mirror/stackexchange-dnscontrol
1
0
Fork 0
mirror of https://github.com/StackExchange/dnscontrol.git synced 2024-05-11 05:55:12 +00:00
Code Issues Releases Activity

NEW FEATURE: IGNORE() (diff2 only) (#2388)

Browse Source 
Co-authored-by: Jeffrey Cafferata <jeffrey@jcid.nl>
This commit is contained in:
Tom Limoncelli
2023-05-24 15:14:36 -04:00
committed by GitHub
parent 64f083af4e
commit 0b7dabacc8
20 changed files with 890 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

173
commands/types/dnscontrol.d.ts vendored
View File

@ -551,6 +551,169 @@ declare function DnsProvider(name: string, nsCount?: number): DomainModifier;
declare function FRAME(name: string, target: string, ...modifiers: RecordModifier[]): DomainModifier;
/**
* `IGNORE()` makes it possible for DNSControl to share management of a domain with an
* external system. The parameters of `IGNORE()` indicate which records are managed
* elsewhere and should not be touched.
*
* Suppose a domain is managed by both DNSControl and a third-party system. This creates
* a problem because DNSControl will try to delete records inserted by the other system. The
* other system may get confused and re-insert those records. The two systems will always
* be modifying the records.
*
* To solve this problem simply include `IGNORE()` statements that identify which records
* are managed elsewhere and should be ignored
*
* Technically `IGNORE_NAME` is a promise that DNSControl will not modify or
* delete existing records that match particular patterns. It is like
* [`NO_PURGE`](../domain/NO_PURGE.md) that matches only specific records.
*
* Including a record that is ignored is considered an error and may have undefined behavior.
*
* ## Syntax
*
* ```
* IGNORE(labelSpec, typeSpec, targetSpec):
* IGNORE(labelSpec, typeSpec):
* IGNORE(labelSpec):
* ```
*
* * `labelSpec` is a glob that matches the DNS label. For example `"foo"` or `"foo*"`. `"*"` matches all labels, as does the empty string (`""`).
* * `typeSpec` is a comma-separated list of DNS types. `"*"` matches all DNS types, as does the empty string (`""`). For example "A" matches DNS A records, "A,CNAME" matches both A and CNAME records.
* * `targetSpec` is a glob that matches the DNS target. For example `"foo"` or `"foo*"`. `"*"` matches all targets, as does the empty string (`""`).
*
* typeSpec and targetSpec default to `"*"` if they are omitted.
*
* ## Globs
*
* The `labelSpec` and `targetSpec` parameters supports glob patterns in the style
* of the [gobwas/glob](https://github.com/gobwas/glob) library. All of the
* following patterns will work:
*
* * `IGNORE("*.foo")` will ignore all records in the style of `bar.foo`, but will not ignore records using a double
* subdomain, such as `foo.bar.foo`.
* * `IGNORE("**.foo")` will ignore all subdomains of `foo`, including double subdomains.
* * `IGNORE("?oo")` will ignore all records of three symbols ending in `oo`, for example `foo` and `zoo`. It will
* not match `.`
* * `IGNORE("[abc]oo")` will ignore records `aoo`, `boo` and `coo`. `IGNORE("[a-c]oo")` is equivalent.
* * `IGNORE("[!abc]oo")` will ignore all three symbol records ending in `oo`, except for `aoo`, `boo`, `coo`. `IGNORE("[!a-c]oo")` is equivalent.
* * `IGNORE("{bar,[fz]oo}")` will ignore `bar`, `foo` and `zoo`.
* * `IGNORE("\\*.foo")` will ignore the literal record `*.foo`.
*
* ## Examples
*
* General examples:
*
* ```javascript
* D("example.com",
* IGNORE("foo"), // matches any records on foo.example.com
* IGNORE("baz", "A"), // matches any A records on label baz.example.com
* IGNORE("*", "MX", "*"), // matches all MX records
* IGNORE("*", "CNAME", "dev-*"), // matches CNAMEs pointing to hosts that start with dev-*
* IGNORE("bar", "A,MX"), // ignore only A and MX records for name bar
* IGNORE("*", "*", "dev-*), // Ignore targets with a `dev-` prefix
* IGNORE("*", "A", "1\.2\.3\."), // Ignore targets that match the 1.2.3.0/24 CIDR block.
* );
* ```
*
* Ignore Let's Encrypt (ACME) validation records:
*
* ```
* IGNORE("_acme-challenge.**", "TXT"),
* ```
*
* Ignore DNS records typically inserted by Microsoft ActiveDirectory:
*
* ```
* IGNORE("_gc.**", "SRV"), // General Catalog
* IGNORE("_kerberos.**", "SRV"), // Kerb5 server
* IGNORE("_kpasswd.**", "SRV"), // Kpassword
* IGNORE("_ldap.**", "SRV"), // LDAP
* IGNORE("_msdcs", "NS"), // Microsoft Domain Controller Service
* IGNORE("_vlmcs.**", "SRV"), // FQDN of the KMS host
* IGNORE("domaindnszones", "A"),
* IGNORE("forestdnszones", "A"),
* ```
*
* ## Don't insert and ignore the same item
*
* It is considered as an error to try to ignore records that
* you yourself are inserting into a domain.
*
* This will generate an error:
*
* ```
* D("example.com", ...
* ...
* TXT("myhost", "mytext"),
* IGNORE("myhost", "*", "*"),
* ...
* ```
*
* To disable this safety check, add the `DISABLE_IGNORE_SAFETY_CHECK` statement to the `D()`.
*
* ```
* D("example.com", ...
* DISABLE_IGNORE_SAFETY_CHECK,
* ...
* TXT("myhost", "mytext"),
* IGNORE("myhost", "*", "*"),
* ...
* ```
*
* FYI: Previously DNSControl permitted disabling this check on
* a per-record basis using `IGNORE_NAME_DISABLE_SAFETY_CHECK`:
*
* ```
* // THIS NO LONGER WORKS! Use DISABLE_IGNORE_SAFETY_CHECK instead.
* TXT("myhost", "mytext", IGNORE_NAME_DISABLE_SAFETY_CHECK),
* ```
*
* The `IGNORE_NAME_DISABLE_SAFETY_CHECK` feature does not exist in the diff2 world and its use will result in a validation error.
*
* # Errors
*
* * `trying to update/add IGNORE_NAME'd record: foo CNAME`
*
* This means you have both ignored `foo` and included a record (in this
* case, a CNAME) to update it. This is an error because `IGNORE_NAME`
* is a promise not to modify records at a certain label so that others
* may have free reign there. Therefore, DNSControl prevents you from
* modifying that label.
*
* The `foo CNAME` at the end of the message indicates the label name
* (`foo`) and the type of record (`CNAME`) that your dnsconfig.js file
* is trying to insert.
*
* You can override this error by adding the
* `IGNORE_NAME_DISABLE_SAFETY_CHECK` flag to the record.
*
* TXT('vpn', "this thing", IGNORE_NAME_DISABLE_SAFETY_CHECK)
*
* Disabling this safety check creates two risks:
*
* 1. Two owners (DNSControl and some other entity) toggling a record between two settings.
* 2. The other owner wiping all records at this label, which won't be noticed until the next time DNSControl is run.
*
* ## Caveats
*
* WARNING: The `IGNORE_*` family of functions is complex and complex things are risky. Test extensively.
*
* * `IGNORE` is not tested with `D_EXTEND()` and may not work.
* * There is no locking. If the external system and DNSControl make updates at the exact same time, the results are undefined.
* * `targetSpec` does not match fields other than the primary target. For example, `MX` records have a target hostname plus a priority. There is no way to match the priority.
* * The BIND provider can not ignore records it doesn't know about. If it does not have access to an existing zonefile, it will create a zonefile from scratch. That new zonefile will not have any external records.
*
* @see https://docs.dnscontrol.org/language-reference/domain-modifiers/ignore
*/
declare const IGNORE: DomainModifier;
/**
* `IGNORE_NAME(a)` is the same as `IGNORE(a, "*", "*")`.
*
* ## Legacy mode ("diff1")
*
* When `--diff2=false` is used to revert to the old "diff1" algorithm, `IGNORE_NAME()` behaves as follows:
*
* WARNING: The `IGNORE_*` family of functions is risky to use. The code
* is brittle and has subtle bugs. Use at your own risk. Do not use these
* commands with `D_EXTEND()`.
@ -632,6 +795,14 @@ declare function FRAME(name: string, target: string, ...modifiers: RecordModifie
declare function IGNORE_NAME(pattern: string, rTypes?: string): DomainModifier;
/**
* `IGNORE_TARGET_NAME(target)` is the same as `IGNORE("*", "*", target)`.
*
* `IGNORE_TARGET_NAME(target, rtype)` is the same as `IGNORE("*", rtype, target)`.
*
* ## Legacy mode ("diff1")
*
* When `--diff2=false` is used to revert to the old "diff1" algorithm, `IGNORE_NAME()` behaves as follows:
*
* WARNING: The `IGNORE_*` family of functions is risky to use. The code
* is brittle and has subtle bugs. Use at your own risk. Do not use these
* commands with `D_EXTEND()` or use it at the domain apex.
@ -2462,7 +2633,7 @@ declare function M365_BUILDER(opts: { label?: string; mx?: boolean; autodiscover
*
* When used with [`D()`](../global/D.md), it sets the zone id of the domain. This can be used to differentiate between split horizon domains in public and private zones. See this [example](../../providers/route53.md#split-horizon) in the [Amazon Route 53 provider page](../../providers/route53.md).
*
* When used with [`R53_ALIAS()`](../domain/R53_ALIAS.md) it sets the required Route53 hosted zone id in a R53_ALIAS record. See [R53_ALIAS's documentation](../domain/R53_ALIAS.md) for details.
* When used with [`R53_ALIAS()`](../domain/R53_ALIAS.md) it sets the required Route53 hosted zone id in a R53_ALIAS record. See [`R53_ALIAS()`](../domain/R53_ALIAS.md) documentation for details.
*
* @see https://docs.dnscontrol.org/language-reference/record-modifiers/service-provider-specific/amazon-route-53/r53_zone
*/

