kpfleming · kpfleming · Nov 13, 2025 · Nov 13, 2025 · Nov 14, 2025 · Nov 15, 2025
diff --git a/.github/workflows/delete-pr-image.yml b/.github/workflows/delete-pr-image.yml
@@ -14,7 +14,7 @@ jobs:
     - id: details
       uses: kpfleming/composite-actions/image-details@v3
       with:
-        base_image: python:trixie-main
+        base_image: python:v4-trixie-main
     - uses: kpfleming/composite-actions/delete-pr-image@v3
       with:
         image_registry: ${{ steps.details.outputs.image_registry }}

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -20,7 +20,7 @@ jobs:
     - id: details
       uses: kpfleming/composite-actions/image-details@v3
       with:
-        base_image: python:trixie-main
+        base_image: python:v4-trixie-main
     - id: preflight
       uses: kpfleming/composite-actions/lint-preflight@v3
       with:

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -17,7 +17,7 @@ jobs:
     - id: details
       uses: kpfleming/composite-actions/image-details@v3
       with:
-        base_image: python:trixie-main
+        base_image: python:v4-trixie-main
   publish_galaxy:
     runs-on: ubuntu-24.04-arm
     outputs:

diff --git a/README.md b/README.md
@@ -40,6 +40,7 @@ requirements file will need to be installed there:
   ansible.builtin.pip:
     name:
       - bravado
+      - dnspython
       - jsonschema<4
       - swagger-spec-validator==2.6.0
 ```

diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,4 @@
 bravado
+dnspython
 jsonschema<4
 swagger-spec-validator==2.6.0
diff --git a/src/plugins/module_utils/dns_helpers.py b/src/plugins/module_utils/dns_helpers.py
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2025 Kevin P. Fleming <[email protected]>
+# SPDX-License-Identifier: Apache-2.0
+# -*- coding: utf-8 -*-
+
+import dns.exception
+import dns.name
+
+
+class DNSNameError(Exception):
+    """The supplied DNS name was not valid."""
+
+    def __init__(self, name, location, e):
+        super().__init__(f"Invalid DNS name in '{location}': {name} - {e}")
+
+
+def validate_dns_name(name, location):
+    try:
+        return dns.name.from_text(name).to_text()
+    except dns.exception.DNSException as e:
+        raise DNSNameError(name, location, e) from None
diff --git a/src/plugins/modules/cryptokey.py b/src/plugins/modules/cryptokey.py
@@ -9,6 +9,7 @@
 
 from ..module_utils.api_module_args import API_MODULE_ARGS
 from ..module_utils.api_wrapper import APICryptokeyWrapper, APIZoneWrapper
+from ..module_utils.dns_helpers import validate_dns_name
 
 assert sys.version_info >= (3, 10), "This module requires Python 3.9 or newer."
 
@@ -25,6 +26,7 @@
 
 requirements:
   - bravado
+  - dnspython
 
 extends_documentation_fragment:
   - kpfleming.powerdns_auth.api_details
@@ -248,8 +250,10 @@ def main():
     result = {"changed": False, "cryptokeys": []}
 
     params = module.params
+
     state = params["state"]
-    zone_name = params["zone_name"]
+
+    zone_name = validate_dns_name(params["zone_name"], "zone_name")
 
     api_zone_client = APIZoneWrapper(
         module=module, result=result, object_type="zones", zone_id=None

diff --git a/src/plugins/modules/rrset.py b/src/plugins/modules/rrset.py
@@ -25,6 +25,7 @@
 
 requirements:
   - bravado
+  - dnspython
 
 extends_documentation_fragment:
   - kpfleming.powerdns_auth.api_details

diff --git a/src/plugins/modules/tsigkey.py b/src/plugins/modules/tsigkey.py
@@ -160,13 +160,15 @@ def main():
 
     module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
 
-    state = module.params["state"]
-    key = module.params["name"]
-
     result = {
         "changed": False,
     }
 
+    params = module.params
+
+    state = params["state"]
+    name = params["name"]
+
     if module.check_mode:
         module.exit_json(**result)
 
@@ -176,13 +178,12 @@ def main():
     # predictable exceptions
     api_client = APITSIGKeyWrapper(module=module, result=result, object_type="tsigkey")
 
-    result["key"] = {"name": key, "exists": False}
+    result["key"] = {"name": name, "exists": False}
 
     # first step is to get information about the key, if it exists
     # this is required to translate the user-friendly key name into
     # the key_id required for subsequent API calls
-
-    partial_key_info = [k for k in api_client.listTSIGKeys() if k["name"] == key]
+    partial_key_info = [k for k in api_client.listTSIGKeys() if k["name"] == name]
 
     if len(partial_key_info) == 0:
         if state in ("exists", "absent"):
@@ -214,12 +215,12 @@ def main():
     if not key_id:
         # create the requested key
         key_struct = {
-            "name": key,
-            "algorithm": module.params["algorithm"],
+            "name": name,
+            "algorithm": params["algorithm"],
         }
 
-        if module.params["key"]:
-            key_struct["key"] = module.params["key"]
+        if params["key"]:
+            key_struct["key"] = params["key"]
 
         key_info = api_client.createTSIGKey(tsigkey=key_struct)
         result["changed"] = True
@@ -231,10 +232,10 @@ def main():
         # options and update it if necessary
         key_struct = {}
 
-        if (mod_alg := module.params["algorithm"]) and mod_alg != key_info["algorithm"]:
+        if (mod_alg := params["algorithm"]) and mod_alg != key_info["algorithm"]:
             key_struct["algorithm"] = mod_alg
 
-        if (mod_key := module.params["key"]) and mod_key != key_info["key"]:
+        if (mod_key := params["key"]) and mod_key != key_info["key"]:
             key_struct["key"] = mod_key
 
         if key_struct: