fix(docs,tests): improve CNAME-related docs and tests, closes #462

Peter Thomassen 4 years ago
parent
commit
d136094f37
3 changed files with 18 additions and 23 deletions
  1. api/desecapi/models.py (+1 -1)
  2. api/desecapi/tests/test_rrsets.py (+7 -0)
  3. docs/dns/rrsets.rst (+10 -22)

+ 1 - 1
api/desecapi/models.py

@@ -572,7 +572,7 @@ class RRset(ExportModelOperationsMixin('RRset'), models.Model):
             if self.subname == '':
                 errors.append('CNAME RRset cannot have empty subname.')
             if len(records_presentation_format) > 1:
-                errors.append('RRset of type CNAME cannot have multiple records.')
+                errors.append('CNAME RRset cannot have multiple records.')
 
         def _error_msg(record, detail):
             return f'Record content of {self.type} {self.name} invalid: \'{record}\': {detail}'
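
Review bot: The string changed on the `len(records_presentation_format) > 1` branch is returned to API clients in the 400 response, so anything that matches on the old text 'RRset of type CNAME cannot have multiple records.' will stop matching after this commit. The new wording is consistent with 'CNAME RRset cannot have empty subname.' two lines above, which is good; consider mentioning the changed message in the release notes so client authors who parse error text can adjust.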

+ 7 - 0
api/desecapi/tests/test_rrsets.py

@@ -188,6 +188,13 @@ class AuthenticatedRRSetTestCase(AuthenticatedRRSetBaseTestCase):
         response = self.client.post_rr_set(self.my_empty_domain.name, **data)
         self.assertContains(response, 'CNAME RRset cannot have empty subname', status_code=status.HTTP_400_BAD_REQUEST)
 
+    def test_create_my_rr_sets_cname_multple_records(self):
+        for records in (['foobar.com.', 'foobar.com.'], ['foobar.com.', 'foobar.org.']):
+            data = {'subname': 'asdf', 'ttl': 3600, 'type': 'CNAME', 'records': records}
+            response = self.client.post_rr_set(self.my_empty_domain.name, **data)
+            self.assertContains(response, 'CNAME RRset cannot have multiple records',
+                                status_code=status.HTTP_400_BAD_REQUEST)
+
     def test_create_my_rr_sets_cname_exclusivity(self):
         self.create_rr_set(self.my_domain, ['1.2.3.4'], type='A', ttl=3600, subname='a')
         self.create_rr_set(self.my_domain, ['example.com.'], type='CNAME', ttl=3600, subname='cname')
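
Review bot: The new test name `test_create_my_rr_sets_cname_multple_records` has a typo ("multple" should be "multiple"), which makes it harder to find by name. The loop over the two `records` lists also runs without `self.subTest(records=records)`, so a failure will not say which case broke; wrapping the loop body in a subtest would fix that. Note that the first case, `['foobar.com.', 'foobar.com.']`, pins down that two identical targets are reported as 'multiple records'; if duplicate detection is ever added ahead of this check, that case will need its expected message revisited.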

+ 10 - 22
docs/dns/rrsets.rst

@@ -543,8 +543,7 @@ Restricted Types
     These record types are used very rarely in the wild.  Due to conflicts with
     the security guarantees we would like to give, these record types are
     disabled in our API.  If you attempt to create such RRsets, you will receive
-    a ``400 Bad Request`` response.  In case you have a good reason for using
-    these record types, shoot us an email and we can discuss your case.
+    a ``400 Bad Request`` response.
 
 ``DNSKEY``, ``NSEC3PARAM``, ``RRSIG``
     These record types are meant to provide DNSSEC-related information in
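
Review bot: With the contact sentence dropped, the paragraph now ends at the ``400 Bad Request`` response and leaves "disabled in our API" as the only statement of status. If the restriction is meant to be final, say so directly (for example, that these types are not supported), so readers do not go looking for a way to have them enabled.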
@@ -586,28 +585,17 @@ Record types with priority field
     ``10 mx.example.com.``).
 
 ``CNAME`` record
-    - The record value must be terminated by a dot ``.`` (as in
+    - The record value (target) must be terminated by a dot ``.`` (as in
       ``example.com.``).
 
-    - If you create a ``CNAME`` record, its presence will cause other RRsets of
-      the same name to be hidden ("occluded") from the public (i.e. in
-      responses to DNS queries).  This is per RFC 1912.
-
-      However, as far as the API is concerned, you can still retrieve and
-      manipulate those additional RRsets.  In other words, ``CNAME``-induced
-      hiding of additional RRsets does not apply when looking at the zone
-      through the API.
-
-    - It is currently possible to create a ``CNAME`` RRset with several
-      records.  However, this is not legal, and the response to queries for
-      such RRsets is undefined.  In short, don't do it.
-
-    - Similarly, you are discouraged from creating a ``CNAME`` RRset for the
-      zone apex (main domain name, empty ``subname``).  Doing so will most
-      likely break your domain (for example, any ``NS`` records that are
-      present will disappear from DNS responses), and other undefined behavior
-      may occur.  In short, don't do it.  If you are interested in aliasing
-      the zone apex, consider using an ``ALIAS`` RRset.
+    - RRsets cannot have multiple values.  This is a limitation of the DNS
+      specification.
+
+    - A ``CNAME`` record is not allowed when other records exist at the same
+      subname.  In particular, this means that a CNAME is not allowed at the
+      zone apex (empty subname), as it will always collide with the NS record
+      (and the internally managed SOA record).  This is a limitation of
+      the DNS specification.
 
 ``MX`` record
     The ``MX`` record value consists of the priority value and a mail server
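
Review bot: The added bullet "RRsets cannot have multiple values" reads as a statement about all RRsets, which is not what is meant; under the ``CNAME`` heading it should say "``CNAME`` RRsets cannot have multiple values" (or "multiple records", matching the API error text 'CNAME RRset cannot have multiple records'). The removed text also pointed readers who want to alias the zone apex to an ``ALIAS`` RRset; the new apex bullet explains why ``CNAME`` is rejected there but no longer names an alternative, so consider keeping that pointer if it still applies.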