3
documentation/SUMMARY.md
View File

@ -35,9 +35,10 @@
* [AUTODNSSEC_ON](functions/domain/AUTODNSSEC_ON.md)
* [CAA](functions/domain/CAA.md)
* [CNAME](functions/domain/CNAME.md)
* [DS](functions/domain/DS.md)
* [DefaultTTL](functions/domain/DefaultTTL.md)
* [DISABLE_IGNORE_SAFETY_CHECK](functions/domain/DISABLE_IGNORE_SAFETY_CHECK.md)
* [DnsProvider](functions/domain/DnsProvider.md)
* [DS](functions/domain/DS.md)
* [FRAME](functions/domain/FRAME.md)
* [IGNORE](functions/domain/IGNORE.md)
* [IGNORE_NAME](functions/domain/IGNORE_NAME.md)

23
documentation/functions/domain/DISABLE_IGNORE_SAFETY_CHECK.md Normal file
View File

@ -0,0 +1,23 @@
---
name: DISABLE_IGNORE_SAFETY_CHECK
---
`DISABLE_IGNORE_SAFETY_CHECK()` disables the safety check. Normally it is an
error to insert records that match an `IGNORE()` pattern. This disables that
safety check for the entire domain.
It replaces the per-record `IGNORE_NAME_DISABLE_SAFETY_CHECK()` which is
deprecated as of DNSControl v4.0.0.0.
See [`IGNORE()`](../domain/IGNORE.md) for more information.
## Syntax
```
D("example.com", ...
DISABLE_IGNORE_SAFETY_CHECK,
...
TXT("myhost", "mytext"),
IGNORE("myhost", "*", "*"),
...
```

