I use Ubuntu 16.04 LTS. I've been having this annoying issue again with entering the DKIM string (that long code) into my BIND zone file. In the past (for a different domain) I used to bypass that issue by first copying the string from OpenDKIM's mail.txt file into NotepadQQ (it's a Linux version of Notepad++). In Notepad the string didn't break itself into pieces and I just pasted it into the zone file and DKIM worked (and still works!) just fine.

But recently I've got a new domain and I'm trying to set up e-mail for it. So here we go again. Same story, but my workaround doesn't work this time. I did notice though that in this string that I'm now trying to enter (UNLIKE in my previous one) there are a few slashes too... Don't know if that makes any difference... I've seen a few solutions online (like breaking the string with quotation marks), but frankly I don't understand how exactly to implement it in real life... Here's the new string (that didn't work). This is the one that started to work after splitting. I also included the selector and all the rest to make the picture complete:

mail._domainkey IN TXT "v=DKIM1; k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611SadfrxRDAgOQXaNLnde9/vsuSdeL4a5uy+JcxkCsgfjRiVlD9uwZBD+KgG2SkDdZ6+OVndZk3YuOpzmSmzwQz5VXLH5Nh/o2Z3oZnn/zqWtp+eyMaKR1jnznxPNT6/DPvOEWxbNybbNtYlWdHl5qHrzF7BUQdTVV8jGFxrwIDAQAB"

And here's the complete working example from my old domain (the string that wasn't split):

mail._domainkey IN  TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfc9WdF2XaWAFSmhJkjPMcvHT54NiK7puywuaDMQ1jsNTp6wP2tujO1Fp2jzT5aMJOK4CWrOmu4dAg2jZ82CUzghMcIy0p1uN9ZpHfsaDbYMUekN6CkuwIWvcCxrRPJQoyAMnw7IU1QFpRIwzpGLomzNY9KeDZCBGkxH1lYXcacQIDAQAB"
papakota
  • 1
    I think the problem is the `)` between the quotes and the start of the comment (the semicolon) unless it's simply a typo on your post here. –  Jun 12 '20 at 22:52
  • p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611SadfrxRDAgOQXaNLnde9/vsuSdeL4a5uy+JcxkCsgfjRiVlD9uwZBD+KgG2SkDdZ6+OVndZk3YuOpzmSmzwQz5VXLH5Nh/o2Z3oZnn/zqWtp+eyMaKR1jnznxPNT6/DPvOEWxbNybbNtYlWdHl5qHrzF7BUQdTVV8jGFxrwIDAQAB" – papakota Jun 12 '20 at 22:58
  • 1
    That's exactly what I was trying to copy, strictly speaking.... I've edited my original post to avoid misunderstandings. – papakota Jun 12 '20 at 22:59
  • @papakota Could you also clarify in what way it does not work? If it refuses to load the zone, what is the error message? Looking at the updated example, it's not clear what is wrong. – Håkan Lindqvist Jun 13 '20 at 15:12

2 Answers

2

One thing that makes it hard to tell what exactly was going on in your situation is how the question only includes the tail end of the record data (including a trailing "), but the beginning of the data was all missing:

p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611SadfrxRDAgOQXaNLnde9/vsuSdeL4a5uy+JcxkCsgfjRiVlD9uwZBD+KgG2SkDdZ6+OVndZk3YuOpzmSmzwQz5VXLH5Nh/o2Z3oZnn/zqWtp+eyMaKR1jnznxPNT6/DPvOEWxbNybbNtYlWdHl5qHrzF7BUQdTVV8jGFxrwIDAQAB"

Complete DKIM data should be something like:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611SadfrxRDAgOQXaNLnde9/vsuSdeL4a5uy+JcxkCsgfjRiVlD9uwZBD+KgG2SkDdZ6+OVndZk3YuOpzmSmzwQz5VXLH5Nh/o2Z3oZnn/zqWtp+eyMaKR1jnznxPNT6/DPvOEWxbNybbNtYlWdHl5qHrzF7BUQdTVV8jGFxrwIDAQAB

And as the data above is just 234 bytes (less than the 255 byte limit*), you can simply write it as a TXT record like this:

foo._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611SadfrxRDAgOQXaNLnde9/vsuSdeL4a5uy+JcxkCsgfjRiVlD9uwZBD+KgG2SkDdZ6+OVndZk3YuOpzmSmzwQz5VXLH5Nh/o2Z3oZnn/zqWtp+eyMaKR1jnznxPNT6/DPvOEWxbNybbNtYlWdHl5qHrzF7BUQdTVV8jGFxrwIDAQAB"

As the beginning of the data was cut off in the question, it is hard to tell if you perhaps had other parameters in your DKIM data (other than v, k and p), or even just extraneous whitespace embedded between the parameters, which could then explain how the value you tried to fit into the TXT record might end up being >255 bytes.

But if you had for example (or a longer key, which is the more common case):

v=DKIM1; k=rsa; n=blablablablablabla; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611SadfrxRDAgOQXaNLnde9/vsuSdeL4a5uy+JcxkCsgfjRiVlD9uwZBD+KgG2SkDdZ6+OVndZk3YuOpzmSmzwQz5VXLH5Nh/o2Z3oZnn/zqWtp+eyMaKR1jnznxPNT6/DPvOEWxbNybbNtYlWdHl5qHrzF7BUQdTVV8jGFxrwIDAQAB

You would need to split it so that each string is ≤255 bytes, for example like this:

foo._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; n=blablablablablabla; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611SadfrxRDAgOQXaNLnde9/vsuSdeL4a5uy+JcxkCsgfjRiVlD9uwZBD+KgG2SkDdZ6+OVndZk3YuOpzmSmzwQz5VXLH5Nh/o2Z3oZnn/zqWtp+eyMaKR1jnznxPNT6/DPvOEWxbNybbNtYlWdHl5qHrzF7BUQdTVV8jGFxrwIDAQA" "B"

*) The reason why there are articles mentioning splitting up the string is that the character-string values of a TXT record have a maximum length of 255 bytes, however a single TXT record can have multiple such values (each up to 255 bytes).

The DKIM spec says to just split longer values into multiple strings and for DKIM clients to concatenate multiple strings before interpreting the DKIM data.

With all that background sorted out, it's not clear from your question that your value would actually be long enough for any of this to be a concern (essentially, your DKIM key is too short for any of this to be an obvious issue).

Håkan Lindqvist
  • I've just edited my original post to include two complete strings - the old one (non-split and working) and a new one (in its non-split version, but not working) – papakota Jun 13 '20 at 15:03
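The splitting rule described in the answer above, as an added example that is not part of the original answer: it cuts TXT record data into strings of at most 255 bytes, renders a BIND zone line, and checks that the strings reassemble into a usable `p=` value the way a DKIM verifier would join them. The function names and the `SAMPLE` value (a placeholder of 2048-bit key length, not a real key) are assumptions made for the example.

```python
import base64

MAX_TXT_STRING = 255  # RFC 1035: a character-string holds at most 255 bytes


def split_txt(value: str, limit: int = MAX_TXT_STRING) -> list[str]:
    """Split record data into character-strings of at most `limit` bytes."""
    data = value.encode("ascii")  # DKIM key records are plain ASCII
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def zone_line(owner: str, value: str) -> str:
    """Render a BIND zone-file TXT record with one quoted string per chunk."""
    quoted = []
    for chunk in split_txt(value):
        escaped = chunk.replace("\\", "\\\\").replace('"', '\\"')
        quoted.append(f'"{escaped}"')
    return f"{owner} IN TXT " + " ".join(quoted)


def parse_dkim(strings: list[str]) -> dict[str, str]:
    """Concatenate the strings as a verifier does, then read the tag=value list."""
    joined = "".join(strings)  # no separator is inserted between strings
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def check_record(value: str) -> bool:
    """True if every chunk fits and the reassembled p= tag is valid base64."""
    chunks = split_txt(value)
    if any(len(c.encode("ascii")) > MAX_TXT_STRING for c in chunks):
        return False
    p = parse_dkim(chunks).get("p", "")
    try:
        return bool(base64.b64decode(p, validate=True))
    except ValueError:
        return False


# Constructed sample: 392 base64 characters is the length of a 2048-bit RSA key
SAMPLE = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    print(zone_line("foo._domainkey.example.com.", SAMPLE))
```

The cut may fall anywhere, including inside the base64 key, because the strings are joined with nothing between them before the record is interpreted.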
1

Okay, someone's helped me to solve this issue this way (god only knows, but it works!)

p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611Sad" "frxRDAgOQXaNLnde9/vsuSdeL4a5uy+JcxkCsgfjRiVlD" "9uwZBD+KgG2SkDdZ6+OVndZk3YuOpzmSmzwQz5VXLH5Nh/o2Z3oZnn/zqWtp+eyMaKR1jnznxPNT6/DPvOEWxbNybbNtYlWdHl5qHrzF7BUQdTVV8jGFxrwIDAQAB"
papakota
  • 2
    I'm no god, but I do know the limitation comes from [RFC 1035, 3.3](https://tools.ietf.org/html/rfc1035#section-3.3.1) and can be overcome by using multiple strings as allowed in [3.3.14](https://tools.ietf.org/html/rfc1035#section-3.3.14). – Esa Jokinen Jun 13 '20 at 05:31
  • I just need a working solution to the problem. Something I can understand and implement in a timely manner. One could find online (incl. this site) zillions of articles and topics. It doesn't necessarily mean that I'll understand, implement and it would work in my particular case. That guy helped me and I've got a working system now. You haven't. I don't need RFC 1035. I need a working production env. That's all the difference. But thanks for letting me know! I'll look into that for sure! – papakota Jun 13 '20 at 06:10
  • p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfc9WdF2XaWAFSmhJkjPMcvHT54NiK7puywuaDMQ1jsNTp6wP2tujO1Fp2jzT5aMJOK4CWrOmu4dAg2jZ82CUzghMcIy0p1uN9ZpHfsaDbYMUekN6CkuwIWvcCxrRPJQoyAMnw7IU1QFpRIwzpGLomzNY9KeDZCBGkxH1lYXcacQIDAQAB" Here's my previous configuration in a zone file of another domain. Works fine without any multiple strings. How do you explain that then? If according to RFC it shouldn't be working...? – papakota Jun 13 '20 at 06:22