SOA record email address with a dot in the mailbox name is not handled right

Bug #1835409 reported by Olaf Seibert
This bug affects 4 people

Affects: Designate
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

If you create a zone with an email address with a dot in the mailbox name, e.g.

openstack zone create example.com. --email "<email address hidden>"

then the dot in o.seibert is not handled correctly:

$ dig @ns03.cloud.syseleven.net. example.com SOA

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns03.cloud.syseleven.net. example.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58004
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;example.com. IN SOA

;; ANSWER SECTION:
example.com. 21600 IN SOA ns02.cloud.syseleven.net. o.seibert.xxsyselevenxx.de. 1562243380 21600 3600 259200 300

;; Query time: 7 msec
;; SERVER: 195.192.133.58#53(195.192.133.58)
;; WHEN: Thu Jul 04 12:29:48 UTC 2019
;; MSG SIZE rcvd: 126

The mailbox name should have its dot escaped, e.g. o\.seibert.xxsyselevenxx.de.
As it is, the SOA record represents the different email address <email address hidden>.

It can't be expected that the user specifies the email address in some pre-mangled form (and trying openstack zone create --email 'o\.<email address hidden>.' isn't even accepted).

I see this in the Ocata release, but looking at the source, this problem seems to exist also in today's HEAD:

./designate/schema/format.py:

@draft3_format_checker.checks("email")
@draft4_format_checker.checks("email")
def is_email(instance):
    if not isinstance(instance, compat.str_types):
        return True

    # A valid email address. We use the RFC1035 version of "valid".
    if instance.count('@') != 1:
        return False

    rname = instance.replace('@', '.', 1)

    if not re.match(RE_ZONENAME, "%s." % rname):
        return False

    return True

designate/central/service.py:

    # SOA Recordset Methods
    def _build_soa_record(self, zone, ns_records):
        return "%s %s. %d %d %d %d %d" % (ns_records[0]['hostname'],
                                          zone['email'].replace("@", "."),
                                          zone['serial'],
                                          zone['refresh'],
                                          zone['retry'],
                                          zone['expire'],
                                          zone['minimum'])

Both fragments replace the first @ by a . but don't do any other fixups.

Olaf Seibert (oseibert-sys11) wrote :

Note the text in rfc1035 (https://www.ietf.org/rfc/rfc1035.txt):

@ IN SOA VENERA Action\.domains (
                                 20 ; SERIAL
                                 7200 ; REFRESH
                                 600 ; RETRY
                                 3600000; EXPIRE
                                 60) ; MINIMUM
...

Note the use of the \ character in the SOA RR to specify the responsible
person mailbox "Action.domains@E.ISI.EDU".
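
The escaping described in the report and in the RFC 1035 excerpt above, as an added example that is not part of the original report and not Designate code. The function names are hypothetical, the sample address is constructed, and only printable ASCII local parts are handled:

```python
import re

# Added illustration; these helpers are hypothetical, not Designate code.
_SPECIAL = re.compile(r'[.\\"();$]')    # characters escaped in a label
_LABEL_MAX = 63                         # RFC 1035 limit on one label


def email_to_rname(email):
    """Turn 'local@domain' into an RFC 1035 master-file RNAME.

    Special characters in the local part are backslash-escaped so that
    the whole local part remains a single DNS label.
    """
    if email.count("@") != 1:
        raise ValueError("expected exactly one '@'")
    local, domain = email.split("@")
    if not local or not domain.strip("."):
        raise ValueError("empty local part or domain")
    if not all(33 <= ord(c) <= 126 for c in local):
        raise ValueError("local part must be printable ASCII, no spaces")
    if len(local) > _LABEL_MAX:
        raise ValueError("local part longer than one DNS label")
    escaped = _SPECIAL.sub(lambda m: "\\" + m.group(0), local)
    return "%s.%s." % (escaped, domain.rstrip("."))


def rname_to_email(rname):
    """Inverse: split at the first unescaped dot, then drop the escapes."""
    m = re.match(r"((?:\\.|[^.\\])+)\.(.+?)\.?$", rname)
    if not m:
        raise ValueError("not a valid RNAME")
    return "%s@%s" % (re.sub(r"\\(.)", r"\1", m.group(1)), m.group(2))


def naive_rname(email):
    """Behaviour described in the report: only '@' is replaced."""
    return email.replace("@", ".") + "."


if __name__ == "__main__":
    addr = "first.last@example.org"      # constructed sample address
    for rname in (naive_rname(addr), email_to_rname(addr)):
        print("%-28s -> %s" % (rname, rname_to_email(rname)))
```

Reading the unescaped RNAME back shows the mailbox changing to first@last.example.org, which is the misdirection the report describes.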

Olaf Seibert (oseibert-sys11) wrote :

ping

Olaf Seibert (oseibert-sys11) wrote :

ping again

Michael Johnson (johnsom) wrote :

I can confirm this issue. Worse yet, if the user adds the '\' when using OSC, it is removed.

Changed in designate:
status: New → Confirmed
importance: Undecided → High
Olaf Seibert (oseibert-sys11) wrote :

ping again again