302
documentation/functions/domain/IGNORE.md
View File

@ -1,8 +1,304 @@
---
name: IGNORE
ts_ignore: true
---
{% hint style="warning" %}
**WARNING**: IGNORE has been renamed to `IGNORE_NAME`. IGNORE will continue to function, but its use is deprecated. Please update your configuration files to use `IGNORE_NAME`.
`IGNORE()` makes it possible for DNSControl to share management of a domain
with an external system. The parameters of `IGNORE()` indicate which records
are managed elsewhere and should not be modified or deleted.
Use case: Suppose a domain is managed by both DNSControl and a third-party
system. This creates a problem because DNSControl will try to delete records
inserted by the other system. The other system may get confused and re-insert
those records. The two systems will get into an endless update cycle where
each will revert changes made by the other in an endless loop.
To solve this problem simply include `IGNORE()` statements that identify which
records are managed elsewhere. DNSControl will not modify or delete those
records.
Technically `IGNORE_NAME` is a promise that DNSControl will not modify or
delete existing records that match particular patterns. It is like
[`NO_PURGE`](../domain/NO_PURGE.md) that matches only specific records.
Including a record that is ignored is considered an error and may have
undefined behavior. This safety check can be disabled using the
[`DISABLE_IGNORE_SAFETY_CHECK`](../domain/DISABLE_IGNORE_SAFETY_CHECK.md) feature.
## Syntax
The `IGNORE()` function can be used with up to 3 parameters:
{% code %}
```javascript
IGNORE(labelSpec, typeSpec, targetSpec):
IGNORE(labelSpec, typeSpec):
IGNORE(labelSpec):
```
{% endcode %}
* `labelSpec` is a glob that matches the DNS label. For example `"foo"` or `"foo*"`. `"*"` matches all labels, as does the empty string (`""`).
* `typeSpec` is a comma-separated list of DNS types. For example `"A"` matches DNS A records, `"A,CNAME"` matches both A and CNAME records. `"*"` matches any DNS type, as does the empty string (`""`).
* `targetSpec` is a glob that matches the DNS target. For example `"foo"` or `"foo*"`. `"*"` matches all targets, as does the empty string (`""`).
`typeSpec` and `targetSpec` default to `"*"` if they are omitted.
## Globs
The `labelSpec` and `targetSpec` parameters supports glob patterns in the style
of the [gobwas/glob](https://github.com/gobwas/glob) library. All of the
following patterns will work:
* `IGNORE("*.foo")` will ignore all records in the style of `bar.foo`, but will not ignore records using a double subdomain, such as `foo.bar.foo`.
* `IGNORE("**.foo")` will ignore all subdomains of `foo`, including double subdomains.
* `IGNORE("?oo")` will ignore all records of three symbols ending in `oo`, for example `foo` and `zoo`. It will not match `.`
* `IGNORE("[abc]oo")` will ignore records `aoo`, `boo` and `coo`. `IGNORE("[a-c]oo")` is equivalent.
* `IGNORE("[!abc]oo")` will ignore all three symbol records ending in `oo`, except for `aoo`, `boo`, `coo`. `IGNORE("[!a-c]oo")` is equivalent.
* `IGNORE("{bar,[fz]oo}")` will ignore `bar`, `foo` and `zoo`.
* `IGNORE("\\*.foo")` will ignore the literal record `*.foo`.
## Typical Usage
General examples:
{% code title="dnsconfig.js" %}
```javascript
D("example.com", ...
IGNORE("foo"), // matches any records on foo.example.com
IGNORE("baz", "A"), // matches any A records on label baz.example.com
IGNORE("*", "MX", "*"), // matches all MX records
IGNORE("*", "CNAME", "dev-*"), // matches CNAMEs with targets prefixed `dev-*`
IGNORE("bar", "A,MX"), // ignore only A and MX records for name bar
IGNORE("*", "*", "dev-*"), // Ignore targets with a `dev-` prefix
IGNORE("*", "A", "1\.2\.3\."), // Ignore targets in the 1.2.3.0/24 CIDR block
END);
```
{% endcode %}
Ignore Let's Encrypt (ACME) validation records:
{% code title="dnsconfig.js" %}
```javascript
D("example.com", ...
IGNORE("_acme-challenge", "TXT"),
IGNORE("_acme-challenge.**", "TXT"),
END);
```
{% endcode %}
Ignore DNS records typically inserted by Microsoft ActiveDirectory:
{% code title="dnsconfig.js" %}
```javascript
D("example.com", ...
IGNORE("_gc", "SRV"), // General Catalog
IGNORE("_gc.**", "SRV"), // General Catalog
IGNORE("_kerberos", "SRV"), // Kerb5 server
IGNORE("_kerberos.**", "SRV"), // Kerb5 server
IGNORE("_kpasswd", "SRV"), // Kpassword
IGNORE("_kpasswd.**", "SRV"), // Kpassword
IGNORE("_ldap", "SRV"), // LDAP
IGNORE("_ldap.**", "SRV"), // LDAP
IGNORE("_msdcs", "NS"), // Microsoft Domain Controller Service
IGNORE("_msdcs.**", "NS"), // Microsoft Domain Controller Service
IGNORE("_vlmcs", "SRV"), // FQDN of the KMS host
IGNORE("_vlmcs.**", "SRV"), // FQDN of the KMS host
IGNORE("domaindnszones", "A"),
IGNORE("domaindnszones.**", "A"),
IGNORE("forestdnszones", "A"),
IGNORE("forestdnszones.**", "A"),
END);
```
{% endcode %}
## Detailed examples
Here are some examples that illustrate how matching works.
All the examples assume the following DNS records are the "existing" records
that a third-party is maintaining. (Don't be confused by the fact that we're
using DNSControl notation for the records. Pretend some other system inserted them.)
{% code title="dnsconfig.js" %}
```javascript
D("example.com", ...
A("@", "151.101.1.69"),
A("www", "151.101.1.69"),
A("foo", "1.1.1.1"),
A("bar", "2.2.2.2"),
CNAME("cshort", "www"),
CNAME("cfull", "www.plts.org."),
CNAME("cfull2", "www.bar.plts.org."),
CNAME("cfull3", "bar.www.plts.org."),
END);
D_EXTEND("more.example.com",
A("foo", "1.1.1.1"),
A("bar", "2.2.2.2"),
CNAME("mshort", "www"),
CNAME("mfull", "www.plts.org."),
CNAME("mfull2", "www.bar.plts.org."),
CNAME("mfull3", "bar.www.plts.org."),
END);
```
{% endcode %}
{% code %}
```javascript
IGNORE("@", "", ""),
// Would match:
// foo.example.com. A 1.1.1.1
// foo.more.example.com. A 1.1.1.1
```
{% endcode %}
{% code %}
```javascript
IGNORE("example.com.", "", ""),
// Would match:
// nothing
```
{% endcode %}
{% code %}
```javascript
IGNORE("foo", "", ""),
// Would match:
// foo.example.com. A 1.1.1.1
```
{% endcode %}
{% code %}
```javascript
IGNORE("foo.**", "", ""),
// Would match:
// foo.more.example.com. A 1.1.1.1
```
{% endcode %}
{% code %}
```javascript
IGNORE("www", "", ""),
// Would match:
// www.example.com. A 174.136.107.196
```
{% endcode %}
{% code %}
```javascript
IGNORE("www.*", "", ""),
// Would match:
// nothing
```
{% endcode %}
{% code %}
```javascript
IGNORE("www.example.com", "", ""),
// Would match:
// nothing
```
{% endcode %}
{% code %}
```javascript
IGNORE("www.example.com.", "", ""),
// Would match:
// none
```
{% endcode %}
{% code %}
```javascript
//IGNORE("", "", "1.1.1.*"),
// Would match:
// foo.example.com. A 1.1.1.1
// foo.more.example.com. A 1.1.1.1
```
{% endcode %}
{% code %}
```javascript
//IGNORE("", "", "www"),
// Would match:
// none
```
{% endcode %}
{% code %}
```javascript
IGNORE("", "", "*bar*"),
// Would match:
// cfull2.example.com. CNAME www.bar.plts.org.
// cfull3.example.com. CNAME bar.www.plts.org.
// mfull2.more.example.com. CNAME www.bar.plts.org.
// mfull3.more.example.com. CNAME bar.www.plts.org.
```
{% endcode %}
{% code %}
```javascript
IGNORE("", "", "bar.**"),
// Would match:
// cfull3.example.com. CNAME bar.www.plts.org.
// mfull3.more.example.com. CNAME bar.www.plts.org.
```
{% endcode %}
## Conflict handling
It is considered as an error for a `dnsconfig.js` to both ignore and insert the
same record in a domain. This is done as a safety mechanism.
This will generate an error:
{% code title="dnsconfig.js" %}
```javascript
D("example.com", ...
...
TXT("myhost", "mytext"),
IGNORE("myhost", "*", "*"), // Error! Ignoring an item we inserted
...
```
{% endcode %}
To disable this safety check, add the `DISABLE_IGNORE_SAFETY_CHECK` statement
to the `D()`.
{% code title="dnsconfig.js" %}
```javascript
D("example.com", ...
DISABLE_IGNORE_SAFETY_CHECK,
...
TXT("myhost", "mytext"),
IGNORE("myhost", "*", "*"),
...
```
{% endcode %}
{% hint style="info" %}
FYI: Previously DNSControl permitted disabling this check on
a per-record basis using `IGNORE_NAME_DISABLE_SAFETY_CHECK`:
{% endhint %}
The `IGNORE_NAME_DISABLE_SAFETY_CHECK` feature does not exist in the diff2
world and its use will result in a validation error. Use the above example
instead.
{% code %}
```javascript
// THIS NO LONGER WORKS! Use DISABLE_IGNORE_SAFETY_CHECK instead. See above.
TXT("myhost", "mytext", IGNORE_NAME_DISABLE_SAFETY_CHECK),
```
{% endcode %}
## Caveats
{% hint style="warning" %}
**WARNING**: Two systems updating the same domain is complex. Complex things are risky. Use `IGNORE()`
as a last resort. Even then, test extensively.
{% endhint %}
* There is no locking. If the external system and DNSControl make updates at the exact same time, the results are undefined.
* IGNORE` works fine with records inserted into a `D()` via `D_EXTEND()`. The matching is done on the resulting FQDN of the label or target.
* `targetSpec` does not match fields other than the primary target. For example, `MX` records have a target hostname plus a priority. There is no way to match the priority.
* The BIND provider can not ignore records it doesn't know about. If it does not have access to an existing zonefile, it will create a zonefile from scratch. That new zonefile will not have any external records. It will seem like they were not ignored, but in reality BIND didn't have visibility to them so that they could be ignored.

6
documentation/functions/domain/IGNORE_NAME.md
View File

@ -8,6 +8,12 @@ parameter_types:
rTypes: string?
---
`IGNORE_NAME(a)` is the same as `IGNORE(a, "*", "*")`.
## Legacy mode ("diff1")
When `--diff2=false` is used to revert to the old "diff1" algorithm, `IGNORE_NAME()` behaves as follows:
{% hint style="warning" %}
**WARNING**: The `IGNORE_*` family of functions is risky to use. The code
is brittle and has subtle bugs. Use at your own risk. Do not use these

8
documentation/functions/domain/IGNORE_TARGET.md
View File

@ -8,6 +8,14 @@ parameter_types:
rType: string
---
`IGNORE_TARGET_NAME(target)` is the same as `IGNORE("*", "*", target)`.
`IGNORE_TARGET_NAME(target, rtype)` is the same as `IGNORE("*", rtype, target)`.
## Legacy mode ("diff1")
When `--diff2=false` is used to revert to the old "diff1" algorithm, `IGNORE_NAME()` behaves as follows:
{% hint style="warning" %}
**WARNING**: The `IGNORE_*` family of functions is risky to use. The code
is brittle and has subtle bugs. Use at your own risk. Do not use these

57
documentation/functions/domain/NO_PURGE.md
View File

@ -2,18 +2,28 @@
name: NO_PURGE
---
`NO_PURGE` indicates that records should not be deleted from a domain.
`NO_PURGE` indicates that existing records should not be deleted from a domain.
Records will be added and updated, but not removed.
`NO_PURGE` is generally used in very specific situations:
Suppose a domain is managed by both DNSControl and a third-party system. This
creates a problem because DNSControl will try to delete records inserted by the
other system.
* A domain is managed by some other system and DNSControl is only used to insert a few specific records and/or keep them updated. For example a DNS Zone that is managed by Active Directory, but DNSControl is used to update a few, specific, DNS records. In this case we want to specify the DNS records we are concerned with but not delete all the other records. This is a risky use of `NO_PURGE` since, if `NO_PURGE` was removed (or buggy) there is a chance you could delete all the other records in the zone, which could be a disaster. That said, domains with some records updated using Dynamic DNS have no other choice.
* To work-around a pseudo record type that is not supported by DNSControl. For example some providers have a fake DNS record type called "URL" which creates a redirect. DNSControl normally deletes these records because it doesn't understand them. `NO_PURGE` will leave those records alone.
By setting `NO_PURGE` on a domain, this tells DNSControl not to delete the
records found in the domain.
In this example DNSControl will insert "foo.example.com" into the
zone, but otherwise leave the zone alone. Changes to "foo"'s IP
address will update the record. Removing the A("foo", ...) record
from DNSControl will leave the record in place.
It is similar to [`IGNORE`](domain/IGNORE.md) but more general.
The original reason for `NO_PURGE` was that a legacy system was adopting
DNSControl. Previously the domain was managed via Microsoft DNS Server's GUI.
ActiveDirectory was in use, so various records were being inserted behind the
scenes. It was decided to use DNSControl to simply insert a few records. The
`NO_PURGE` setting instructed DNSControl not to delete the existing records.
In this example DNSControl will insert "foo.example.com" into the zone, but
otherwise leave the zone alone. Changes to "foo"'s IP address will update the
record. Removing the A("foo", ...) record from DNSControl will leave the record
in place.
{% code title="dnsconfig.js" %}
```javascript
@ -23,19 +33,22 @@ D("example.com", .... , NO_PURGE,
```
{% endcode %}
The main caveat of `NO_PURGE` is that intentionally deleting records
becomes more difficult. Suppose a `NO_PURGE` zone has an record such
as A("ken", "1.2.3.4"). Removing the record from dnsconfig.js will
not delete "ken" from the domain. DNSControl has no way of knowing
the record was deleted from the file The DNS record must be removed
manually. Users of `NO_PURGE` are prone to finding themselves with
an accumulation of orphaned DNS records. That's easy to fix for a
small zone but can be a big mess for large zones.
The main caveat of `NO_PURGE` is that intentionally deleting records becomes
more difficult. Suppose a `NO_PURGE` zone has an record such as A("ken",
"1.2.3.4"). Removing the record from dnsconfig.js will not delete "ken" from
the domain. DNSControl has no way of knowing the record was deleted from the
file The DNS record must be removed manually. Users of `NO_PURGE` are prone
to finding themselves with an accumulation of orphaned DNS records. That's easy
to fix for a small zone but can be a big mess for large zones.
Not all providers support `NO_PURGE`. For example the BIND provider
rewrites zone files from scratch each time, which precludes supporting
`NO_PURGE`. DNSControl will exit with an error if `NO_PURGE` is used
on a driver that does not support it.
## Support
There is also [`PURGE`](PURGE.md) command for completeness. [`PURGE`](PURGE.md) is the
default, thus this command is a no-op.
Prior to DNSControl v4.0.0, not all providers supported `NO_PURGE`.
With introduction of `diff2` algorithm (enabled by default in v4.0.0),
`NO_PURGE` works with all providers.
## See also
* [`PURGE`](domain/PURGE.md) is the default, thus this command is a no-op
* [`IGNORE`](domain/IGNORE.md) is similar to `NO_PURGE` but is more selective

