CLOUDFLAREAPI: Prevent web UI from displaying warnings about TXT records (#3834)

tlimoncelli · web-flow · commit ae9759d831ed · 2026-01-25T09:07:21.000-05:00
# Issue The way that DNSControl does its TXT record updates results in the Cloudflare web dashboard telling people that they're bad people and should feel bad. # Resolution Guess Cloudflare's mystery protocol and encode data by what we think is correct. NOTE: Existing TXT records will not be fixed. The updated doc (https://docs.dnscontrol.org/provider/cloudflareapi) explains ways to manually remove the error.
diff --git a/documentation/assets/providers/cloudflareapi/invalid-warning.png b/documentation/assets/providers/cloudflareapi/invalid-warning.png
diff --git a/documentation/provider/cloudflareapi.md b/documentation/provider/cloudflareapi.md
@@ -390,6 +390,23 @@ were created outside of DNSControl.
 Cloudflare has restrictions that may result in DNSControl's attempt to insert
 DS records to fail.
 
+## TXT records
+
+Do you see this warning in the Cloudflare dashboard?
+
+> "The content field of TXT records must be in quotation marks. Cloudflare may
+> add quotation marks on your behalf, which will not affect how the record
+> works."
+
+![Cloudflare dumb TXT warning](../assets/providers/cloudflareapi/invalid-warning.png)
+
+TXT records created/updated by DNSControl v4.31.1 and prior will produce this warning. It is meaningless and should be ignored.
+
+If you are unable to ignore the warning, any of these will remove it:
+
+* In the Cloudflare dashboard, click to edit the record and immediately save it. As of 2026-01-21, Cloudflare's UI can fix the issue, not just complain about it.
+* Force DNSControl to update the record. Either change it (make an inconsequential change), or delete the TXT record and allow DNSControl to recreate it.
+
 ## Integration testing
 
 The integration tests assume that Cloudflare Workers are enabled and the credentials used
diff --git a/pkg/txtutil/txtcode_test.go b/pkg/txtutil/txtcode_test.go
@@ -65,6 +65,8 @@ func TestTxtDecode(t *testing.T) {
 		{`"q4backs\\\\lash"`, []string{`q4backs\\lash`}},
 		// HETZNER includes a space after the last quote. Make sure we handle that.
 		{`"one" "more" `, []string{`one`, `more`}},
+		// Edge case: unquoted strings are treated as literals to be joined with no space!
+		{`v=spf1 -all`, []string{`v=spf1-all`}},
 	}
 	for i, test := range tests {
 		got, err := txtDecode(test.data)
@@ -84,6 +86,8 @@ func TestTxtEncode(t *testing.T) {
 		data     []string
 		expected string
 	}{
+		{[]string{"simple"}, `"simple"`},
+		{[]string{`"quoted"`}, `"\"quoted\""`},
 		{[]string{}, `""`},
 		{[]string{``}, `""`},
 		{[]string{`foo`}, `"foo"`},
diff --git a/providers/cloudflare/auditrecords.go b/providers/cloudflare/auditrecords.go
@@ -11,9 +11,7 @@ import (
 func AuditRecords(records []*models.RecordConfig) []error {
 	a := rejectif.Auditor{}
 
-	a.Add("TXT", rejectif.TxtHasTrailingSpace) // Last verified 2022-06-18
-
-	a.Add("TXT", rejectif.TxtIsEmpty) // Last verified 2022-06-18
+	a.Add("TXT", rejectif.TxtIsEmpty) // Last verified 2026-01-21
 
 	return a.Audit(records)
 }
diff --git a/providers/cloudflare/cloudflareProvider.go b/providers/cloudflare/cloudflareProvider.go
@@ -19,6 +19,7 @@ import (
 	"github.com/StackExchange/dnscontrol/v4/pkg/printer"
 	"github.com/StackExchange/dnscontrol/v4/pkg/providers"
 	"github.com/StackExchange/dnscontrol/v4/pkg/transform"
+	"github.com/StackExchange/dnscontrol/v4/pkg/txtutil"
 	"github.com/StackExchange/dnscontrol/v4/pkg/zonecache"
 	"github.com/StackExchange/dnscontrol/v4/providers/cloudflare/rtypes/cfsingleredirect"
 )
@@ -800,7 +801,11 @@ func (c *cloudflareProvider) nativeToRecord(domain string, cr cloudflare.DNSReco
 			return nil, fmt.Errorf("unparsable SRV record received from cloudflare: %w", err)
 		}
 	case "TXT":
-		err := rc.SetTargetTXT(cr.Content)
+		s, err := parseCfTxtContent(cr.Content)
+		if err != nil {
+			return rc, err
+		}
+		err = rc.SetTargetTXT(s)
 		return rc, err
 	default:
 		if err := rc.PopulateFromString(rType, cr.Content, domain); err != nil {
@@ -811,6 +816,55 @@ func (c *cloudflareProvider) nativeToRecord(domain string, cr cloudflare.DNSReco
 	return rc, nil
 }
 
