sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix(public_dns): drop null-MX (Gandi rejects '0 .'); remove MX instead

Browse source 
Gandi LiveDNS rejects the RFC-7505 null-MX value '0 .' ('invalid format for MX
record'), which failed the live apply. No MX + no apex A = no mail delivery, and
SPF -all + DMARC reject still prevent spoofing — so remove Gandi's seeded MX (add
@/MX to absent) rather than declare a null-MX present. Assert now requires an SPF
@/TXT record; tests + Molecule sample updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
sjat 2026-06-14 10:53:54 +02:00
parent 3cb6436ad2
commit 078d1ad9d9
4 changed files with 12 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
inventories/production/group_vars/all/public_dns.yml
View file

@ -4,9 +4,10 @@
# vault.gandi.pat. See docs/decisions/007-network.md and the M1 spec. # vault.gandi.pat. See docs/decisions/007-network.md and the M1 spec.
public_dns__domain: wingu.me public_dns__domain: wingu.me
# Present — anti-spoof baseline for a no-mail domain (overwrites Gandi's seeded mail set). # Present — anti-spoof baseline for a no-mail domain. No null-MX: Gandi LiveDNS rejects
# the RFC-7505 "0 ." form, so the MX is simply REMOVED (below) — no MX + no apex A means
# no mail delivery, and SPF -all + DMARC reject prevent spoofing.
public_dns__records: public_dns__records:
- {record: "@", type: MX, values: ["0 ."], ttl: 3600}
- {record: "@", type: TXT, values: ['"v=spf1 -all"'], ttl: 3600} - {record: "@", type: TXT, values: ['"v=spf1 -all"'], ttl: 3600}
- {record: _dmarc, type: TXT, values: ['"v=DMARC1; p=reject;"'], ttl: 3600} - {record: _dmarc, type: TXT, values: ['"v=DMARC1; p=reject;"'], ttl: 3600}
# Service records appear as public-tier needs arise (askari A in M4). # Service records appear as public-tier needs arise (askari A in M4).
@ -15,6 +16,7 @@ public_dns__records:
# Absent — Gandi's auto-seeded defaults we don't want (purged once, idempotent thereafter). # Absent — Gandi's auto-seeded defaults we don't want (purged once, idempotent thereafter).
public_dns__absent: public_dns__absent:
- {record: "@", type: A} # Gandi parking IP - {record: "@", type: A} # Gandi parking IP
- {record: "@", type: MX} # Gandi mail MX (no mail on wingu.me; null-MX unsupported)
- {record: www, type: CNAME} # Gandi web-redirect - {record: www, type: CNAME} # Gandi web-redirect
- {record: webmail, type: CNAME} # Gandi webmail - {record: webmail, type: CNAME} # Gandi webmail
- {record: gm1._domainkey, type: CNAME} # Gandi DKIM - {record: gm1._domainkey, type: CNAME} # Gandi DKIM

2
roles/public_dns/molecule/default/converge.yml
View file

@ -6,9 +6,9 @@
public_dns__apply: false # never call the Gandi API from a container public_dns__apply: false # never call the Gandi API from a container
public_dns__domain: example.test public_dns__domain: example.test
public_dns__records: public_dns__records:
- {record: "@", type: MX, values: ["0 ."], ttl: 3600}
- {record: "@", type: TXT, values: ['"v=spf1 -all"'], ttl: 3600} - {record: "@", type: TXT, values: ['"v=spf1 -all"'], ttl: 3600}
public_dns__absent: public_dns__absent:
- {record: www, type: CNAME} - {record: www, type: CNAME}
- {record: "@", type: MX}
roles: roles:
- role: public_dns - role: public_dns

5
roles/public_dns/tasks/main.yml
View file

@ -3,9 +3,10 @@
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- public_dns__domain | length > 0 - public_dns__domain | length > 0
- public_dns__records | selectattr('type', 'equalto', 'MX') | list | length > 0 - public_dns__records | selectattr('record', 'equalto', '@')
| selectattr('type', 'equalto', 'TXT') | list | length > 0
fail_msg: >- fail_msg: >-
public_dns__domain must be set and a null-MX anti-spoof record declared in public_dns__domain must be set and an SPF record (@/TXT) declared in
public_dns__records (group_vars/all/public_dns.yml). public_dns__records (group_vars/all/public_dns.yml).
run_once: true run_once: true

6
tests/test_public_dns.py
View file

@ -8,8 +8,10 @@ _DATA = (
) )
# Gandi auto-seeds these on a fresh .me zone; boma purges them (verified 2026-06-14). # Gandi auto-seeds these on a fresh .me zone; boma purges them (verified 2026-06-14).
# Includes the @ MX: Gandi rejects the RFC-7505 null-MX "0 .", so we remove the MX
# entirely (no MX + no apex A = no mail) rather than declare a null-MX present.
GANDI_DEFAULTS_ABSENT = { GANDI_DEFAULTS_ABSENT = {
("@", "A"), ("www", "CNAME"), ("webmail", "CNAME"), ("@", "A"), ("@", "MX"), ("www", "CNAME"), ("webmail", "CNAME"),
("gm1._domainkey", "CNAME"), ("gm2._domainkey", "CNAME"), ("gm3._domainkey", "CNAME"), ("gm1._domainkey", "CNAME"), ("gm2._domainkey", "CNAME"), ("gm3._domainkey", "CNAME"),
("_imap._tcp", "SRV"), ("_imaps._tcp", "SRV"), ("_pop3._tcp", "SRV"), ("_imap._tcp", "SRV"), ("_imaps._tcp", "SRV"), ("_pop3._tcp", "SRV"),
("_pop3s._tcp", "SRV"), ("_submission._tcp", "SRV"), ("_pop3s._tcp", "SRV"), ("_submission._tcp", "SRV"),
@ -32,9 +34,9 @@ def test_present_records_well_formed():
def test_anti_spoof_baseline_present(): def test_anti_spoof_baseline_present():
recs = {(r["record"], r["type"]): r["values"] for r in _load()["public_dns__records"]} recs = {(r["record"], r["type"]): r["values"] for r in _load()["public_dns__records"]}
assert recs[("@", "MX")] == ["0 ."] # null MX
assert recs[("@", "TXT")] == ['"v=spf1 -all"'] # SPF deny-all assert recs[("@", "TXT")] == ['"v=spf1 -all"'] # SPF deny-all
assert recs[("_dmarc", "TXT")] == ['"v=DMARC1; p=reject;"'] assert recs[("_dmarc", "TXT")] == ['"v=DMARC1; p=reject;"']
assert ("@", "MX") not in recs # no MX (Gandi rejects null-MX; removed instead)
def test_gandi_defaults_marked_absent(): def test_gandi_defaults_marked_absent():