Error: Provided object is not valid. Got a InvalidObject error with message Empty spaces are not allowed in TXT record, unless wrapped in double quotes.

Article ID: 421804

Updated On:

Products

VMware Integrated OpenStack

Issue/Introduction

  • Attempting to create a DKIM TXT record (or any TXT record longer than 255 characters) using the OpenStack CLI fails.
  • Users may encounter the following error message when attempting to pass a split string via the CLI:
    Provided object is not valid. Got a InvalidObject error with message Quotation marks should be escaped with backslash.
  • API returns 400 Bad Request.
  • CLI commands fail to parse escaped quotes correctly.
  • DNS resolvers fail to retrieve the full key if not split correctly.

Environment

7.x

Cause

There are two contributing causes to this issue:

  1. DNS Protocol Constraint:
    RFC 1035 specifies that a single character string within a TXT record cannot exceed 255 octets. Records longer than this (such as 2048-bit DKIM keys) must be split into multiple quoted strings within a single record.

  2. CLI/Shell Parsing:
    The OpenStack CLI and local shell environments often strip the backslash escape characters (\") needed to define multiple strings inside a JSON payload. This causes the Designate API to receive malformed JSON.

Resolution

Workaround:

  1. Obtain Authentication Details
    Retrieve your current authentication token and the public DNS endpoint URL:

    example:
    Bash:

    export OS_TOKEN=$(openstack token issue -c id -f value)
    export DNS_ENDPOINT=$(openstack endpoint list --service dns --interface public -c URL -f value)

  2. Format the Payload:
    Split the long DKIM string into two parts (e.g., ~240 characters and the remainder). Ensure they are wrapped in escaped quotes (\") and separated by a space.

  3. Execute the Request:
    Run the following command, replacing <ZONE_ID>, <RECORD_NAME>, and the key segments with your specific values:

    example:
    Bash:

    curl -X POST "$DNS_ENDPOINT/v2/zones/<ZONE_ID>/recordsets" \
      -H "X-Auth-Token: $OS_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "<RECORD_NAME>",
        "type": "TXT",
        "ttl": 3600,
        "records": [
          "\"v=DKIM1; k=rsa; p=PART_1_OF_KEY...\" \"...PART_2_OF_KEY\""
        ]
      }'
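
Steps 2 and 3 can be scripted so that the splitting and the quote escaping are not done by hand. The following is an added example, not code from VMware or the OpenStack project; the record name and the sample key are constructed placeholders, and the 240-character chunk size follows the suggestion in step 2.

```python
import json
import re

MAX_TXT_STRING = 255  # RFC 1035: one character string holds at most 255 octets


def split_txt(value, chunk=240):
    """Split a TXT value into pieces of at most `chunk` octets."""
    if not 1 <= chunk <= MAX_TXT_STRING:
        raise ValueError("chunk must be between 1 and 255")
    data = value.encode("ascii")  # DKIM records are ASCII; anything else raises
    if b'"' in data or b"\\" in data:
        raise ValueError("quotes and backslashes are not handled by this example")
    return [data[i:i + chunk].decode("ascii") for i in range(0, len(data), chunk)]


def designate_record(value, chunk=240):
    """One record entry: each piece in double quotes, pieces separated by a space."""
    return " ".join('"%s"' % part for part in split_txt(value, chunk))


def build_payload(name, value, ttl=3600, chunk=240):
    """JSON body for the recordsets POST; json.dumps writes the \\" escapes."""
    body = {"name": name, "type": "TXT", "ttl": ttl,
            "records": [designate_record(value, chunk)]}
    return json.dumps(body, indent=2)


def resolver_view(record):
    """Join the quoted strings the way a resolver does; the space is dropped."""
    return "".join(re.findall(r'"([^"]*)"', record))


# Constructed sample: 392 base64-like characters, not a real DKIM key.
SAMPLE = "v=DKIM1; k=rsa; p=" + "QUJD" * 98
# Hypothetical record name, used only for illustration.
SAMPLE_NAME = "selector1._domainkey.example.com."

if __name__ == "__main__":
    record = designate_record(SAMPLE)
    # The round trip must give back the unsplit value before anything is sent.
    assert resolver_view(record) == SAMPLE
    print(build_payload(SAMPLE_NAME, SAMPLE))
```

Piping the printed JSON to curl with `-d @-` in place of the inline `-d '{...}'` argument keeps the shell from interpreting the backslashes.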

 

 

Additional Information

 

  • DNS resolvers automatically concatenate multiple strings returned in a single TXT record. The space between the split strings in the JSON payload is necessary for Designate to parse them as separate arguments, but it is ignored by the resolver during concatenation.

  • RFC 1035 - Domain Names - Implementation and Specification