140
integrationTest/integration_test.go
View File

@ -214,6 +214,7 @@ func makeChanges(t *testing.T, prv providers.DNSServiceProvider, dc *models.Doma
dom.IgnoredNames = tst.IgnoredNames
dom.IgnoredTargets = tst.IgnoredTargets
dom.Unmanaged = tst.Unmanaged
dom.UnmanagedUnsafe = tst.UnmanagedUnsafe
models.PostProcessRecords(dom.Records)
dom2, _ := dom.Copy()
@ -433,18 +434,27 @@ type TestGroup struct {
}
type TestCase struct {
Desc string
Records []*models.RecordConfig
IgnoredNames []*models.IgnoreName
IgnoredTargets []*models.IgnoreTarget
Unmanaged []*models.UnmanagedConfig
Changeless bool // set to true if any changes would be an error
Desc string
Records []*models.RecordConfig
IgnoredNames []*models.IgnoreName
IgnoredTargets []*models.IgnoreTarget
Unmanaged []*models.UnmanagedConfig
UnmanagedUnsafe bool // DISABLE_IGNORE_SAFETY_CHECK
Changeless bool // set to true if any changes would be an error
}
// ExpectNoChanges indicates that no changes is not an error, it is a requirement.
func (tc *TestCase) ExpectNoChanges() *TestCase {
tc.Changeless = true
return tc
}
// UnsafeIgnore is the equivalent of DISABLE_IGNORE_SAFETY_CHECK
func (tc *TestCase) UnsafeIgnore() *TestCase {
tc.UnmanagedUnsafe = true
return tc
}
func (tg *TestGroup) Diff2Only() *TestGroup {
tg.diff2only = true
return tg
@ -519,20 +529,43 @@ func ds(name string, keyTag uint16, algorithm, digestType uint8, digest string)
return r
}
func ignoreName(name string) *models.RecordConfig {
func ignoreName(labelSpec string) *models.RecordConfig {
r := &models.RecordConfig{
Type: "IGNORE_NAME",
Type: "IGNORE_NAME",
Metadata: map[string]string{},
}
SetLabel(r, name, "**current-domain**")
// diff1
SetLabel(r, labelSpec, "**current-domain**")
// diff2
r.Metadata["ignore_LabelPattern"] = labelSpec
return r
}
func ignoreTarget(name string, typ string) *models.RecordConfig {
func ignoreTarget(targetSpec string, typeSpec string) *models.RecordConfig {
r := &models.RecordConfig{
Type: "IGNORE_TARGET",
Type: "IGNORE_TARGET",
Metadata: map[string]string{},
}
r.SetTarget(typ)
SetLabel(r, name, "**current-domain**")
// diff1
r.SetTarget(typeSpec)
SetLabel(r, targetSpec, "**current-domain**")
// diff2
r.Metadata["ignore_RTypePattern"] = typeSpec
r.Metadata["ignore_TargetPattern"] = typeSpec
return r
}
func ignore(labelSpec string, typeSpec string, targetSpec string) *models.RecordConfig {
r := &models.RecordConfig{
Type: "IGNORE",
Metadata: map[string]string{},
}
if r.Metadata == nil {
r.Metadata = map[string]string{}
}
r.Metadata["ignore_LabelPattern"] = labelSpec
r.Metadata["ignore_RTypePattern"] = typeSpec
r.Metadata["ignore_TargetPattern"] = targetSpec
return r
}
@ -651,6 +684,19 @@ func tc(desc string, recs ...*models.RecordConfig) *TestCase {
var unmanagedItems []*models.UnmanagedConfig
for _, r := range recs {
switch r.Type {
case "IGNORE":
// diff1:
ignoredNames = append(ignoredNames, &models.IgnoreName{
Pattern: r.Metadata["ignore_LabelPattern"],
Types: r.Metadata["ignore_RTypePattern"],
})
// diff2:
unmanagedItems = append(unmanagedItems, &models.UnmanagedConfig{
LabelPattern: r.Metadata["ignore_LabelPattern"],
RTypePattern: r.Metadata["ignore_RTypePattern"],
TargetPattern: r.Metadata["ignore_TargetPattern"],
})
continue
case "IGNORE_NAME":
ignoredNames = append(ignoredNames, &models.IgnoreName{Pattern: r.GetLabel(), Types: r.GetTargetField()})
unmanagedItems = append(unmanagedItems, &models.UnmanagedConfig{
@ -667,7 +713,6 @@ func tc(desc string, recs ...*models.RecordConfig) *TestCase {
RTypePattern: r.GetTargetField(),
TargetPattern: r.GetLabel(),
})
continue
default:
records = append(records, r)
}
@ -1744,8 +1789,53 @@ func makeTests(t *testing.T) []*TestGroup {
// should work for all providers. However we're going to test
// them anyway because one never knows. Ready? Let's go!
// TODO(tlim): Rewrite these to be more like the ByLabel and
// ByResourceSet tests.
testgroup("IGNORE main",
tc("Create some records",
txt("foo", "simple"),
a("foo", "1.2.3.4"),
a("bar", "5.5.5.5"),
),
tc("ignore label=foo",
a("bar", "5.5.5.5"),
ignore("foo", "", ""),
).ExpectNoChanges(),
tc("ignore type=txt",
a("foo", "1.2.3.4"),
a("bar", "5.5.5.5"),
ignore("", "TXT", ""),
).ExpectNoChanges(),
tc("ignore target=1.2.3.4",
txt("foo", "simple"),
a("bar", "5.5.5.5"),
ignore("", "", "1.2.3.4"),
).ExpectNoChanges(),
tc("ignore manytypes",
ignore("", "A,TXT", ""),
).ExpectNoChanges(),
).Diff2Only(),
testgroup("IGNORE apex",
tc("Create some records",
txt("@", "simple"),
a("@", "1.2.3.4"),
).UnsafeIgnore(),
tc("ignore label=apex",
ignore("@", "", ""),
).ExpectNoChanges().UnsafeIgnore(),
tc("ignore type=txt",
a("@", "1.2.3.4"),
ignore("", "TXT", ""),
).ExpectNoChanges().UnsafeIgnore(),
tc("ignore target=1.2.3.4",
txt("@", "simple"),
ignore("", "", "1.2.3.4"),
).ExpectNoChanges().UnsafeIgnore(),
tc("ignore manytypes",
ignore("", "A,TXT", ""),
).ExpectNoChanges().UnsafeIgnore(),
).Diff2Only(),
// Legacy IGNORE_NAME and IGNORE_TARGET tests.
testgroup("IGNORE_NAME function",
tc("Create some records",
@ -1784,19 +1874,19 @@ func makeTests(t *testing.T) []*TestGroup {
a("@", "1.2.3.4"),
txt("bar", "stringbar"),
a("bar", "2.4.6.8"),
),
).UnsafeIgnore(),
tc("ignore apex",
ignoreName("@"),
txt("bar", "stringbar"),
a("bar", "2.4.6.8"),
).ExpectNoChanges(),
).ExpectNoChanges().UnsafeIgnore(),
clear(),
tc("Add a new record - ignoring apex",
ignoreName("@"),
txt("bar", "stringbar"),
a("bar", "2.4.6.8"),
a("added", "4.6.8.9"),
),
).UnsafeIgnore(),
).Diff2Only(),
testgroup("IGNORE_TARGET function CNAME",
@ -1821,19 +1911,19 @@ func makeTests(t *testing.T) []*TestGroup {
cname("foo1", "test.foo.com."),
cname("foo2", "my.test.foo.com."),
cname("bar", "test.example.com."),
),
).UnsafeIgnore(),
tc("ignoring CNAME=test.foo.com.",
ignoreTarget("*.foo.com.", "CNAME"),
cname("foo2", "my.test.foo.com."),
cname("bar", "test.example.com."),
).ExpectNoChanges(),
).ExpectNoChanges().UnsafeIgnore(),
tc("ignoring CNAME=test.foo.com. and add",
ignoreTarget("*.foo.com.", "CNAME"),
cname("foo2", "my.test.foo.com."),
cname("bar", "test.example.com."),
a("adding", "1.2.3.4"),
cname("another", "www.example.com."),
),
).UnsafeIgnore(),
),
testgroup("IGNORE_TARGET function CNAME**",
@ -1841,17 +1931,17 @@ func makeTests(t *testing.T) []*TestGroup {
cname("foo1", "test.foo.com."),
cname("foo2", "my.test.foo.com."),
cname("bar", "test.example.com."),
),
).UnsafeIgnore(),
tc("ignoring CNAME=test.foo.com.",
ignoreTarget("**.foo.com.", "CNAME"),
cname("bar", "test.example.com."),
).ExpectNoChanges(),
).ExpectNoChanges().UnsafeIgnore(),
tc("ignoring CNAME=test.foo.com. and add",
ignoreTarget("**.foo.com.", "CNAME"),
cname("bar", "test.example.com."),
a("adding", "1.2.3.4"),
cname("another", "www.example.com."),
),
).UnsafeIgnore(),
),
// https://github.com/StackExchange/dnscontrol/issues/2285

