virtualmin modify-dns --spf-remove-ip4

Hello Folks!

I found a bug: when trying to modify the SPF record, a new SPF record is added with the modification and the old SPF record remains.

Webmin version 1.630 Virtualmin version 4.00.gpl GPL

I did not notice it from before, just weeks before going into production, now postponed till it is solved.

Checking current SPF record:

[root@lina scripts]# virtualmin get-dns --domain ing-steen.se | grep SPF
ing-steen.se.                  SPF   v=spf1 a mx a:ing-steen.se ip4:80.84.37.
[root@lina scripts]#

[root@lina scripts]# grep spf /var/named/chroot/var/named/master/ing-steen.se.hosts
ing-steen.se.   IN      TXT     "v=spf1 a mx a:ing-steen.se ip4:80.84.37.8 ip4:80.84.37.6 ip4:80.84.37.7 ?all"

Modifying it:

[root@lina scripts]# virtualmin modify-dns --domain ing-steen.se --spf-remove-ip4 80.84.37.8
Updating server ing-steen.se ..
    Updating SPF record ..
    .. done

.. done

Re-starting DNS server ..
.. done

[root@lina scripts]#

Checking what happened:

[root@lina scripts]# virtualmin get-dns --domain ing-steen.se | grep SPF
ing-steen.se.                  SPF   v=spf1 a mx a:ing-steen.se ip4:80.84.37.
ing-steen.se.                  SPF   v=spf1 a mx a:ing-steen.se ip4:80.84.37.
[root@lina scripts]#

[root@lina scripts]# grep spf /var/named/chroot/var/named/master/ing-steen.se.hosts
ing-steen.se.   IN      TXT     "v=spf1 a mx a:ing-steen.se ip4:80.84.37.8 ip4:80.84.37.6 ip4:80.84.37.7 ?all"
ing-steen.se.   IN      TXT     "v=spf1 a mx a:ing-steen.se ip4:80.84.37.6 ip4:80.84.37.7 ?all"

Status: Closed (fixed)

Comments

This looks like a bug.

What does the spf_record= line in the /etc/webmin/bind8/config file contain on your system?

This is a duplicate of http://virtualmin.com/node/27637 "[bug] spf record doubled".

Would be best to move this discussion there? Just click edit on your post, copy the code and paste it over there.

Your precise steps and zone file lines are very valuable and now show that it's Virtualmin that doesn't properly replace the old txt line.

Hello Folks! I got Permission denied when I try to open the other link,

However my spf_record=0 in /etc/webmin/bind8/config

Try changing that line to spf_record=1 , and let us know if the problem still occurs.

Hello Folks!

I changed to spf_record=1

Result is the same as before, new spf record is added in the dns zonefile instead of just updating it as expected.

Hello Folks!

I did try again, it was a false positive, changing to spf_record=1 corrects the problem for me.

However a new record never seen before is added, "ID SPF":

dumperjakob.se. IN TXT "v=spf1 a mx a:dumperjakob.se ip4:80.84.37.6 ip4:80.84.37.7 ~all"
dumperjakob.se. IN SPF "v=spf1 a mx a:dumperjakob.se ip4:80.84.37.6 ip4:80.84.37.7 ~all"

I tried to change around a bit, now only one record is there at all time, well those two above :-)

I suspect that a fundamental change needs to be done to how Virtualmin scans for pre-existing SPF records.

It needs to scan every SPF and TXT record for the zone itself (just the domain, NOT subdomains), and see if anything begins with "v=spf1", and if so then treat that as the current SPF record whenever editing/deleting.

Take this example:

example.net.    IN    SPF    "v=spf1 include:_spf.example.net -all"
example.net.    IN    TXT    "v=spf1 include:_spf.example.net -all"
_spf.example.net.    IN    SPF    "v=spf1 a:mxf1.examplemail.com/24 a:mx1.example.net ?all"
_spf.example.net.    IN    TXT    "v=spf1 a:mxf1.examplemail.com/24 a:mx1.example.net ?all"

In that example, it should detect the first two entries as the SPF record for the domain. In case they are de-synced, give precedence to the SPF record (rather than the TXT record), as SPF is the 1st record that querying servers look for and use (DNS query order is: type:SPF, otherwise ask for type:TXT, otherwise fail).

I am assuming that Virtualmin makes a lot of assumptions about the old record, i.e. expecting it to be the exact same record/line that it had inserted previously, etc.

But there can only be 1 SPF/TXT record per domain, so no need to assume anything, just scan for all "v=spf1" records that are in the zone.
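
An added example, not part of the thread and not Virtualmin's code: a zone-file check for the duplicate reported above and for the per-name "v=spf1" scan described in the preceding comment. It assumes one record per line with an explicit owner name, as in the zone lines quoted in the report; the function names and the sample zone are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two TXT lines from the report after modify-dns ran,
# plus an unrelated TXT record and a subdomain record that must not count.
SAMPLE_ZONE = '''\
ing-steen.se.   IN      TXT     "v=spf1 a mx a:ing-steen.se ip4:80.84.37.8 ip4:80.84.37.6 ip4:80.84.37.7 ?all"
ing-steen.se.   IN      TXT     "v=spf1 a mx a:ing-steen.se ip4:80.84.37.6 ip4:80.84.37.7 ?all"
ing-steen.se.   IN      TXT     "site-verification=constructed"
_spf.ing-steen.se. IN   TXT     "v=spf1 ip4:80.84.37.6 ?all"
'''

# owner [ttl] [class] type rdata ; lines starting with ';' are comments
RR = re.compile(r'^([^\s;]\S*)\s+(?:\d+\s+)?(?:IN\s+)?(TXT|SPF)\s+(.*)$', re.I)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def spf_records(zone_text):
    """Map owner name -> {"TXT": [...], "SPF": [...]} for v=spf1 records."""
    found = defaultdict(lambda: {"TXT": [], "SPF": []})
    for line in zone_text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        # A TXT record split into several strings is joined without separators.
        value = "".join(QUOTED.findall(rdata))
        if value.lower() == "v=spf1" or value.lower().startswith("v=spf1 "):
            found[owner][rtype].append(value)
    return found

def audit(zone_text):
    """Return (owner, problem) findings for duplicate or de-synced SPF data."""
    # RFC 7208 section 4.5: more than one v=spf1 record at a name is a permerror.
    findings = []
    for owner, by_type in sorted(spf_records(zone_text).items()):
        for rtype, values in by_type.items():
            if len(values) > 1:
                findings.append((owner, f"{len(values)} {rtype} records start with v=spf1"))
        if by_type["TXT"] and by_type["SPF"] and set(by_type["TXT"]) != set(by_type["SPF"]):
            findings.append((owner, "TXT and SPF copies differ"))
    return findings

if __name__ == "__main__":
    for owner, problem in audit(SAMPLE_ZONE):
        print(f"{owner}: {problem}")
```

Run against a zone file after each `virtualmin modify-dns` SPF change, an empty result means every name has at most one SPF policy per record type and the TXT and SPF copies agree.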

aitte - the current behavior is that it just looks for the first SPF or TXT record in SPF format for the domain (not sub-domains), and uses that. When saving, the first SPF and TXT records that start with v=spf1 (for the domain) are updated.

Ahh, so you're already using that process for finding the record. Great to hear.

Makes me even more confused about why there are duplicates... I'd expect the full process to be: 1. Find the old record, 2. Edit it in-place.

Sounds quite simple. Oh well I'll continue to watch this ticket, as I am interested in the conclusion as well.

So there was a Virtualmin bug that caused the original issue of duplicates - setting spf_record=1 works around it. The next release will include a proper fix.

Automatically closed -- issue fixed for 2 weeks with no activity.