BossRoss

I did the make install, and restarted Apache as well.

If I attempt an underscore in a CNAME record (e.g. _dmarc.client.com CNAME _dmarc.provider.com) I get a small red banner

Sanity Error
invalid character(s) in record name -- _
invalid character in record address --

You didn't explicitly list CNAME records. Are these not allowed? Robert

matt

Try this patch, which should allow the leading _ in CNAME records.

diff --git a/server/lib/NicToolServer/Zone.pm b/server/lib/NicToolServer/Zone.pm
index 63ed72c..a3c7e28 100644
--- a/server/lib/NicToolServer/Zone.pm
+++ b/server/lib/NicToolServer/Zone.pm
@@ -1154,6 +1154,9 @@ sub valid_hostname {
         if ( $field eq 'name' && $type eq 'SRV' && $first_char eq '_' ) {
             # except for SRV
         }
+        elsif ( $type eq 'CNAME' && $first_char eq '_' ) {
+            # CNAME can delegate DMARC records, and perhaps others
+        }
         elsif ( $first_char =~ /[^a-zA-Z0-9]/ ) {
             $self->error( $field, "$warn_prefix must begin with a letter or digit: RFC 1912");
             $has_error++;
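Review bot: the new `elsif ( $type eq 'CNAME' && $first_char eq '_' )` branch omits the `$field eq 'name'` test that the SRV branch directly above it carries, so it accepts a leading `_` in both the name and the address of a CNAME. If that is intended (it is what `_dmarc.client.com CNAME _dmarc.provider.com` needs), say so in the comment instead of "and perhaps others", and add a test for both fields so that this check and the companion `get_invalid_chars` in Sanity.pm cannot drift apart.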
diff --git a/server/lib/NicToolServer/Zone/Record/Sanity.pm b/server/lib/NicToolServer/Zone/Record/Sanity
index 3530121..9ec7d36 100644
--- a/server/lib/NicToolServer/Zone/Record/Sanity.pm
+++ b/server/lib/NicToolServer/Zone/Record/Sanity.pm
@@ -548,7 +548,8 @@ sub get_invalid_chars {
     if ( $field eq 'name' ) {
         # allow _ char for SRV, NS (delegated SRV), SPF, & TXT (DKIM, DMARC)
         # DKIM: delegated _domainkey in RFC 5016, 5.3
-        return '[^a-zA-Z0-9\-\._]' if $type =~ /^(?:SRV|TXT|SPF|NS)$/;
+        # CNAME: delegated _dmarc (and perhaps other uses)
+        return '[^a-zA-Z0-9\-\._]' if $type =~ /^(?:SRV|TXT|SPF|NS|CNAME)$/;

         # DNS & BIND, 4.5: Names that are not host names can consist of any
         # printable ASCII character. I feel like this is providing enough rope
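Review bot: adding `CNAME` to the alternation here only relaxes the owner name, because the `return` sits inside `if ( $field eq 'name' )`; the address of a CNAME still falls through to the stricter default class, so a delegation target such as `_dmarc.provider.com` will be rejected with "invalid character in record address" even though Zone.pm now accepts it. Either extend the address path for CNAME in the same change, or the two validators disagree and the record still cannot be saved.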

BossRoss

Patch applied. Re-run Makefile.PL; make install clean. Sanity fails on address with "_".

matt

Please post the exact error messages so I can see which test(s) fail.

Don't forget to restart Apache.

BossRoss

Apache was restarted. Error is
Sanity Error
invalid character in record address --

No character is indicated, it looks like. Address is formatted "_dmarc.m.provider.com.".

matt

Okay, the previous patch only allowed _ in the name field of CNAME entries. This allows it in the address as well:

diff --git a/server/lib/NicToolServer/Zone/Record/Sanity.pm b/server/lib/NicToolServer/Zone/Record/Sanity.pm
index 3530121..9797085 100644
--- a/server/lib/NicToolServer/Zone/Record/Sanity.pm
+++ b/server/lib/NicToolServer/Zone/Record/Sanity.pm
@@ -545,16 +545,17 @@ sub get_invalid_chars {
     return '[^a-fA-F0-9:]' if $type eq 'AAAA' && $field eq 'address';
     return '[^0-9\.]'      if $type eq 'A'    && $field eq 'address';

-    if ( $field eq 'name' ) {
-        # allow _ char for SRV, NS (delegated SRV), SPF, & TXT (DKIM, DMARC)
-        # DKIM: delegated _domainkey in RFC 5016, 5.3
-        return '[^a-zA-Z0-9\-\._]' if $type =~ /^(?:SRV|TXT|SPF|NS)$/;
-
-        # DNS & BIND, 4.5: Names that are not host names can consist of any
-        # printable ASCII character. I feel like this is providing enough rope
-        # for users to hang themselves. The code is here, but disabled.
-        #return '[^ -~]' if $type !~ /^(?:A|AAAA|MX|LOC|SPF|SSHFP)$/;
-    };
+    # allow _ char for SRV, NS (delegated SRV), SPF, & TXT (DKIM, DMARC)
+    # DKIM: delegated _domainkey in RFC 5016, 5.3
+    # CNAME: delegated _dmarc (and perhaps other uses)
+    return '[^a-zA-Z0-9\-\._]' if $type =~ /^(?:SRV|TXT|SPF|NS|CNAME)$/;
+
+    # DNS & BIND, 4.5: Names that are not host names can consist of any
+    # printable ASCII character. I feel like this is providing enough rope
+    # for users to hang themselves. The code is here, but disabled.
+#   if ( $field eq 'name' ) {
+#       return '[^ -~]' if $type !~ /^(?:A|AAAA|MX|LOC|SPF|SSHFP)$/;
+#   };

     # allow / in reverse zones, for both name & address: RFC 2317
     return '[^a-zA-Z0-9\-\.\/]' if $zone_text =~ /(in-addr|ip6)\.arpa[\.]{0,1}$/i;
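Review bot: dropping the `if ( $field eq 'name' )` guard makes the early `return '[^a-zA-Z0-9\-\._]'` fire for the address field of SRV, TXT, SPF and NS records as well as CNAME, and the only earlier returns visible in this hunk are for A and AAAA addresses. That class rejects `=`, `;`, `:` and space, so a DMARC or SPF TXT value such as `v=DMARC1; p=none` would now fail the address check unless a return not shown here handles TXT data first. Suggest gating the address relaxation to the types that actually carry a domain name there, e.g. `if $field eq 'name' || $type =~ /^(?:CNAME|NS)$/`, and leaving TXT/SPF address handling as it was. The printable-ASCII block is now commented out at column 0, which reads as dead code; a one-line comment on why it is kept would help the next reader.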

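The rule the thread converges on is that the underscore allowance has to be decided per record type and per field: CNAME needs it on both sides for `_dmarc` delegation, SRV/TXT/SPF/NS need it in the owner name, and TXT data needs its own, wider class. The following Python is an added example that is not NicTool's code; it models that decision table (the `PRINTABLE_BAD` class for TXT/SPF data and the sample names are assumptions) and reproduces the sanity messages from this thread.

```python
import re

# Added example, not NicTool's code: a simplified model of the per-type, per-field
# character classes discussed in this thread. Each regex names the characters that
# are NOT allowed, mirroring the shape of get_invalid_chars() in the patches above.
HOSTNAME_BAD = r'[^a-zA-Z0-9\-\.]'         # strict hostname labels (RFC 1912 style)
UNDERSCORE_OK_BAD = r'[^a-zA-Z0-9\-\._]'   # hostname labels plus '_' for service/policy labels
PRINTABLE_BAD = r'[^ -~]'                  # assumed class for TXT/SPF data: any printable ASCII


def invalid_chars(rtype: str, field: str) -> str:
    """Regex of characters rejected in `field` ('name' or 'address') of an rtype record."""
    if rtype == 'AAAA' and field == 'address':
        return r'[^a-fA-F0-9:]'
    if rtype == 'A' and field == 'address':
        return r'[^0-9\.]'
    # TXT and SPF addresses hold record data, not a hostname: '=', ';', ':' and space are normal.
    if rtype in ('TXT', 'SPF') and field == 'address':
        return PRINTABLE_BAD
    # '_' is fine in the owner name of SRV (_sip._tcp), NS (delegated SRV),
    # SPF and TXT (_dmarc, _domainkey), but not in their hostname-valued addresses.
    if rtype in ('SRV', 'TXT', 'SPF', 'NS') and field == 'name':
        return UNDERSCORE_OK_BAD
    # CNAME delegation needs '_' on BOTH sides: _dmarc.client.com CNAME _dmarc.provider.com
    if rtype == 'CNAME':
        return UNDERSCORE_OK_BAD
    return HOSTNAME_BAD


def sanity_errors(rtype: str, name: str, address: str) -> list:
    """Return the sanity-error messages a record would trigger, or [] if it is clean."""
    errors = []
    for field, value in (('name', name), ('address', address)):
        bad = sorted(set(re.findall(invalid_chars(rtype, field), value)))
        if bad:
            errors.append(f"invalid character(s) in record {field} -- {''.join(bad)}")
    return errors


if __name__ == '__main__':
    # Constructed sample records; client.com / provider.com are placeholders.
    for rec in (('CNAME', '_dmarc.client.com', '_dmarc.provider.com.'),
                ('A', '_dmarc.client.com', '192.0.2.10'),
                ('TXT', '_dmarc.client.com', 'v=DMARC1; p=none; rua=mailto:dmarc@client.com')):
        print(rec, sanity_errors(*rec) or 'OK')
```

Running it shows the delegation CNAME and the DMARC TXT record passing while the same `_dmarc` owner name on an A record is rejected with the "-- _" message from the first post.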
BossRoss