4
models/domain.go
View File

@ -32,8 +32,8 @@ type DomainConfig struct {
IgnoredNames []*IgnoreName `json:"ignored_names,omitempty"`
IgnoredTargets []*IgnoreTarget `json:"ignored_targets,omitempty"`
Unmanaged []*UnmanagedConfig `json:"unmanaged,omitempty"` // UNMANAGED()
UnmanagedUnsafe bool `json:"unmanaged_disable_safety_check,omitempty"` // DISABLE_UNMANAGED_SAFETY_CHECK
Unmanaged []*UnmanagedConfig `json:"unmanaged,omitempty"` // IGNORE()
UnmanagedUnsafe bool `json:"unmanaged_disable_safety_check,omitempty"` // DISABLE_IGNORE_SAFETY_CHECK
AutoDNSSEC string `json:"auto_dnssec,omitempty"` // "", "on", "off"
//DNSSEC bool `json:"dnssec,omitempty"`

34
models/unmanaged.go
View File

@ -1,10 +1,19 @@
package models
import (
"bytes"
"fmt"
"github.com/gobwas/glob"
)
// UnmanagedConfig describes an UNMANAGED() rule.
// UnmanagedConfig describes an IGNORE() rule.
// NB(tlim): This is called "Unmanaged" because the original design
// was to call this function UNMANAGED(). However we then realized
// that we could repurpose IGNORE() without any compatibility issues.
// NB(tlim): TechDebt: UnmanagedConfig and DebugUnmanagedConfig should
// be moved to pkg/diff2/handsoff.go and the following fields could be
// unexported: LabelGlob, RTypeMap, and TargetGlob
type UnmanagedConfig struct {
// Glob pattern for matching labels.
LabelPattern string `json:"label_pattern,omitempty"`
@ -18,3 +27,26 @@ type UnmanagedConfig struct {
TargetPattern string `json:"target_pattern,omitempty"`
TargetGlob glob.Glob `json:"-"` // Compiled version
}
// DebugUnmanagedConfig returns a string version of an []*UnmanagedConfig for debugging purposes.
func DebugUnmanagedConfig(uc []*UnmanagedConfig) string {
if len(uc) == 0 {
return "UnmanagedConfig{}"
}
var buf bytes.Buffer
b := &buf
fmt.Fprint(b, "UnmanagedConfig{\n")
for i, c := range uc {
fmt.Fprintf(b, "%00d: (%v, %+v, %v)\n",
i,
c.LabelGlob,
c.RTypeMap,
c.TargetGlob,
)
}
fmt.Fprint(b, "}")
return b.String()
}

2
pkg/diff2/diff2.go
View File

@ -201,7 +201,7 @@ func ByZone(existing models.Records, dc *models.DomainConfig, compFunc Comparabl
// byHelper does 90% of the work for the By*() calls.
func byHelper(fn func(cc *CompareConfig) ChangeList, existing models.Records, dc *models.DomainConfig, compFunc ComparableFunc) (ChangeList, error) {
// Process NO_PURGE/ENSURE_ABSENT and UNMANAGED/IGNORE_*.
// Process NO_PURGE/ENSURE_ABSENT and IGNORE*().
desired, msgs, err := handsoff(
dc.Name,
existing, dc.Records, dc.EnsureAbsent,

