[bug] spf doubling the update

Hello people, I was trying to modify the SPF via the API, and realized that it is duplicated in the DNS records. See attached image.

I tried on two machines, they have the same problem.

By modifying the UI-Virtualmin in "DNS options" set to disallow, the same problem happens.

The SPF record is duplicated. Note: If you try to delete one, the two leave.

It seems that this is not normal.

Bye, sorry for my English.

Status: 
Active

Comments

Complement. to run

"host -t TXT domain.com.br"

appears only one.

Can you attach the actual zone file for this domain to the bug report? I'd like to see what records are in there.

It is possible that there are two records - one with SPF type, and one TXT. This is actually expected.

Like Jamie said, this is possibly two separate records you are seeing; one that's of actual type "SPF" and one older "TXT" type. This is intended. SPF is the newer dedicated SPF record type, and TXT is the older type. Both are added (and they contain identical data) to ensure both backwards- and future-compatibility.

Perhaps the DNS Records list should be enhanced to change from:

Type
SPF - Sender Permitted From
SPF - Sender Permitted From

to:

Type
SPF (SPF) - Sender Permitted From
SPF (TXT) - Sender Permitted From

or something to that effect.

I suppose you want the DNS zone of the domain. It is attached.

It is a test machine I have with virtualbox. The problem also shows in real servers.

Okay that's definitely an issue. Those are 3 different SPF records all of type "TXT". There should only be 1 SPF (TXT) record, and possibly also 1 optional SPF (SPF) record. Even more confusingly, two of the 3 records have identical content... hmm...

In your Virtualmin: System Settings: Server Templates, open up your template and look under "BIND DNS Domain". Is "Add SPF DNS record?" set to "Yes, with server's IP address"? That might at least explain 1 of the 3 records.

Perhaps attempting to edit the SPF (TXT) record via the API is then causing the "Add SPF DNS record" to further freak out and re-add the original, causing the 2nd duplicate?

The 3rd record could be the edit you were attempting to make.

I'm not saying this is exactly what happened but something along those lines seems to be happening here.

What happens if you try disabling the "Add SPF DNS record" option, delete all 3 SPF (TXT) records that are there right now, and then try using the API to add your own SPF (TXT) record from scratch? I assume you would correctly get only a single record then.

If that works, then try re-enabling the "Add SPF DNS record" option and try doing the edit again. If that's indeed the option that's bugging things out, then I expect you to end up with 3 records again.

Yes, that's exactly what happened. The SPF record is changed in 3 places.

1) In BIND DNS Domain - "Add SPF DNS record"
2) DNS Options in domain
3) via API

Removed register via "Api" and "DNS Options in domain" still left 1 record spf. Add SPF DNS record is now disabled!

I think the problem is in how you were using the API to edit the records, combined with the behavior of the "Add SPF DNS record" option.

The fact is that DNS zones are allowed to have multiple TXT records with different content for the same resource "label". I.e. this is totally valid:

mydomain.com. IN TXT "hi there, thanks for querying my DNS!"
mydomain.com. IN TXT "v=spf1 include:_spf.mydomain.com -all"
mydomain.com. IN TXT "virtualmin is pretty neat!"

There is no limitation for the number of TXT records per resource label. Only that they must all be unique.

So, if you tell the API to "add" a TXT record for "mydomain.com", it will NOT delete any of the old TXT records for that resource label, because that would be improper behavior.

This process explains 2 of your 3 records. It does not explain the duplication (that is a genuine bug because you are only allowed to have unique TXT record contents).

So what happens is:

  1. The "ADD SPF DNS record" option adds its SPF(TXT) record.

  2. Your "add" API call is adding a new, extra SPF(TXT) record.

  3. You now have 2 records. I don't know what the 3rd duplicated record is from.

I think the fix will be two things for Jamie:

  1. Find out why there was duplication; you should never allow multiple TXT records with identical contents under any circumstances. In this case it was probably either caused by the "Add DNS SPF record" freaking out and re-adding a record that already existed when he wanted to edit the existing record, or possibly he added both via the API during testing. Either way, make sure the "Add DNS SPF record" does not conflict with manual editing and also change the low-level DNS-zone editing functions so that they never add duplicate TXT records no matter the source of the edit-function call.

  2. Whenever the API is used to "add" a TXT record starting with "v=spf1...", then look for an existing SPF (TXT) record in that zone and delete it, to avoid getting multiple SPF (TXT) records in the zone. Because while it's legal to have multiple TXT records, it's not legal to have multiple SPF(TXT) records.
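The two fixes proposed in the comment above, sketched as an added example (not Virtualmin's code and not part of the original thread). It flags identical TXT duplicates and names that carry more than one "v=spf1" record, which SPF verifiers following RFC 7208 treat as a permanent error, and shows an "add" that replaces the existing SPF record. The function names and the simplified one-line, single-string zone format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample zone: the post's three TXT lines plus a duplicated SPF
# record and a second, different SPF record for the same name.
ZONE = '''\
mydomain.com. IN TXT "hi there, thanks for querying my DNS!"
mydomain.com. IN TXT "v=spf1 include:_spf.mydomain.com -all"
mydomain.com. IN TXT "virtualmin is pretty neat!"
mydomain.com. IN TXT "v=spf1 include:_spf.mydomain.com -all"
mydomain.com. IN TXT "v=spf1 a mx ip4:192.0.2.10 ?all"
'''

TXT_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+TXT\s+"(.*)"\s*$')

def parse_txt(zone_text):
    """Return (owner, text) pairs for one-line, single-string TXT records."""
    found = (TXT_RE.match(l.strip()) for l in zone_text.splitlines())
    return [(m.group(1).lower(), m.group(2)) for m in found if m]

def is_spf(text):
    # An SPF record is "v=spf1" followed by a space or the end of the record.
    t = text.lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")

def audit(records):
    """Return (identical duplicates, {owner: SPF texts} where more than one)."""
    seen, dupes, spf = set(), [], defaultdict(list)
    for rec in records:
        if rec in seen:
            dupes.append(rec)
            continue
        seen.add(rec)
        if is_spf(rec[1]):
            spf[rec[0]].append(rec[1])
    return dupes, {o: v for o, v in spf.items() if len(v) > 1}

def add_txt(records, owner, text):
    """Add a TXT record; never duplicate, and a new SPF replaces the old one."""
    owner, kept = owner.lower(), []
    for rec in dict.fromkeys(records):  # order-preserving de-duplication
        same_name = rec[0] == owner
        if same_name and (rec[1] == text or (is_spf(text) and is_spf(rec[1]))):
            continue
        kept.append(rec)
    return kept + [(owner, text)]
```

Running `audit(parse_txt(ZONE))` on a zone before and after an API edit shows whether the edit left behind a second SPF record or an identical copy.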