fix(api): disallow tinkering with OPT RRset

OPT is a reserved record type with special meaning and is not supposed
to exist in a zone. Currently, if an OPT RRset is created, the zone may
break.

Until PowerDNS ensures that RRsets of type OPT cannot created, let's
make sure on this level.

PowerDNS issue: https://github.com/PowerDNS/pdns/issues/6441

api/desecapi/models.py

@@ -406,7 +406,7 @@ class RRset(models.Model, mixins.SetterMixin):
     ttl = models.PositiveIntegerField(validators=[MinValueValidator(1)])
 
     _dirty = False
-    RESTRICTED_TYPES = ('SOA', 'RRSIG', 'DNSKEY', 'NSEC3PARAM')
+    RESTRICTED_TYPES = ('SOA', 'RRSIG', 'DNSKEY', 'NSEC3PARAM', 'OPT')
 
 
     class Meta:

test/e2e/spec/api_spec.js

@@ -244,6 +244,8 @@ describe("API", function () {
                                 {'ttl': 40, 'type': 'TXT', 'records': ['"bar"']},
                                 {'subname': 'c.1', 'records': ['dead::beef'], 'type': 'AAAA'},
                                 {'subname': 'd.1', 'ttl': 50, 'type': 'AAAA'},
+                                {'subname': 'd.1', 'ttl': 50, 'type': 'SOA', 'records': ['ns1.desec.io. peter.desec.io. 2018034419 10800 3600 604800 60']},
+                                {'subname': 'd.1', 'ttl': 50, 'type': 'OPT', 'records': ['9999']},
                             ]
                         );
                         expect(response).to.have.status(400);
@@ -253,6 +255,8 @@ describe("API", function () {
                             {},
                             { ttl: [ 'This field is required.' ] },
                             { records: [ 'This field is required.' ] },
+                            { type: [ 'You cannot tinker with the SOA RRset.' ] },
+                            { type: [ 'You cannot tinker with the OPT RRset.' ] },
                         ]);
 
                         return chakram.wait();