dns: move the quoting of TXT records to when we write the zone file so that we can display it unquoted in the External DNS instructions

management/dns_update.py

@@ -169,7 +169,7 @@ def build_zone(domain, all_domains, additional_records, env, is_zone=True):
 
 	# SPF record: Permit the box ('mx', see above) to send mail on behalf of
 	# the domain, and no one else.
-	records.append((None,  "TXT", '"v=spf1 mx -all"', "Recommended. Specifies that only the box is permitted to send @%s mail." % domain))
+	records.append((None,  "TXT", 'v=spf1 mx -all', "Recommended. Specifies that only the box is permitted to send @%s mail." % domain))
 
 	# Add DNS records for any subdomains of this domain. We should not have a zone for
 	# both a domain and one of its subdomains.
@@ -213,11 +213,12 @@ def build_zone(domain, all_domains, additional_records, env, is_zone=True):
 	if os.path.exists(opendkim_record_file):
 		# Append the DKIM TXT record to the zone as generated by OpenDKIM, after string formatting above.
 		with open(opendkim_record_file) as orf:
-			m = re.match(r"(\S+)\s+IN\s+TXT\s+(\(.*\))\s*;", orf.read(), re.S)
+			m = re.match(r'(\S+)\s+IN\s+TXT\s+\( "([^"]+)"\s+"([^"]+)"\s*\)', orf.read(), re.S)
-			records.append((m.group(1), "TXT", m.group(2), "Recommended. Provides a way for recipients to verify that this machine sent @%s mail." % domain))
+			val = m.group(2) + m.group(3)
+			records.append((m.group(1), "TXT", val, "Recommended. Provides a way for recipients to verify that this machine sent @%s mail." % domain))
 
 		# Append a DMARC record.
-		records.append(("_dmarc", "TXT", '"v=DMARC1; p=quarantine"', "Optional. Specifies that mail that does not originate from the box but claims to be from @%s is suspect and should be quarantined by the recipient's mail system." % domain))
+		records.append(("_dmarc", "TXT", 'v=DMARC1; p=quarantine', "Optional. Specifies that mail that does not originate from the box but claims to be from @%s is suspect and should be quarantined by the recipient's mail system." % domain))
 
 	# Sort the records. The None records *must* go first in the nsd zone file. Otherwise it doesn't matter.
 	records.sort(key = lambda rec : list(reversed(rec[0].split(".")) if rec[0] is not None else ""))
@@ -261,11 +262,6 @@ def get_custom_records(domain, additional_records, env):
 			if rtype == "AAAA" and value2 == "local":
 				if "PUBLIC_IPV6" not in env: continue # no IPv6 address is available so don't set anything
 				value2 = env["PUBLIC_IPV6"]
-
-			# For typical zone file output, quote a text record.
-			if rtype == "TXT":
-				value2 = "\"" + value2 + "\""
-
 			yield (qname, rtype, value2)
 
 ########################################################################
@@ -363,6 +359,10 @@ $TTL 1800           ; default time to live
 		if subdomain:
 			zone += subdomain
 		zone += "\tIN\t" + querytype + "\t"
+		if querytype == "TXT":
+			value = value.replace('\\', '\\\\') # escape backslashes
+			value = value.replace('"', '\\"') # escape quotes
+			value = '"' + value + '"' # wrap in quotes
 		zone += value + "\n"
 
 	# DNSSEC requires re-signing a zone periodically. That requires