+func parseCfTxtContent(s string) (string, error) {
+	// Cloudflare encodes TXT records in a mystery format. They tell you when
+	// you've done something wrong, but won't document what they do want.
+	// If you use their web dashboard and enter the string as any normal human
+	// would, they display a warning that you're a bad person and should feel
+	// bad for doing that.  However, they accept it just fine, and present it in
+	// their API as a string like any person on this planet would expect.  If
+	// you enter the string with quotes, they accept that like a BIND zonefile.
+
+	// There is a difference between what you enter in their web dashboard, how
+	// it is rewritten by the UI, and what you get in the JSON. Examples:
+
+	// dashboard: i love dns it is great
+	// rewritten: "i love dns it is great"
+	// seen json: "i love dns it is great"
+
+	// dashboard: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+	// rewritten: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+	// seen json: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+	// dashboard: "i love dns" "it is great"
+	// rewritten: "i love dns" "it is great"
+	// seen json: "i love dns" "it is great"
+
+	// dashboard: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+	// rewritten: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+	// seen json: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+	// dashboard: "xxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+	// rewritten: "xxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+	// seen json: "xxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+	// From this we conclude:
+	// If it begins and ends with a quote, use ParseQuoted() to decode it.
+	// Otherwise, it is a raw string. They could just fucking tell us that in
+	// the documenation, but where's the fun in that?
+
+	if s == "" {
+		return "", nil
+	}
+	if s == `"` {
+		return "", errors.New("invalid TXT record content: one double quote")
+	}
+	if s[0] == '"' && s[len(s)-1] == '"' {
+		return txtutil.ParseQuoted(s)
+	}
+	return s, nil
+}
+
 func getProxyMetadata(r *models.RecordConfig) map[string]string {
 	if r.Type != "A" && r.Type != "AAAA" && r.Type != "CNAME" {
 		return nil
diff --git a/providers/cloudflare/parsecftxtcontent_test.go b/providers/cloudflare/parsecftxtcontent_test.go
@@ -0,0 +1,76 @@
+package cloudflare
+
+import (
+	"testing"
+)
+
+func TestParseCfTxtContent(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		want    string
+		wantErr bool
+	}{
+		{
+			name:    "empty string",
+			input:   "",
+			want:    "",
+			wantErr: false,
+		},
+		{
+			name:    "unquoted string",
+			input:   "simple text",
+			want:    "simple text",
+			wantErr: false,
+		},
+		{
+			name:    "quoted string",
+			input:   `"quoted text"`,
+			want:    "quoted text",
+			wantErr: false,
+		},
+		{
+			name:    "quoted string with spaces",
+			input:   `"text with spaces"`,
+			want:    "text with spaces",
+			wantErr: false,
+		},
+		{
+			name:    "only opening quote",
+			input:   `"incomplete`,
+			want:    `"incomplete`,
+			wantErr: false,
+		},
+		{
+			name:    "only closing quote",
+			input:   `incomplete"`,
+			want:    `incomplete"`,
+			wantErr: false,
+		},
+		{
+			name:    "single quote char",
+			input:   `"`,
+			want:    ``,
+			wantErr: true,
+		},
+		{
+			name:    "double quotes only",
+			input:   `""`,
+			want:    "",
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := parseCfTxtContent(tt.input)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("parseCfTxtContent() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("parseCfTxtContent() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/providers/cloudflare/rest.go b/providers/cloudflare/rest.go
@@ -6,13 +6,13 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/cloudflare/cloudflare-go"
-	"golang.org/x/net/idna"
-
 	"github.com/StackExchange/dnscontrol/v4/models"
 	"github.com/StackExchange/dnscontrol/v4/pkg/domaintags"
 	"github.com/StackExchange/dnscontrol/v4/pkg/rtypecontrol"
+	"github.com/StackExchange/dnscontrol/v4/pkg/txtutil"
 	"github.com/StackExchange/dnscontrol/v4/providers/cloudflare/rtypes/cfsingleredirect"
+	"github.com/cloudflare/cloudflare-go"
+	"golang.org/x/net/idna"
 )
 
 func (c *cloudflareProvider) fetchAllZones() (map[string]cloudflare.Zone, error) {
@@ -180,7 +180,7 @@ func (c *cloudflareProvider) createRecDiff2(rec *models.RecordConfig, domainID s
 	case "MX":
 		prio = fmt.Sprintf(" %d ", rec.MxPreference)
 	case "TXT":
-		content = rec.GetTargetTXTJoined()
+		content = txtutil.EncodeQuoted(rec.GetTargetTXTJoined())
 	case "DS":
 		content = fmt.Sprintf("%d %d %d %s", rec.DsKeyTag, rec.DsAlgorithm, rec.DsDigestType, rec.DsDigest)
 	}
@@ -258,7 +258,7 @@ func (c *cloudflareProvider) modifyRecord(domainID, recID string, proxied bool,
 	}
 	switch rec.Type {
 	case "TXT":
-		r.Content = rec.GetTargetTXTJoined()
+		r.Content = txtutil.EncodeQuoted(rec.GetTargetTXTJoined())
 	case "SRV":
 		r.Data = cfSrvData(rec)
 		r.Name = rec.GetLabelFQDN()

Original file line number	Diff line number	Diff line change
`@@ -11,9 +11,7 @@ import (`
`11`	`11`	`func AuditRecords(records []*models.RecordConfig) []error {`
`12`	`12`	`a := rejectif.Auditor{}`
`13`	`13`
`14`		`- a.Add("TXT", rejectif.TxtHasTrailingSpace) // Last verified 2022-06-18`
`15`		`-`
`16`		`- a.Add("TXT", rejectif.TxtIsEmpty) // Last verified 2022-06-18`
	`14`	`+ a.Add("TXT", rejectif.TxtIsEmpty) // Last verified 2026-01-21`
`17`	`15`
`18`	`16`	`return a.Audit(records)`
`19`	`17`	`}`