octodns.record.tlsa

Classes

TlsaRecord(zone, name, data[, source, context])

TlsaValue(value)

TlsaValueBestPracticeValidator(id[, sets])

Checks that TLSA records do not use matching_type 0 (full DER-encoded certificate or public key stored verbatim).

TlsaValueRfcValidator(id[, sets])

Strict TLSA rdata validator per RFC 6698.

TlsaValueValidator(id[, sets])

Validates TLSA rdata: certificate_usage in [0, 3], selector in [0, 1], matching_type in [0, 2], and certificate_association_data is present.

class octodns.record.tlsa.TlsaValueValidator(id, sets=None)[source]

Bases: ValueValidator

Validates TLSA rdata: certificate_usage in [0, 3], selector in [0, 1], matching_type in [0, 2], and certificate_association_data is present.

validate(value_cls, data, _type)[source]

Validate a record’s rdata values.

Parameters:
  • value_cls (type) – The concrete value class being validated (e.g. MxValue, _Ipv4Value). Validators that need access to value class-level attributes (e.g. VALID_ALGORITHMS, _address_type) should read them from value_cls. Per-instance configuration should live on self, not on value_cls.

  • data (list | tuple | str | dict) – The rdata to validate. For multi-value record types this is a list/tuple of value dicts or strings; for single-value types it may be a bare value. Most validators iterate data directly — when a validator needs to accept either form it should normalize with if not isinstance(data, (list, tuple)): data = (data,).

  • _type (str) – The record type string (e.g. 'MX', 'A'). Passed through to helpers like _check_target_format which format it into their reason strings.

Returns:

A list of human-readable reason strings describing validation failures. Must return an empty list when the values are valid. Reasons from multiple validators are concatenated by the caller, so each reason must stand alone without context from the others.

Return type:

list[str]

Notes

Implementations must not raise on invalid input — all failures are reported via the returned list. Reason strings are surfaced verbatim in ValidationError messages, so phrasing and punctuation should be stable across releases.

class octodns.record.tlsa.TlsaValueRfcValidator(id, sets=None)[source]

Bases: ValueValidator

Strict TLSA rdata validator per RFC 6698.

  • certificate_usage, selector, and matching_type must each be integers in [0, 255] (uint8 fields).

  • certificate_association_data must be a valid hexadecimal string.

  • When matching_type is 1 (SHA-256), the data must be exactly 64 hex characters (32 bytes).

  • When matching_type is 2 (SHA-512), the data must be exactly 128 hex characters (64 bytes).

Enabled as part of the strict validator set:

manager:
  enabled:
    - strict

_hex_re = re.compile('^[0-9a-fA-F]+$')

_matching_type_lengths = {1: 64, 2: 128}

validate(value_cls, data, _type)[source]

Validate a record’s rdata values.

Parameters:
  • value_cls (type) – The concrete value class being validated (e.g. MxValue, _Ipv4Value). Validators that need access to value class-level attributes (e.g. VALID_ALGORITHMS, _address_type) should read them from value_cls. Per-instance configuration should live on self, not on value_cls.

  • data (list | tuple | str | dict) – The rdata to validate. For multi-value record types this is a list/tuple of value dicts or strings; for single-value types it may be a bare value. Most validators iterate data directly — when a validator needs to accept either form it should normalize with if not isinstance(data, (list, tuple)): data = (data,).

  • _type (str) – The record type string (e.g. 'MX', 'A'). Passed through to helpers like _check_target_format which format it into their reason strings.

Returns:

A list of human-readable reason strings describing validation failures. Must return an empty list when the values are valid. Reasons from multiple validators are concatenated by the caller, so each reason must stand alone without context from the others.

Return type:

list[str]

Notes

Implementations must not raise on invalid input — all failures are reported via the returned list. Reason strings are surfaced verbatim in ValidationError messages, so phrasing and punctuation should be stable across releases.

class octodns.record.tlsa.TlsaValueBestPracticeValidator(id, sets=None)[source]

Bases: ValueValidator

Checks that TLSA records do not use matching_type 0 (full DER-encoded certificate or public key stored verbatim).

RFC 7671 §4.1 advises against matching_type 0 in production: any certificate renewal requires a DNS update before the new certificate can be used. Use matching_type 1 (SHA-256) or 2 (SHA-512) instead.
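The three rule sets documented above (the basic range checks, the strict RFC 6698 checks, and the matching_type 0 best-practice check) re-expressed as stand-alone functions. This is an added illustration, not octoDNS's own code: the function names and reason wording are constructed, and association_data shows where the 64/128 hex-character lengths come from by hashing a constructed stand-in for DER bytes.

```python
# Added example, not octoDNS code: this page's three TLSA rule sets as plain
# functions that return (constructed) reason strings instead of raising.
import hashlib
import re

HEX_RE = re.compile(r'^[0-9a-fA-F]+$')
MATCHING_TYPE_LENGTHS = {1: 64, 2: 128}  # SHA-256 digest = 32 bytes, SHA-512 = 64 bytes


def basic_reasons(v):
    """TlsaValueValidator-style checks: field ranges and presence of association data."""
    reasons = []
    for field, upper in (('certificate_usage', 3), ('selector', 1), ('matching_type', 2)):
        n = v.get(field)
        if not isinstance(n, int) or not 0 <= n <= upper:
            reasons.append(f'{field} {n!r} not in [0, {upper}]')
    if not v.get('certificate_association_data'):
        reasons.append('missing certificate_association_data')
    return reasons


def rfc_reasons(v):
    """TlsaValueRfcValidator-style checks: uint8 fields, hex data, digest length."""
    reasons = []
    for field in ('certificate_usage', 'selector', 'matching_type'):
        n = v.get(field)
        if not isinstance(n, int) or not 0 <= n <= 255:
            reasons.append(f'{field} {n!r} is not a uint8')
    data = v.get('certificate_association_data')
    if not isinstance(data, str) or not HEX_RE.match(data):
        reasons.append('certificate_association_data is not a hexadecimal string')
        return reasons  # a length check is meaningless for non-hex data
    mt = v.get('matching_type')
    want = MATCHING_TYPE_LENGTHS.get(mt) if isinstance(mt, int) else None
    if want is not None and len(data) != want:
        reasons.append(f'matching_type {mt} needs {want} hex chars, got {len(data)}')
    return reasons


def best_practice_reasons(v):
    """TlsaValueBestPracticeValidator-style check: discourage matching_type 0 (RFC 7671 §4.1)."""
    if v.get('matching_type') == 0:
        return ['matching_type 0 pins the full certificate; every renewal needs a DNS update first']
    return []


def association_data(der, matching_type):
    """Hash DER bytes (cert for selector 0, SPKI for selector 1) for matching_type 1 or 2."""
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching_type]
    return digest(der).hexdigest()
```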

Enabled as part of the best-practice validator set:

manager:
  enabled:
    - best-practice

validate(value_cls, data, _type)[source]

Validate a record’s rdata values.

Parameters:
  • value_cls (type) – The concrete value class being validated (e.g. MxValue, _Ipv4Value). Validators that need access to value class-level attributes (e.g. VALID_ALGORITHMS, _address_type) should read them from value_cls. Per-instance configuration should live on self, not on value_cls.

  • data (list | tuple | str | dict) – The rdata to validate. For multi-value record types this is a list/tuple of value dicts or strings; for single-value types it may be a bare value. Most validators iterate data directly — when a validator needs to accept either form it should normalize with if not isinstance(data, (list, tuple)): data = (data,).

  • _type (str) – The record type string (e.g. 'MX', 'A'). Passed through to helpers like _check_target_format which format it into their reason strings.

Returns:

A list of human-readable reason strings describing validation failures. Must return an empty list when the values are valid. Reasons from multiple validators are concatenated by the caller, so each reason must stand alone without context from the others.

Return type:

list[str]

Notes

Implementations must not raise on invalid input — all failures are reported via the returned list. Reason strings are surfaced verbatim in ValidationError messages, so phrasing and punctuation should be stable across releases.

class octodns.record.tlsa.TlsaValue(value)[source]

Bases: EqualityTupleMixin, dict

VALIDATORS = [<octodns.record.tlsa.TlsaValueValidator object>, <octodns.record.tlsa.TlsaValueRfcValidator object>, <octodns.record.tlsa.TlsaValueBestPracticeValidator object>]
classmethod _schema()[source]
classmethod parse_rdata_text(value)[source]
classmethod process(values)[source]
__init__(value)[source]
property certificate_usage
property selector
property matching_type
property certificate_association_data
property rdata_text
template(params)[source]
_equality_tuple()[source]
__repr__()[source]

Return repr(self).

class octodns.record.tlsa.TlsaRecord(zone, name, data, source=None, context=None)[source]

Bases: ValuesMixin, Record

REFERENCES = ('https://datatracker.ietf.org/doc/html/rfc6698', 'https://datatracker.ietf.org/doc/html/rfc7671', 'https://datatracker.ietf.org/doc/html/rfc7672', 'https://datatracker.ietf.org/doc/html/rfc7673')
_type = 'TLSA'
_value_type

alias of TlsaValue