37
pkg/diff2/handsoff.go
View File

@ -2,7 +2,7 @@ package diff2
// This file implements the features that tell DNSControl "hands off"
// foreign-controlled (or shared-control) DNS records. i.e. the
// NO_PURGE, ENSURE_ABSENT, IGNORE_*, and UNMANAGED features.
// NO_PURGE, ENSURE_ABSENT and IGNORE*() features.
import (
"fmt"
@ -15,7 +15,7 @@ import (
/*
# How do NO_PURGE, IGNORE_*, ENSURE_ABSENT and friends work?
# How do NO_PURGE, IGNORE*() and ENSURE_ABSENT work?
## Terminology:
@ -33,19 +33,19 @@ and 1 way to make exceptions.
* Existing records (matched on label:rtype) will be modified.
* FYI: This means you can't have a label with two A records, one controlled
by DNSControl and one controlled by an external system.
* UNMANAGED(labelglob, typelist, targetglob):
* IGNORE(labelglob, typelist, targetglob):
* "If an existing record matches this pattern, don't touch it!""
* IGNORE_NAME(foo, bar) is the same as UNMANAGED(foo, bar, "*")
* IGNORE_TARGET(foo) is the same as UNMANAGED("*", "*", foo)
* IGNORE_NAME(foo, bar) is the same as IGNORE(foo, bar, "*")
* IGNORE_TARGET(foo) is the same as IGNORE("*", "*", foo)
* FYI: You CAN have a label with two A records, one controlled by
DNSControl and one controlled by an external system. DNSControl would
need to have an UNMANAGED() statement with a targetglob that matches
need to have an IGNORE() statement with a targetglob that matches
the external system's target values.
* ENSURE_ABSENT: Override NO_PURGE for specific records. i.e. delete them even
though NO_PURGE is enabled.
* If any of these records are in desired (matched on
label:rtype:target), remove them. This takes priority over
NO_PURGE/UNMANAGED/IGNORE*.
NO_PURGE/IGNORE*().
## Implementation premise
@ -66,12 +66,12 @@ RecordSet at once, you shouldn't NOT update the record.
Here is how we intend to implement these features:
UNMANAGED is implemented as:
* Take the list of existing records. If any match one of the UNMANAGED glob
IGNORE() is implemented as:
* Take the list of existing records. If any match one of the IGNORE glob
patterns, add it to the "ignored list".
* If any item on the "ignored list" is also in "desired" (match on
label:rtype), output a warning (defeault) or declare an error (if
DISABLE_UNMANAGED_SAFETY_CHECK is true).
DISABLE_IGNORE_SAFETY_CHECK is true).
* When we're done, add the "ignore list" records to desired.
NO_PURGE + ENSURE_ABSENT is implemented as:
@ -84,7 +84,7 @@ The actual implementation combines this all into one loop:
foreach rec in existing:
if rec matches_any_unmanaged_pattern:
if rec in desired:
if "DISABLE_UNMANAGED_SAFETY_CHECK" is false:
if "DISABLE_IGNORE_SAFETY_CHECK" is false:
Display a warning.
else
Return an error.
@ -100,7 +100,7 @@ The actual implementation combines this all into one loop:
const maxReport = 5
// handsoff processes the IGNORE_*/UNMANAGED/NO_PURGE/ENSURE_ABSENT features.
// handsoff processes the IGNORE*()//NO_PURGE/ENSURE_ABSENT features.
func handsoff(
domain string,
existing, desired, absences models.Records,
@ -116,7 +116,7 @@ func handsoff(
return nil, nil, err
}
// Process UNMANAGE/IGNORE_* and NO_PURGE features:
// Process IGNORE*() and NO_PURGE features:
ignorable, foreign := processIgnoreAndNoPurge(domain, existing, desired, absences, unmanagedConfigs, noPurge)
if len(foreign) != 0 {
msgs = append(msgs, fmt.Sprintf("%d records not being deleted because of NO_PURGE:", len(foreign)))
@ -134,9 +134,9 @@ func handsoff(
for _, r := range conflicts {
msgs = append(msgs, fmt.Sprintf(" %s %s %s", r.GetLabelFQDN(), r.Type, r.GetTargetCombined()))
}
if unmanagedSafely {
if !unmanagedSafely {
return nil, nil, fmt.Errorf(strings.Join(msgs, "\n") +
"ERROR: Unsafe to continue. Add DISABLE_UNMANAGED_SAFETY_CHECK to D() to override")
"\nERROR: Unsafe to continue. Add DISABLE_IGNORE_SAFETY_CHECK to D() to override")
}
}
@ -166,14 +166,16 @@ func reportSkips(recs models.Records, full bool) []string {
return msgs
}
// processIgnoreAndNoPurge processes the IGNORE_*()/UNMANAGED() and NO_PURGE/ENSURE_ABSENT_REC() features.
// processIgnoreAndNoPurge processes the IGNORE_*() and NO_PURGE/ENSURE_ABSENT() features.
func processIgnoreAndNoPurge(domain string, existing, desired, absences models.Records, unmanagedConfigs []*models.UnmanagedConfig, noPurge bool) (models.Records, models.Records) {
var ignorable, foreign models.Records
desiredDB := models.NewRecordDBFromRecords(desired, domain)
absentDB := models.NewRecordDBFromRecords(absences, domain)
compileUnmanagedConfigs(unmanagedConfigs)
for _, rec := range existing {
if matchAny(unmanagedConfigs, rec) {
isMatch := matchAny(unmanagedConfigs, rec)
//fmt.Printf("DEBUG: matchAny returned: %v\n", isMatch)
if isMatch {
ignorable = append(ignorable, rec)
} else {
if noPurge {
@ -240,6 +242,7 @@ func compileUnmanagedConfigs(configs []*models.UnmanagedConfig) error {
// matchAny returns true if rec matches any of the uconfigs.
func matchAny(uconfigs []*models.UnmanagedConfig, rec *models.RecordConfig) bool {
//fmt.Printf("DEBUG: matchAny(%s, %q, %q, %q)\n", models.DebugUnmanagedConfig(uconfigs), rec.NameFQDN, rec.Type, rec.GetTargetField())
for _, uc := range uconfigs {
if matchLabel(uc.LabelGlob, rec.GetLabel()) &&
matchType(uc.RTypeMap, rec.Type) &&

86
pkg/js/helpers.js
View File

@ -809,10 +809,56 @@ function format_tt(transform_table) {
return lines.join(' ; ');
}
// IGNORE(name)
function IGNORE(name) {
// deprecated, use IGNORE_NAME
return IGNORE_NAME(name);
//function UNMANAGED(label_pattern, rType_pattern, target_pattern) {
// return function (d) {
// d.unmanaged.push({
// label_pattern: label_pattern,
// rType_pattern: rType_pattern,
// target_pattern: target_pattern,
// });
// };
//}
function DISABLE_IGNORE_SAFETY_CHECK(d) {
// This disables a safety check intended to prevent DNSControl and
// another system getting into a battle as they both try to update
// the same record over and over, back and forth. However, people
// kept asking for it so... caveat emptor!
// It only affects the current domain.
d.unmanaged_disable_safety_check = true;
}
var IGNORE_NAME_DISABLE_SAFETY_CHECK = {
ignore_name_disable_safety_check: 'true',
// (NOTE: diff1 only.)
// This disables a safety check intended to prevent:
// 1. Two owners toggling a record between two settings.
// 2. The other owner wiping all records at this label, which won't
// be noticed until the next time dnscontrol is run.
// See https://github.com/StackExchange/dnscontrol/issues/1106
};
// IGNORE(labelPattern, rtypePattern, targetPattern)
function IGNORE(labelPattern, rtypePattern, targetPattern) {
if (labelPattern === undefined) {
labelPattern = '*';
}
if (rtypePattern === undefined) {
rtypePattern = '*';
}
if (targetPattern === undefined) {
targetPattern = '*';
}
return function (d) {
// diff1
d.ignored_names.push({ pattern: labelPattern, types: rtypePattern });
// diff2
d.unmanaged.push({
label_pattern: labelPattern,
rType_pattern: rtypePattern,
target_pattern: targetPattern,
});
};
}
// IGNORE_NAME(name, rTypes)
@ -821,7 +867,9 @@ function IGNORE_NAME(name, rTypes) {
rTypes = '*';
}
return function (d) {
// diff1
d.ignored_names.push({ pattern: name, types: rTypes });
// diff2
d.unmanaged.push({
label_pattern: name,
rType_pattern: rTypes,
@ -829,18 +877,11 @@ function IGNORE_NAME(name, rTypes) {
};
}
var IGNORE_NAME_DISABLE_SAFETY_CHECK = {
ignore_name_disable_safety_check: 'true',
// This disables a safety check intended to prevent:
// 1. Two owners toggling a record between two settings.
// 2. The other owner wiping all records at this label, which won't
// be noticed until the next time dnscontrol is run.
// See https://github.com/StackExchange/dnscontrol/issues/1106
};
function IGNORE_TARGET(target, rType) {
return function (d) {
// diff1
d.ignored_targets.push({ pattern: target, type: rType });
// diff2
d.unmanaged.push({
rType_pattern: rType,
target_pattern: target,
@ -902,25 +943,6 @@ function AUTODNSSEC(d) {
);
}
function UNMANAGED(label_pattern, rType_pattern, target_pattern) {
return function (d) {
d.unmanaged.push({
label_pattern: label_pattern,
rType_pattern: rType_pattern,
target_pattern: target_pattern,
});
};
}
function DISABLE_UNMANAGED_SAFETY_CHECK(d) {
// This disables a safety check intended to prevent DNSControl and
// another system getting into a battle as they both try to update
// the same record over and over, back and forth. However, people
// kept asking for it so... caveat emptor!
// It only affects the current domain.
d.unmanaged_disable_safety_check = true;
}
/**
* @deprecated
*/

