
[Forwarded to devs] DNS might generate an invalid zone file

H9k

Regular Pleskian
TITLE:
DNS might generate an invalid zone file
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk 17.5.3, Ubuntu 16.04, x64
PROBLEM DESCRIPTION:
It is possible to create TXT records that contain data that fails the BIND syntax check. On the next BIND restart, the zone gets unloaded and in Plesk there are no warnings about this, which means potentially that customers can make their domain unreachable after the zones hit expiry on the slave DNS servers.
STEPS TO REPRODUCE:
Create TXT record with bogus data. In my case it was a 2048 bit DKIM record:
v=DKIM1; g=*; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqGYevV+7cC/VszRnPWD8FbnKGCLpKyKK0OhFX2YIfoQyzlG/8MQErz/XuoyAeErrNSYaPMqtq9mTJFxrmUOp11ZBVRieB3RHIlcPeOe1qyMja0IJQAWhCdy4qgMLPRVSY6pJ5DeQ4XJRu/N2hqCQ8HGnWn3ni4kk2wLVssGX27UiXZKUN/+pyNXL1/ab5QUlPUYvN2aEGQ8bBfPm0I/WuCTVzr9fFDzsD+pk5Es2d4/CjUtnn/i2sv+gW8vle+Rsl8Xb6ztq0k0oFqHqVFSI1s2oBvslHddsOHojRbALSzuZR73kfLllVPeDRALNQ6qxq1bRV6DHwjOnzJI7uai8LQIDABAQ;

named-checkzone domain.tld /var/named/run-root/var/domain.tld
dns_rdata_fromtext: /var/named/run-root/var/domain.tld:26: syntax error
zone domain.tld/IN: loading from master file /var/named/run-root/var/domain.tld failed: syntax error
zone domain.tld/IN: not loaded due to errors.
ACTUAL RESULT:
Plesk saves successfully, but Bind fails to reload the zone.
Apparently, my Bind does not support 2048 bit keys. Adding a 1024 bit key to the zone was fine.
EXPECTED RESULT:
Maybe Plesk should run named-checkzone against the updated zone to check if it works fine.
named-checkzone <domain> /var/named/run-root/var/<domain>
ANY ADDITIONAL INFORMATION:
Bind version 9.10.3.dfsg.P4-8ubuntu1.6
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
@H9k

That's actually an issue with BIND itself, where the max number of characters allowed for TXT entries is 255 characters. There is a workaround that involves manually editing the zone record, which is a moot point since Plesk will just overwrite the file when you go to update your DNS anyway.

I've already provided a suggestion to the team and @IgorG is going to talk it over with the developers to get it implemented. Basically my suggestion is to have Plesk check the record to see if it's over 255 characters and, if so, to convert it into a multi-string, since applications requesting records from the DNS need to see multi-strings as one string (RFC 1035, section 3.3.14, and RFC 4408, section 3.1.3).

In other words, something like:

    IN TXT "v=spf1 ..... first" "second string..."

will be treated as:

    IN TXT "v=spf1 .... firstsecond string..."

Then the applications (such as an email server) will see the completed string.

For now, a workaround, if you have the ability to (which it looks like you did already), is to use a 1024 bit key instead of a 2048 bit key. Another workaround is to use a third-party DNS server that does have support for multi-strings, such as the DNS server provided by your registrar (most registrars support long strings, as far as I know; at least Google Domains did).
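The splitting the reply describes, as an added worked example that is not Plesk's or BIND's code and was not posted by either participant: TXT data longer than 255 octets is cut into several quoted <character-string>s, rendered as a zone-file line that named-checkzone would accept, parsed back out of that line, and re-joined with no separator the way a consuming application does. It goes slightly beyond the thread by also escaping backslashes and double quotes in the quoted strings. The sample input is the 2048-bit DKIM value from the report above; the owner name mail._domainkey, the TTL and the check_txt_data pre-save check are assumptions for illustration.

```python
"""Split, emit, parse and re-join DNS TXT data that exceeds the
RFC 1035 <character-string> limit. Added example, not Plesk or BIND code."""
from __future__ import annotations

import math

# RFC 1035 section 3.3.14: TXT-DATA is one or more <character-string>s, and a
# <character-string> is a length octet followed by at most 255 octets of data.
MAX_CHARACTER_STRING = 255

# Sample input taken from the bug report above (a 2048-bit DKIM public key).
# Its length is what makes a single-string TXT line fail to load.
DKIM_2048 = (
    "v=DKIM1; g=*; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqGYevV+7cC/VszRnPWD8"
    "FbnKGCLpKyKK0OhFX2YIfoQyzlG/8MQErz/XuoyAeErrNSYaPMqtq9mTJFxrmUOp"
    "11ZBVRieB3RHIlcPeOe1qyMja0IJQAWhCdy4qgMLPRVSY6pJ5DeQ4XJRu/N2hqCQ"
    "8HGnWn3ni4kk2wLVssGX27UiXZKUN/+pyNXL1/ab5QUlPUYvN2aEGQ8bBfPm0I/W"
    "uCTVzr9fFDzsD+pk5Es2d4/CjUtnn/i2sv+gW8vle+Rsl8Xb6ztq0k0oFqHqVFSI"
    "1s2oBvslHddsOHojRbALSzuZR73kfLllVPeDRALNQ6qxq1bRV6DHwjOnzJI7uai8"
    "LQIDABAQ;"
)


def split_txt_data(data: str, limit: int = MAX_CHARACTER_STRING) -> list[str]:
    """Cut TXT data into <character-string>s of at most `limit` octets each.

    The limit counts octets, so the data is encoded first. SPF and DKIM values
    are ASCII; anything else is refused rather than risk cutting a multi-byte
    character in half.
    """
    raw = data.encode("ascii")  # raises UnicodeEncodeError on non-ASCII input
    if not raw:
        return [""]  # a TXT record carries at least one (possibly empty) string
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def join_txt_strings(strings: list[str]) -> str:
    """What a consuming application does (RFC 4408 section 3.1.3):
    concatenate the strings with no separator to recover the original data."""
    return "".join(strings)


def quote_zone_string(s: str) -> str:
    """Quote one <character-string> for a master-file TXT RDATA field,
    escaping backslashes and double quotes (RFC 1035 section 5.1)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def txt_record_line(owner: str, data: str, ttl: int = 3600) -> str:
    """Render a complete TXT resource record line, splitting the data into as
    many quoted strings as the 255-octet limit requires."""
    strings = " ".join(quote_zone_string(s) for s in split_txt_data(data))
    return f"{owner}\t{ttl}\tIN\tTXT\t{strings}"


def parse_txt_rdata(rdata: str) -> list[str]:
    """Parse the quoted-string part of a TXT line back into its strings.
    Handles the \\\\ and \\" escapes that quote_zone_string produces (not the
    \\DDD decimal form); anything outside quotes other than whitespace is an error."""
    strings: list[str] = []
    current: list[str] = []
    in_quote = escaped = False
    for ch in rdata:
        if escaped:
            current.append(ch)
            escaped = False
        elif in_quote and ch == "\\":
            escaped = True
        elif ch == '"':
            if in_quote:
                strings.append("".join(current))
                current = []
            in_quote = not in_quote
        elif in_quote:
            current.append(ch)
        elif not ch.isspace():
            raise ValueError(f"unexpected character outside quotes: {ch!r}")
    if in_quote or escaped:
        raise ValueError("unterminated quoted string")
    return strings


def check_txt_data(data: str, limit: int = MAX_CHARACTER_STRING) -> list[str]:
    """Hypothetical pre-save check of the kind the report asks for: explain why
    a single-string TXT value would fail to load, before it reaches the zone file."""
    try:
        raw = data.encode("ascii")
    except UnicodeEncodeError:
        return ["TXT data contains non-ASCII characters"]
    if len(raw) > limit:
        needed = math.ceil(len(raw) / limit)
        return [f"single string is {len(raw)} octets, limit is {limit}; "
                f"split into {needed} strings"]
    return []


if __name__ == "__main__":
    print(check_txt_data(DKIM_2048))
    line = txt_record_line("mail._domainkey", DKIM_2048)
    print(line)
    rdata = line.split("\tTXT\t", 1)[1]
    assert join_txt_strings(parse_txt_rdata(rdata)) == DKIM_2048
```

Running the script prints the reason the original single-string line fails, then the multi-string line that loads cleanly; the final assertion confirms that parsing the rendered line and joining its strings gives back exactly the original DKIM value, which is the property the reply relies on.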