* Add multiple string support to SPF optimizer
Notes:
* This implements [RFC 4408][rfc] for the SPF optimizer. Allowing for
more SPF records to fit within the 10 lookups by using multiple strings.
* By default the max size of the TXT remains at 255. Meaning users will
still only get a single 255 length string unless they modify `txtMaxSize`
and opt into this feature.
* The general recommendation when using multiple strings for TXT records
is to keep the size within a single UDP packet. It seems like the
maximum size for this depends on a bunch of factors that are sometimes
outside of your control. A similar tool has a [formula for estimating the
maximum allowed size][formula]. However I felt giving a user
configurable size would fit with the current configuration style that
dnscontrol has. Similar to how dnscontrol recommends only flattening a
record if absolutely needed, I can see this length being increased by
only enough to get you within 10 lookups.
[rfc]: https://tools.ietf.org/html/rfc4408#section-3.1.3
[formula]: https://github.com/oasys/mkspf/blob/master/Overhead.md
* Add a nice comment for the Chunks function
Open to other configuration opens for how best to make this optional. Or
potentially making this an opt in configuration item which would be a
breaking change.
The main reason that someone would want to disable this is if their raw
SPF record goes over the 255 characters. This is potentially another
place that could get some multi string support. But as it is only used
for debugging purposes it seems like there should be a way to outright
disable it too.
This functionality is required by the GCLOUD provider, which supports
recordsets of type DS but only for child records of the zone, to enable
further delegation. It does not support them at the apex of the zone (@)
because Google Cloud DNS is not itself a registrar which needs to model
this information.
A related change (14ff68b151b5db1f24bcdaccb30b6fa95897940a, #760) was
previously introduced to enable DS support in Google, which broke
integration tests with this provider.
To cleanly support this, we introduce a new provider capability
CanUseDSForChildren and appropriate integration tests. Further, it is no
longer possible to verify a provider has the proper capabilities for a
zone simply by existence of particular records; we adapt the capability
checks to enable inspection of the individual recordsets where this is
required.
Closes #762
* get-certs.md: correct flag names
* Update get-certs.md
added all flags per current `--help` output; rearranged ordering to match `--help`; removed the deprecated `--verbose`
Thanks to @haraldkoch for starting this, @McNetic for picking it up.
* Added DS record type
* Added DS for cloudflare provider with tests
* Removed DS validation, fixed parse test
* Added generated files
* Added dnsimple ds record
* Regenerated documentation matrix
* rebased and regenerated
* Updated integration tests
* Rebase and regenerate
* Enable DS record type for provider desec
* Added DS record type
* Added DS for cloudflare provider with tests
* Removed DS validation, fixed parse test
* Added generated files
* Added dnsimple ds record
* Regenerated documentation matrix
* rebased and regenerated
* Updated integration tests
* Rebase and regenerate
* Enable DS record type for provider desec
* Rebase and fixes
Co-authored-by: Robert Koch <robert@kochie.io>
Co-authored-by: Nicolai Ehemann <nicolai.ehemann@enerko-informatik.de>