13
pkg/js/parse_tests/005-ignored-records.js
View File

@ -8,3 +8,16 @@ D("foo.com", "none"
, IGNORE_NAME("@")
, IGNORE_TARGET("@", "CNAME")
);
D("diff2.com", "none"
, IGNORE("mylabel")
, IGNORE("mylabel2", "")
, IGNORE("mylabel3", "", "")
, IGNORE("", "A")
, IGNORE("", "A,AAAA")
, IGNORE("", "", "mytarget")
, IGNORE("labelc", "CNAME", "targetc")
// Compatibility mode:
, IGNORE_NAME("nametest")
, IGNORE_TARGET("targettest1")
, IGNORE_TARGET("targettest2", "A")
);

96
pkg/js/parse_tests/005-ignored-records.json
View File

@ -66,7 +66,8 @@
},
{
"label_pattern": "legacyignore",
"rType_pattern": "*"
"rType_pattern": "*",
"target_pattern": "*"
},
{
"label_pattern": "@",
@ -77,6 +78,97 @@
"target_pattern": "@"
}
]
},
{
"name": "diff2.com",
"registrar": "none",
"dnsProviders": {},
"records": [],
"ignored_names": [
{
"pattern": "mylabel",
"types": "*"
},
{
"pattern": "mylabel2",
"types": ""
},
{
"pattern": "mylabel3",
"types": ""
},
{
"pattern": "",
"types": "A"
},
{
"pattern": "",
"types": "A,AAAA"
},
{
"pattern": "",
"types": ""
},
{
"pattern": "labelc",
"types": "CNAME"
},
{
"pattern": "nametest",
"types": "*"
}
],
"ignored_targets": [
{
"pattern": "targettest1",
"type": ""
},
{
"pattern": "targettest2",
"type": "A"
}
],
"unmanaged": [
{
"label_pattern": "mylabel",
"rType_pattern": "*",
"target_pattern": "*"
},
{
"label_pattern": "mylabel2",
"target_pattern": "*"
},
{
"label_pattern": "mylabel3"
},
{
"rType_pattern": "A",
"target_pattern": "*"
},
{
"rType_pattern": "A,AAAA",
"target_pattern": "*"
},
{
"target_pattern": "mytarget"
},
{
"label_pattern": "labelc",
"rType_pattern": "CNAME",
"target_pattern": "targetc"
},
{
"label_pattern": "nametest",
"rType_pattern": "*"
},
{
"target_pattern": "targettest1"
},
{
"rType_pattern": "A",
"target_pattern": "targettest2"
}
]
}
]
}
}

5
pkg/js/parse_tests/023-ignored-glob-records.json
View File

@ -16,9 +16,10 @@
"unmanaged": [
{
"label_pattern": "\\*.testignore",
"rType_pattern": "*"
"rType_pattern": "*",
"target_pattern": "*"
}
]
}
]
}
}

9
pkg/js/parse_tests/042-unmanaged.js
View File

@ -1,9 +0,0 @@
D("foo.com", "none"
, UNMANAGED("", "", "targetGlob1")
, UNMANAGED("", "CNAME", "")
, UNMANAGED("", "A", "targetGlob3")
, UNMANAGED("lab4")
, UNMANAGED("notype", "", "targetGlob5")
, UNMANAGED("lab6", "A, CNAME")
, UNMANAGED("lab7", "TXT", "targetGlob7")
);

40
pkg/js/parse_tests/042-unmanaged.json
View File

@ -1,40 +0,0 @@
{
"dns_providers": [],
"domains": [
{
"dnsProviders": {},
"name": "foo.com",
"records": [],
"registrar": "none",
"unmanaged": [
{
"target_pattern": "targetGlob1"
},
{
"rType_pattern": "CNAME"
},
{
"rType_pattern": "A",
"target_pattern": "targetGlob3"
},
{
"label_pattern": "lab4"
},
{
"label_pattern": "notype",
"target_pattern": "targetGlob5"
},
{
"label_pattern": "lab6",
"rType_pattern": "A, CNAME"
},
{
"label_pattern": "lab7",
"rType_pattern": "TXT",
"target_pattern": "targetGlob7"
}
]
}
],
"registrars": []
}

2
pkg/js/parse_tests/043-safety.js
View File

@ -1,5 +1,5 @@
D("unsafe.com", "none"
, DISABLE_UNMANAGED_SAFETY_CHECK
, DISABLE_IGNORE_SAFETY_CHECK
);
D("safe.com", "none"
);

9
pkg/normalize/validate.go
View File

@ -7,6 +7,7 @@ import (
"strings"
"github.com/StackExchange/dnscontrol/v4/models"
"github.com/StackExchange/dnscontrol/v4/pkg/diff2"
"github.com/StackExchange/dnscontrol/v4/pkg/transform"
"github.com/StackExchange/dnscontrol/v4/providers"
"github.com/miekg/dns"
@ -427,6 +428,14 @@ func ValidateAndNormalizeConfig(config *models.DNSConfig) (errs []error) {
// Populate FQDN:
rec.SetLabel(rec.GetLabel(), domain.Name)
// Warn if a diff1-only feature is used in diff2 mode.
if diff2.EnableDiff2 {
if _, ok := rec.Metadata["ignore_name_disable_safety_check"]; ok {
errs = append(errs, fmt.Errorf("IGNORE_NAME_DISABLE_SAFETY_CHECK no longer supported. Please use DISABLE_IGNORE_SAFETY_CHECK for the entire domain"))
}
}
}
}