fix(api): disallow CNAME RRset with several records (RFC 1034, 3.6.2)

api/desecapi/models.py

@@ -518,6 +518,9 @@ class RRset(ExportModelOperationsMixin('RRset'), models.Model):
         rdtype = rdatatype.from_text(self.type)
         errors = []
 
+        if self.type == 'CNAME' and len(records_presentation_format) > 1:
+            errors.append('RRset of type CNAME cannot have multiple records.')
+
         def _error_msg(record, detail):
             return f'Record content of {self.type} {self.name} invalid: \'{record}\': {detail}'
 

api/desecapi/tests/test_rrsets.py

@@ -282,11 +282,15 @@ class AuthenticatedRRSetTestCase(AuthenticatedRRSetBaseTestCase):
         self.assertStatus(response, status.HTTP_200_OK)
         self.assertRRSetsCount(response.data, [data], count=0)
 
-
     def test_create_my_rr_sets_empty_payload(self):
         response = self.client.post_rr_set(self.my_empty_domain.name)
         self.assertContains(response, 'No data provided', status_code=status.HTTP_400_BAD_REQUEST)
 
+    def test_create_my_rr_sets_cname_two_records(self):
+        data = {'subname': 'sub', 'records': ['example.com.', 'example.org.'], 'ttl': 3600, 'type': 'CNAME'}
+        response = self.client.post_rr_set(self.my_domain.name, **data)
+        self.assertStatus(response, status.HTTP_400_BAD_REQUEST)
+
     def test_create_my_rr_sets_canonical_content(self):
         # TODO fill in more examples
         datas = [