DNS: stop auto-creating duplicate DMARC TXT records

CyberPanel previously added _dmarc at the apex (p=none) in two code paths and _dmarc on every child subdomain, which conflicts with a single externally managed policy (e.g. Cloudflare) and violates RFC 7489 (one TXT RRset per name). Comment out automatic DMARC creation so operators set one record at _dmarc.<apex> only.
2026-05-06 09:25:54 +02:00 · 2026-04-07 18:50:16 +02:00
parent 385a108014
commit f09f7b96b9
1 changed files with 9 additions and 3 deletions
--- a/plogical/dnsUtilities.py
+++ b/plogical/dnsUtilities.py
@@ -326,7 +326,9 @@ class DNS:
                    #                  auth=1)
                    # record.save()

-                    DNS.createDNSRecord(zone, "_dmarc." + topLevelDomain, "TXT", "v=DMARC1; p=none;", 0, 3600)
+                    # Apex DMARC: do not auto-add p=none here — use one TXT at _dmarc.<apex> in Cloudflare/DNS
+                    # to avoid conflicting duplicate DMARC records (invalid per RFC 7489).
+                    # DNS.createDNSRecord(zone, "_dmarc." + topLevelDomain, "TXT", "v=DMARC1; p=none;", 0, 3600)

                    # record = Records(domainOwner=zone,
                    #                  domain_id=zone.id,
@@ -489,7 +491,9 @@ class DNS:
                    #                  auth=1)
                    # record.save()

-                    DNS.createDNSRecord(zone, "_dmarc." + topLevelDomain, "TXT", "v=DMARC1; p=none;", 0, 3600)
+                    # Apex DMARC: do not auto-add p=none here — use one TXT at _dmarc.<apex> in Cloudflare/DNS
+                    # to avoid conflicting duplicate DMARC records (invalid per RFC 7489).
+                    # DNS.createDNSRecord(zone, "_dmarc." + topLevelDomain, "TXT", "v=DMARC1; p=none;", 0, 3600)

                    # record = Records(domainOwner=zone,
                    #                  domain_id=zone.id,
@@ -585,7 +589,9 @@ class DNS:
                #                  auth=1)
                # record.save()

-                DNS.createDNSRecord(zone, "_dmarc." + actualSubDomain, "TXT", "v=DMARC1; p=none;", 0, 3600)
+                # Do not auto-create subdomain _dmarc: one organizational policy at _dmarc.<apex> is enough for
+                # typical setups; avoids dozens of p=none records and Cloudflare clutter.
+                # DNS.createDNSRecord(zone, "_dmarc." + actualSubDomain, "TXT", "v=DMARC1; p=none;", 0, 3600)

                # record = Records(domainOwner=zone,
                #                  domain_id=zone.id,