octodns.record.ds

Classes

DsRecord(zone, name, data[, source, context])

DsValue(value)

DsValueBestPracticeValidator(id[, sets])

Checks DS records against deprecated algorithms and digest types per RFC 8624.

DsValueRfcValidator(id[, sets])

Strict DS rdata validator per RFC 4034 §5.1, RFC 4509, and RFC 6605.

DsValueValidator(id[, sets])

Validates DS rdata.
class octodns.record.ds.DsValueValidator(id, sets=None)[source]

Bases: ValueValidator

Validates DS rdata. Supports both the current field names (key_tag, algorithm, digest_type, digest) and the deprecated legacy field names (flags, protocol, algorithm, public_key), which will be removed in 2.0.

validate(value_cls, data, _type)[source]

Validate a record’s rdata values.

Parameters:

  • value_cls (type) – The concrete value class being validated (e.g. MxValue, _Ipv4Value). Validators that need access to value class-level attributes (e.g. VALID_ALGORITHMS, _address_type) should read them from value_cls. Per-instance configuration should live on self, not on value_cls.

  • data (list | tuple | str | dict) – The rdata to validate. For multi-value record types this is a list/tuple of value dicts or strings; for single-value types it may be a bare value. Most validators iterate data directly — when a validator needs to accept either form it should normalize with if not isinstance(data, (list, tuple)): data = (data,).

  • _type (str) – The record type string (e.g. 'MX', 'A'). Passed through to helpers like _check_target_format which format it into their reason strings.

Returns:

A list of human-readable reason strings describing validation failures. Must return an empty list when the values are valid. Reasons from multiple validators are concatenated by the caller, so each reason must stand alone without context from the others.

Return type:

list[str]

Notes

Implementations must not raise on invalid input — all failures are reported via the returned list. Reason strings are surfaced verbatim in ValidationError messages, so phrasing and punctuation should be stable across releases.

class octodns.record.ds.DsValueRfcValidator(id, sets=None)[source]

Bases: ValueValidator

Strict DS rdata validator per RFC 4034 §5.1, RFC 4509, and RFC 6605.

  • key_tag must be in [0, 65535] (uint16).

  • algorithm must be in [0, 255] (uint8).

  • digest_type must be in [0, 255] (uint8).

  • digest must be a valid hexadecimal string.

  • For known digest types, the digest length is enforced: type 1 (SHA-1) = 40 hex chars, type 2 (SHA-256) = 64 hex chars, type 4 (SHA-384) = 96 hex chars.

The deprecated legacy field names (flags, protocol, public_key) are not accepted in strict mode.

Enabled as part of the strict validator set:

manager:
  enabled:
    - strict
_hex_re = re.compile('^[0-9a-fA-F]+$')
_digest_type_lengths = {1: 40, 2: 64, 4: 96}
validate(value_cls, data, _type)[source]

Validate a record’s rdata values.

Parameters:

  • value_cls (type) – The concrete value class being validated (e.g. MxValue, _Ipv4Value). Validators that need access to value class-level attributes (e.g. VALID_ALGORITHMS, _address_type) should read them from value_cls. Per-instance configuration should live on self, not on value_cls.

  • data (list | tuple | str | dict) – The rdata to validate. For multi-value record types this is a list/tuple of value dicts or strings; for single-value types it may be a bare value. Most validators iterate data directly — when a validator needs to accept either form it should normalize with if not isinstance(data, (list, tuple)): data = (data,).

  • _type (str) – The record type string (e.g. 'MX', 'A'). Passed through to helpers like _check_target_format which format it into their reason strings.

Returns:

A list of human-readable reason strings describing validation failures. Must return an empty list when the values are valid. Reasons from multiple validators are concatenated by the caller, so each reason must stand alone without context from the others.

Return type:

list[str]

Notes

Implementations must not raise on invalid input — all failures are reported via the returned list. Reason strings are surfaced verbatim in ValidationError messages, so phrasing and punctuation should be stable across releases.

class octodns.record.ds.DsValueBestPracticeValidator(id, sets=None)[source]

Bases: ValueValidator

Checks DS records against deprecated algorithms and digest types per RFC 8624.

  • digest_type 1 (SHA-1) is NOT RECOMMENDED (§3.3); use digest_type 2 (SHA-256).

  • Signing algorithm values 1 (RSA/MD5), 3 (DSA/SHA1), 5 (RSA/SHA-1), 6 (DSA-NSEC3-SHA1), and 7 (RSASHA1-NSEC3-SHA1) are deprecated (§3.1).

Enabled as part of the best-practice validator set:

manager:
  enabled:
    - best-practice
_deprecated_algorithms = {1: 'RSA/MD5', 3: 'DSA/SHA1', 5: 'RSA/SHA-1', 6: 'DSA-NSEC3-SHA1', 7: 'RSASHA1-NSEC3-SHA1'}
validate(value_cls, data, _type)[source]

Validate a record’s rdata values.

Parameters:

  • value_cls (type) – The concrete value class being validated (e.g. MxValue, _Ipv4Value). Validators that need access to value class-level attributes (e.g. VALID_ALGORITHMS, _address_type) should read them from value_cls. Per-instance configuration should live on self, not on value_cls.

  • data (list | tuple | str | dict) – The rdata to validate. For multi-value record types this is a list/tuple of value dicts or strings; for single-value types it may be a bare value. Most validators iterate data directly — when a validator needs to accept either form it should normalize with if not isinstance(data, (list, tuple)): data = (data,).

  • _type (str) – The record type string (e.g. 'MX', 'A'). Passed through to helpers like _check_target_format which format it into their reason strings.

Returns:

A list of human-readable reason strings describing validation failures. Must return an empty list when the values are valid. Reasons from multiple validators are concatenated by the caller, so each reason must stand alone without context from the others.

Return type:

list[str]

Notes

Implementations must not raise on invalid input — all failures are reported via the returned list. Reason strings are surfaced verbatim in ValidationError messages, so phrasing and punctuation should be stable across releases.

class octodns.record.ds.DsValue(value)[source]

Bases: EqualityTupleMixin, dict

log = <Logger DsValue (WARNING)>
VALIDATORS = [<octodns.record.ds.DsValueValidator object>, <octodns.record.ds.DsValueRfcValidator object>, <octodns.record.ds.DsValueBestPracticeValidator object>]
classmethod _schema()[source]
classmethod parse_rdata_text(value)[source]
classmethod process(values)[source]
__init__(value)[source]
property key_tag
property algorithm
property digest_type
property digest
property data
property rdata_text
template(params)[source]
_equality_tuple()[source]
__repr__()[source]

Return repr(self).

class octodns.record.ds.DsRecord(zone, name, data, source=None, context=None)[source]

Bases: ValuesMixin, Record

REFERENCES = ('https://datatracker.ietf.org/doc/html/rfc4034', 'https://datatracker.ietf.org/doc/html/rfc4035', 'https://datatracker.ietf.org/doc/html/rfc4509', 'https://datatracker.ietf.org/doc/html/rfc6605', 'https://datatracker.ietf.org/doc/html/rfc6840', 'https://datatracker.ietf.org/doc/html/rfc8080', 'https://datatracker.ietf.org/doc/html/rfc8624')
_type = 'DS'
_value_type

alias of DsValue