[Freeipa-users] Re: TXT - SPF & DKIM
On Wed, 26 Jul 2023 10:39:58 -0400 Rob Crittenden via FreeIPA-users wrote:

> lejeczek via FreeIPA-users wrote:
> >
> > On 26/07/2023 11:07, Jernej Jakob wrote:
> >> I don't see the behavior you describe, for example I have DKIM records
> >> in the format:
> >>
> >> "v=DKIM1; k=rsa; t=s; " "p=MIIB..." "..."
> >>
> >> where "..." is the public key split into multiple chunks of
> >> arbitrary length to make it more readable in the FreeIPA WebUI (it has a
> >> bug where it doesn't line break long text into multiple lines, but it
> >> does line breaks on whitespace)
> >>
> >> If I dig this record I get exactly the data I entered into the text
> >> record box in FreeIPA WebUI. The spaces are left intact in the quoted
> >> string. So I don't know how your system behaves as you describe, maybe
> >> it's different between versions?
> >>
> >> If I enter data without quotes, for example 'v=spf1 mx -all' (without
> >> the single quotes) dig will return "v=spf1" "mx" "-all", maybe that's
> >> what you're seeing?
> >>
> >> On Wed, 26 Jul 2023 08:57:50 +0200
> >> lejeczek via FreeIPA-users wrote:
> >>
> >>> On 24/07/2023 10:13, Jernej Jakob wrote:
> >>>> On Sun, 23 Jul 2023 14:22:48 +0200
> >>>> lejeczek via FreeIPA-users wrote:
> >>>>
> >>>>> Hi guys.
> >>>>>
> >>>>> Would you know a correct or best-practice way to add such
> >>>>> records.
> >>>>> When I look at how those resolve for some (a few I tried)
> >>>>> well-known domains - in order to get the same/similar with
> >>>>> IPA it seems, that I have to escape some chars, namely
> >>>>> white-spaces.
> >>>>> Is that normal/expected - it did not feel as such to me.
> >>>>>
> >>>>> many thanks, L.
> >>>> Put double quotes around the text. You can also split it into multiple
> >>>> quoted strings separated by whitespace. It will be served as-is.
> >>>>
> >>>> If the record has text and whitespace that is not quoted, each string
> >>>> separated by whitespace will be quoted separately. After the client
> >>>> concatenates the result the whitespaces will be lost. That's probably
> >>>> what you're experiencing.
> >>>>
> >>>> https://kb.isc.org/docs/aa-00356
> >>> That is what I meant - perhaps vaguely enough - that quotes,
> >>> single or double did not do, I still had to escape
> >>> white-spaces otherwise each such space did create separate
> >>> string - at least _dig_ shows it that way.
> >>> VERSION: 4.10.1, API_VERSION: 2.251
> > in/with CLI it seems to be a 'must':
> > ...-txt-rec='v=spf1\ mx\ a\ ip4:aa.bb.cc.dd\ a:mail.dom.mine\ -all'
> > otherwise, without escaping, such record resolves to:
> > "v=spf1" "mx" "a" "ip4:..." .
> > as opposed to one string - which was what I expected.
> > So.. it works, there is a way to have it set "correctly" but - if devel
> > reads this - it's somewhat counter-intuitive, the quoting is.
>
> I'm no DNS expert, but I think you need the double quotes around the
> value. This is also needed with flat files.
>
> You can do this by wrapping the double-quote in single quotes:
>
> $ ipa -vvv dnsrecord-add example.test test --txt-rec='"v=spf1 mx a ip4:aa.bb.cc.dd a:mail.dom.mine -all"'
> ...
> $ dig +short -t txt test.example.test.
> "v=spf1 mx a ip4:aa.bb.cc.dd a:mail.dom.mine -all"
>
> rob

Indeed, it seems like BIND takes the value presented to it via bind-dyndb-ldap as a literal replacement of what it would otherwise see in a zone file. FreeIPA doesn't do any "prettying" modification or automatic quoting of a TXT value. I think that's the best way, but might be unintuitive for someone who doesn't expect it and is used to the way other cloud DNS providers do it, which is usually to insert the quotes around the value. So with FreeIPA you have to insert double quotes, like I and Rob pointed out in shell you can single quote the double quoted string and not lose the
[Freeipa-users] Re: TXT - SPF & DKIM
lejeczek via FreeIPA-users wrote:
>
> On 26/07/2023 11:07, Jernej Jakob wrote:
>> I don't see the behavior you describe, for example I have DKIM records
>> in the format:
>>
>> "v=DKIM1; k=rsa; t=s; " "p=MIIB..." "..."
>>
>> where "..." is the public key split into multiple chunks of
>> arbitrary length to make it more readable in the FreeIPA WebUI (it has a
>> bug where it doesn't line break long text into multiple lines, but it
>> does line breaks on whitespace)
>>
>> If I dig this record I get exactly the data I entered into the text
>> record box in FreeIPA WebUI. The spaces are left intact in the quoted
>> string. So I don't know how your system behaves as you describe, maybe
>> it's different between versions?
>>
>> If I enter data without quotes, for example 'v=spf1 mx -all' (without
>> the single quotes) dig will return "v=spf1" "mx" "-all", maybe that's
>> what you're seeing?
>>
>> On Wed, 26 Jul 2023 08:57:50 +0200
>> lejeczek via FreeIPA-users wrote:
>>
>>> On 24/07/2023 10:13, Jernej Jakob wrote:
>>>> On Sun, 23 Jul 2023 14:22:48 +0200
>>>> lejeczek via FreeIPA-users wrote:
>>>>
>>>>> Hi guys.
>>>>>
>>>>> Would you know a correct or best-practice way to add such
>>>>> records.
>>>>> When I look at how those resolve for some (a few I tried)
>>>>> well-known domains - in order to get the same/similar with
>>>>> IPA it seems, that I have to escape some chars, namely
>>>>> white-spaces.
>>>>> Is that normal/expected - it did not feel as such to me.
>>>>>
>>>>> many thanks, L.
>>>> Put double quotes around the text. You can also split it into multiple
>>>> quoted strings separated by whitespace. It will be served as-is.
>>>>
>>>> If the record has text and whitespace that is not quoted, each string
>>>> separated by whitespace will be quoted separately. After the client
>>>> concatenates the result the whitespaces will be lost. That's probably
>>>> what you're experiencing.
>>>>
>>>> https://kb.isc.org/docs/aa-00356
>>> That is what I meant - perhaps vaguely enough - that quotes,
>>> single or double did not do, I still had to escape
>>> white-spaces otherwise each such space did create separate
>>> string - at least _dig_ shows it that way.
>>> VERSION: 4.10.1, API_VERSION: 2.251
> in/with CLI it seems to be a 'must':
> ...-txt-rec='v=spf1\ mx\ a\ ip4:aa.bb.cc.dd\ a:mail.dom.mine\ -all'
> otherwise, without escaping, such record resolves to:
> "v=spf1" "mx" "a" "ip4:..." .
> as opposed to one string - which was what I expected.
> So.. it works, there is a way to have it set "correctly" but - if devel
> reads this - it's somewhat counter-intuitive, the quoting is.

I'm no DNS expert, but I think you need the double quotes around the
value. This is also needed with flat files.

You can do this by wrapping the double-quote in single quotes:

$ ipa -vvv dnsrecord-add example.test test --txt-rec='"v=spf1 mx a ip4:aa.bb.cc.dd a:mail.dom.mine -all"'
...
$ dig +short -t txt test.example.test.
"v=spf1 mx a ip4:aa.bb.cc.dd a:mail.dom.mine -all"

rob
[Freeipa-users] Re: TXT - SPF & DKIM
On 26/07/2023 11:07, Jernej Jakob wrote:
> I don't see the behavior you describe, for example I have DKIM records
> in the format:
>
> "v=DKIM1; k=rsa; t=s; " "p=MIIB..." "..."
>
> where "..." is the public key split into multiple chunks of
> arbitrary length to make it more readable in the FreeIPA WebUI (it has a
> bug where it doesn't line break long text into multiple lines, but it
> does line breaks on whitespace)
>
> If I dig this record I get exactly the data I entered into the text
> record box in FreeIPA WebUI. The spaces are left intact in the quoted
> string. So I don't know how your system behaves as you describe, maybe
> it's different between versions?
>
> If I enter data without quotes, for example 'v=spf1 mx -all' (without
> the single quotes) dig will return "v=spf1" "mx" "-all", maybe that's
> what you're seeing?
>
> On Wed, 26 Jul 2023 08:57:50 +0200
> lejeczek via FreeIPA-users wrote:
>
>> On 24/07/2023 10:13, Jernej Jakob wrote:
>>> On Sun, 23 Jul 2023 14:22:48 +0200
>>> lejeczek via FreeIPA-users wrote:
>>>
>>>> Hi guys.
>>>>
>>>> Would you know a correct or best-practice way to add such
>>>> records.
>>>> When I look at how those resolve for some (a few I tried)
>>>> well-known domains - in order to get the same/similar with
>>>> IPA it seems, that I have to escape some chars, namely
>>>> white-spaces.
>>>> Is that normal/expected - it did not feel as such to me.
>>>>
>>>> many thanks, L.
>>> Put double quotes around the text. You can also split it into multiple
>>> quoted strings separated by whitespace. It will be served as-is.
>>>
>>> If the record has text and whitespace that is not quoted, each string
>>> separated by whitespace will be quoted separately. After the client
>>> concatenates the result the whitespaces will be lost. That's probably
>>> what you're experiencing.
>>>
>>> https://kb.isc.org/docs/aa-00356
>> That is what I meant - perhaps vaguely enough - that quotes,
>> single or double did not do, I still had to escape
>> white-spaces otherwise each such space did create separate
>> string - at least _dig_ shows it that way.
>> VERSION: 4.10.1, API_VERSION: 2.251

in/with CLI it seems to be a 'must':
...-txt-rec='v=spf1\ mx\ a\ ip4:aa.bb.cc.dd\ a:mail.dom.mine\ -all'
otherwise, without escaping, such record resolves to:
"v=spf1" "mx" "a" "ip4:..." .
as opposed to one string - which was what I expected.
So.. it works, there is a way to have it set "correctly" but - if devel
reads this - it's somewhat counter-intuitive, the quoting is.

thanks, L.
[Freeipa-users] Re: TXT - SPF & DKIM
On Wed, 26 Jul 2023 11:07:17 +0200 Jernej Jakob via FreeIPA-users wrote:

> I don't see the behavior you describe, for example I have DKIM records
> in the format:
>
> "v=DKIM1; k=rsa; t=s; " "p=MIIB..." "..."
>
> where "..." is the public key split into multiple chunks of
> arbitrary length to make it more readable in the FreeIPA WebUI (it has a
> bug where it doesn't line break long text into multiple lines, but it
> does line breaks on whitespace)
>
> If I dig this record I get exactly the data I entered into the text
> record box in FreeIPA WebUI. The spaces are left intact in the quoted
> string. So I don't know how your system behaves as you describe, maybe
> it's different between versions?
>
> If I enter data without quotes, for example 'v=spf1 mx -all' (without
> the single quotes) dig will return "v=spf1" "mx" "-all", maybe that's
> what you're seeing?
>
> On Wed, 26 Jul 2023 08:57:50 +0200
> lejeczek via FreeIPA-users wrote:
>
> > On 24/07/2023 10:13, Jernej Jakob wrote:
> > > On Sun, 23 Jul 2023 14:22:48 +0200
> > > lejeczek via FreeIPA-users wrote:
> > >
> > >> Hi guys.
> > >>
> > >> Would you know a correct or best-practice way to add such
> > >> records.
> > >> When I look at how those resolve for some (a few I tried)
> > >> well-known domains - in order to get the same/similar with
> > >> IPA it seems, that I have to escape some chars, namely
> > >> white-spaces.
> > >> Is that normal/expected - it did not feel as such to me.
> > >>
> > >> many thanks, L.
> > > Put double quotes around the text. You can also split it into multiple
> > > quoted strings separated by whitespace. It will be served as-is.
> > >
> > > If the record has text and whitespace that is not quoted, each string
> > > separated by whitespace will be quoted separately. After the client
> > > concatenates the result the whitespaces will be lost. That's probably
> > > what you're experiencing.
> > >
> > > https://kb.isc.org/docs/aa-00356
> > That is what I meant - perhaps vaguely enough - that quotes,
> > single or double did not do, I still had to escape
> > white-spaces otherwise each such space did create separate
> > string - at least _dig_ shows it that way.
> > VERSION: 4.10.1, API_VERSION: 2.251

I forgot to add - FreeIPA VERSION: 4.9.11, API_VERSION: 2.251, I'm managing DNS through WebUI. Perhaps it's different in CLI, maybe you have to specially escape the double quotes so that they don't get removed by the shell? e.g. '"txt record data ..."' or "\"data ...\""
[Freeipa-users] Re: TXT - SPF & DKIM
I don't see the behavior you describe, for example I have DKIM records in the format:

"v=DKIM1; k=rsa; t=s; " "p=MIIB..." "..."

where "..." is the public key split into multiple chunks of arbitrary length to make it more readable in the FreeIPA WebUI (it has a bug where it doesn't line break long text into multiple lines, but it does line breaks on whitespace)

If I dig this record I get exactly the data I entered into the text record box in FreeIPA WebUI. The spaces are left intact in the quoted string. So I don't know how your system behaves as you describe, maybe it's different between versions?

If I enter data without quotes, for example 'v=spf1 mx -all' (without the single quotes) dig will return "v=spf1" "mx" "-all", maybe that's what you're seeing?

On Wed, 26 Jul 2023 08:57:50 +0200 lejeczek via FreeIPA-users wrote:

> On 24/07/2023 10:13, Jernej Jakob wrote:
> > On Sun, 23 Jul 2023 14:22:48 +0200
> > lejeczek via FreeIPA-users wrote:
> >
> >> Hi guys.
> >>
> >> Would you know a correct or best-practice way to add such
> >> records.
> >> When I look at how those resolve for some (a few I tried)
> >> well-known domains - in order to get the same/similar with
> >> IPA it seems, that I have to escape some chars, namely
> >> white-spaces.
> >> Is that normal/expected - it did not feel as such to me.
> >>
> >> many thanks, L.
> > Put double quotes around the text. You can also split it into multiple
> > quoted strings separated by whitespace. It will be served as-is.
> >
> > If the record has text and whitespace that is not quoted, each string
> > separated by whitespace will be quoted separately. After the client
> > concatenates the result the whitespaces will be lost. That's probably
> > what you're experiencing.
> >
> > https://kb.isc.org/docs/aa-00356
> That is what I meant - perhaps vaguely enough - that quotes,
> single or double did not do, I still had to escape
> white-spaces otherwise each such space did create separate
> string - at least _dig_ shows it that way.
> VERSION: 4.10.1, API_VERSION: 2.251
[Freeipa-users] Re: TXT - SPF & DKIM
On 24/07/2023 10:13, Jernej Jakob wrote:
> On Sun, 23 Jul 2023 14:22:48 +0200
> lejeczek via FreeIPA-users wrote:
>
>> Hi guys.
>>
>> Would you know a correct or best-practice way to add such
>> records.
>> When I look at how those resolve for some (a few I tried)
>> well-known domains - in order to get the same/similar with
>> IPA it seems, that I have to escape some chars, namely
>> white-spaces.
>> Is that normal/expected - it did not feel as such to me.
>>
>> many thanks, L.
> Put double quotes around the text. You can also split it into multiple
> quoted strings separated by whitespace. It will be served as-is.
>
> If the record has text and whitespace that is not quoted, each string
> separated by whitespace will be quoted separately. After the client
> concatenates the result the whitespaces will be lost. That's probably
> what you're experiencing.
>
> https://kb.isc.org/docs/aa-00356

That is what I meant - perhaps vaguely enough - that quotes, single or double did not do, I still had to escape white-spaces otherwise each such space did create separate string - at least _dig_ shows it that way.

VERSION: 4.10.1, API_VERSION: 2.251
[Freeipa-users] Re: TXT - SPF & DKIM
On Sun, 23 Jul 2023 14:22:48 +0200 lejeczek via FreeIPA-users wrote:

> Hi guys.
>
> Would you know a correct or best-practice way to add such
> records.
> When I look at how those resolve for some (a few I tried)
> well-known domains - in order to get the same/similar with
> IPA it seems, that I have to escape some chars, namely
> white-spaces.
> Is that normal/expected - it did not feel as such to me.
>
> many thanks, L.

Put double quotes around the text. You can also split it into multiple quoted strings separated by whitespace. It will be served as-is.

If the record has text and whitespace that is not quoted, each string separated by whitespace will be quoted separately. After the client concatenates the result the whitespaces will be lost. That's probably what you're experiencing.

https://kb.isc.org/docs/aa-00356
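
The quoting behaviour discussed in this thread, as an added example that is not part of any message above and is not FreeIPA or BIND code: a small Python model of how zone-file (RFC 1035) TXT presentation text is split into character-strings, which SPF and DKIM verifiers then concatenate without adding spaces. The function names are hypothetical and ASCII input is assumed; the sample values are the ones quoted in the thread.

```python
# Added example: models RFC 1035 zone-file TXT syntax; not FreeIPA/BIND code.
DIGITS = "0123456789"

def split_character_strings(rdata):
    """Split TXT presentation text into its <character-string> items."""
    strings, buf = [], []
    in_item = in_quotes = False
    i = 0
    while i < len(rdata):
        ch = rdata[i]
        if ch == "\\":
            esc = rdata[i + 1:i + 4]
            if not esc:
                raise ValueError("dangling backslash")
            if len(esc) == 3 and all(c in DIGITS for c in esc):
                if int(esc) > 255:
                    raise ValueError("\\DDD escape out of range")
                buf.append(chr(int(esc)))   # \DDD: octet given in decimal
                i += 4
            else:
                buf.append(esc[0])          # \X: X taken literally, e.g. "\ "
                i += 2
            in_item = True
        elif ch == '"':
            if in_quotes or in_item:        # closing quote, or quote after bare token
                strings.append("".join(buf))
                buf = []
            in_quotes = not in_quotes
            in_item = in_quotes
            i += 1
        elif ch.isspace() and not in_quotes:
            if in_item:                     # unquoted whitespace ends the item
                strings.append("".join(buf))
                buf, in_item = [], False
            i += 1
        else:
            buf.append(ch)
            in_item = True
            i += 1
    if in_quotes:
        raise ValueError("unterminated quoted string")
    if in_item:
        strings.append("".join(buf))
    return strings

def check_txt(rdata):
    """Report what a resolver client ends up with for this TXT value."""
    parts = split_character_strings(rdata)
    joined = "".join(parts)                 # clients join with no separator
    return {
        "strings": parts,
        "joined": joined,
        # a single character-string carries at most 255 octets on the wire
        "oversize": [n for n, p in enumerate(parts) if len(p) > 255],
        # only meaningful for SPF: version tag must be followed by space or end
        "spf_ok": joined == "v=spf1" or joined.startswith("v=spf1 "),
    }

# Values as entered in the thread (what reaches the DNS server after the shell).
UNQUOTED = 'v=spf1 mx a ip4:aa.bb.cc.dd a:mail.dom.mine -all'
QUOTED = '"v=spf1 mx a ip4:aa.bb.cc.dd a:mail.dom.mine -all"'
ESCAPED = r'v=spf1\ mx\ a\ ip4:aa.bb.cc.dd\ a:mail.dom.mine\ -all'
DKIM_CHUNKS = '"v=DKIM1; k=rsa; t=s; " "p=MIIB..." "..."'

if __name__ == "__main__":
    for name in ("UNQUOTED", "QUOTED", "ESCAPED", "DKIM_CHUNKS"):
        print(name, check_txt(globals()[name]))
```

The unquoted form yields six strings whose concatenation no longer contains the spaces an SPF record needs, while the quoted and backslash-escaped forms produce the same single string.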