Did you forget to escape the newlines in your curl command line?
Otherwise I’m not sure. Maybe you need to include escaped quotes in the value of the TXT record?
I.e. "\"v=DKIM1; …\""
At least that is what I get when doing a GET on the RRsets of a domain when there are TXT records.
If that turns out to be the issue then the error message seems a bit misleading.
I’m also unsure about the extra whitespace in the form of line feeds in your TXT value.
Not sure about that one either. The message seems unrelated to the previous error message. Is your API token valid, i.e. is the value of API_TOKEN set correctly? You could test with something like:
@nhazadian, are you sure this output really comes from deSEC? I’m not aware that we send any responses containing a “result” field. It looks somewhat like you may be reformatting the output using your shell, and that causes the error. Is that possible?
Good point with masking the API tokens; I’ve edited accordingly.
I started this thread with my one original curl command. The -v output is from that command.
That seems very unlikely, as the error message in the response bodies are different.
The best way to debug is to copy command and output together from your terminal. Make sure that nothing is changed (not even the style of double quotes – they seem changed in your first post). We need a literal 1:1 copy of what happened.
I’ll stop responding here until that’s provided (no offense; I just can’t help you any further).
My original post was an exact copy of the input and output together from my terminal. I do not know why the result with -v was different. Should I provide screenshots?
Now it appears the only response I get is “Invalid token.” I don’t know why that would be.
My AI (which recommended you) thinks that the problem is a bug in your software. I’m not so sure.
My ISP has offered free DNS, with the added advantage of maintaining the DKIM entry for me. I declined since I wanted to support your excellent free service. But if I don’t get some help with this soon, I’ll have to look elsewhere. (No offense, I’ve just got to get my email working.)
Well, Peter, as YOU wrote: “Community support is essential for spreading the use of deSEC’s secure DNS service.”
Now if I have to ask my question in an email to support, I can do that, no problem. Just let me know.
It would be helpful to know how I can test my token.
This will either return status code 200 (and the list of domains in your account) or status code 401. The latter means that the token is not valid.
However, I believe token validity is among the first things that the API checks for a request. Since you already got a “Invalid token” response somewhere else, you’ll get the same for this simple test unless something is very wrong.
This means, you’ll have to create a new token and use that.
But this whole thread strikes me as a bit of a XY problem. You posted a curl command that does not work. But what do you actually want to achieve? Get the curl command right? Or set up some DNS records? In the latter case, you may want to look into Tools implementing deSEC for some community tools that provide a somewhat simplified abstraction layer for the API.
I have a script that lets me add a DKIM record when my ISP notifies me that there is a new one to be added. The curl command I posted is what the script runs to do the update. When I run it now, I get “Invalid token.”, whereas yesterday the identical script produced a completely different answer. Looks like I’ve been blacklisted.
I’m not aware of deSEC doing that. The API may rate limit you, but in that case you’ll get a response that clearly indicates this.
Are you still using the same token that you posted in Update not working - #6 by nhazadian? Peter invalidated that to protect your account. Or did you create a new one in the mean time?
A link to this script might be helpful to better understand what you are doing here.
Rate limits on requests; requests are answered with an appropriate error message and an estimation when the next successful request can be made (§1 ToU).
Closing accounts and disconnecting domains for criminal activity, including denylisting abused IP ranges (§5 ToU).
Neither is the case here. Your token seems to have been deactivated because you posted it publicly - but it’s supposed to be private as it can control your account.
Yes, my token was publicized for some minutes before I corrected that. That was my mistake, and deactivation was arguably justified. I say arguably because only my domain was impacted by the breach. The publication put only my domain in danger, and, given that it was public only for some minutes, a simple warning to replace the token with a new one would perhaps have been more appropriate.
Less justifiable is that I was not notified of the deactivation, either in deSEC or by email. After all, my dyndns script also uses that token, and if my IP gets changed, my email server can neither receive nor send email. IMHO, any deactivation should at the very least automatically issue a notification in deSEC.
Discourse keeps a history of all post edits, so the token value can still be viewed. Click the edit indicator in the upper right corner of your post to check for yourself.
I like the idea of email notifications for token creation, deactivation, and generally all security relevant actions on the account.
deSEC is a charitable organization with limited resources, so we don’t know if and when this makes it to the top of our priority list. However, if you’d submit a pull request with the appropriate code changes, this change can probably land soon as deSEC only needs to review.
I got myself a shiny new token. After about 90 minutes, I’m still getting “Invalid token.” in response to the query for my domains.
As for my script, it’s a simple affair which simply take a couple strings from the command line and uses them to assemble the curl command that I presented at the start of this thread. The intent is to add a new DKIM record that my ISP has specified.