25

I'm trying to enter a 4028 bit DKIM key into DNS and it seems that I'm exceeding both the UDP 512 byte limit and also the maximum record size for a TXT record.

How does someone properly create a large key (with implied larger encoded size) and import it into DNS?

makerofthings7
  • Need more detail; what is the DNS server software? – JGurtz Apr 04 '11 at 18:54
  • Have you carefully considered your key size? The RFC states: "Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys." So your long key may not get verified. – HTTP500 Apr 04 '11 at 19:11
  • @JGurtz We are using "UltraDNS" it's a hosted service. – makerofthings7 Apr 04 '11 at 19:48
  • @Jason - We can do 2048, but I think that bit length may exceed the UDP packet limit. – makerofthings7 Apr 04 '11 at 19:48
  • Perhaps you should consider that the problems you create through the use of an unusually long key far outweigh the advantages you hope to gain from it. – John Gardeniers Apr 05 '11 at 00:45
  • @John - I've already come to that conclusion; and this is becoming academic at this point. The solution may become useful to someone, perhaps in the future where 2048 keys are easily broken/brute forced. – makerofthings7 Apr 05 '11 at 03:34
  • @makerofthings7, hopefully by then longer keys will be better supported. – John Gardeniers Apr 05 '11 at 04:19

7 Answers

36

You need to split them in the text field. I believe that 2048 is the practical limit for key sizes. Split the text field into parts 255 characters or less. There is overhead for each split.

There are two formats for long fields.

TXT  "part one" \
     "part two"
TXT ( "part one"
      "part two" )

Both of which will combine as "part onepart two". More details from Zytrax.

To generate my DKIM entry I insert my public key file and wrap it in quotation marks.
My public key file contains the following:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3
q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0
ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB

After editing, the key in my DNS zone file appears as follows:

dkim3._domainkey        IN      TXT     ("v=DKIM1; t=s; p=" 
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3"
"q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0"
"ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB")

DNS returns it as follows:

 bill:~$ host -t TXT dkim3._domainkey.systemajik.com
 dkim3._domainkey.systemajik.com descriptive text "v=DKIM1\; t=s\; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3" "q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0" "ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB"

DNS treats it as one long string with no extra spaces where the lines are joined. All `" "` sequences are ignored.

BillThor
  • Can you give an example? For this I can't figure out how to make it clear what part 1 and part 2 are.... #threadnecro – janw Jul 17 '13 at 11:28
  • @janw I've added one of my keys as an example. This key is only 1024 bits. – BillThor Jul 18 '13 at 00:34
  • Tnx for the quick reply. But this key fits in a 255 key. So I still don't get how you split it into multiple keys. – janw Jul 18 '13 at 07:30
  • It is not DNS that ignores the `" "` sequences and you actually prove that in your last quote. It is [SPF RFC 4408](https://www.ietf.org/rfc/rfc4408.txt) section 3.1.3 which defines that concatenation should be used by applications reading the DNS records for SPF validation. – Phil Mar 08 '16 at 08:29
  • To elaborate on what @Phil_1984_ said - whether the individual 255 character fields within a TXT record are directly concatenated or e.g. joined with spaces is application specific. As far as the DNS is concerned it's just data. – Alnitak May 09 '17 at 14:36
  • @Alnitak The applicable RFC for this case is https://tools.ietf.org/html/rfc6376#section-3.6. Strings are concatenated without spaces between them. SPF and other formats follow the same rules allowing breaks to be placed at arbitrary locations. This can be done for readability or to limit record size. – BillThor May 10 '17 at 03:09

3

If it's Amazon Route 53 then don't use newlines (only spaces) between chunks.

"do it" "this way"

"not like"
"this"

See https://serverfault.com/a/763871/80856

Messa
1

It's not the prettiest script but it saves time and typo's on my named/bind hosts.

#!/usr/bin/env bash
# Wrap a DKIM record into quoted 76-column strings inside ( ... ) for a BIND zone file.
pretty_dkim() {
  grep DKIM1 |                      # keep only the line holding the record
  sed 's/.*v=DKIM/v=DKIM/' |        # drop anything in front of v=DKIM1 (e.g. the owner name)
  fold -s -w76 |                    # break into lines of at most 76 characters
  sed 's/^/"/;s/$/"/;1 s/^/(/' |    # quote every line, open the parenthesis on the first
  tac | sed '1 s/$/)/' | tac        # close the parenthesis on the last line
}
if [ -t 0 ]; then
  pretty_dkim < "$1"                # stdin is a terminal: read the file named on the command line
else
  pretty_dkim                       # otherwise act as a filter on stdin
fi

And if no newlines are needed you could add a `| tr '\n' ' '`.

crpb
1

If you use the poweradmin UI for pdns you can just enter the whole dkim string in the input field.

v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxtR3bw1Kbh1B7q4+5aWjTj2YEFwv230gcv+NMp4KouOSLdIr0mCMiwDZpY+7zCdks0zMXtz+F5TPij/NkSAxIKBbJqbIO3mvAhgeI0Vy5aQ5prwnIyXUj54po6AsXbv5Ud2tFbGSsdIhvWiC755d3WaFs8mdWFkpSxprlW6PobCzOWDayWGCvsNfHpjmTxHZinkd3TmLQqE/O6Nb1YnRwQwUCLioSyudV+5Bd2+rXZ2V9FYAOiK2aQi2aSTiUaLCVxft9H6xen3JDaKsuu43QMBrhydoJOCV2QaY82IxqE3GgZrlADu6YEOfotdwD2aA9GRwVB88GqdXL8HwgEGTbwIDAQAB;

user5994461
1

I know this post is ancient, but I found it today when querying "DKIM 2048 bit key with UltraDNS." My DNS team had attempted to split the key into two parts with quotes around them and a space between. That was causing UltraDNS to serve up 3 packets (the one in the center was empty) which caused inconsistent validation results.

What worked for me in the UltraDNS control panel was just to submit the entire record in quotes without multiple sets of quotes, delimiters, etc. Works as expected now.

0

It's OK if the record is greater than the UDP 512-byte limit because DNS will use TCP.

This should be transparent to the user, but sometimes buggy firewall appliances (such as Cisco PIX/ASA) will filter/block these larger queries.

JGurtz
-1

If you are using MySQL/MariaDB as your DNS backend (e.g. with PowerDNS), you could resize your content column.

The default PowerDNS content length is VARCHAR(255), so your DKIM signature will be trimmed to 255 characters.

To fix this, just change the content size via the MySQL / MariaDB CLI:

mysql -u root -p

USE powerdns;
ALTER TABLE records MODIFY COLUMN content TEXT NOT NULL;

Restart your DNS service (e.g. PowerDNS):

service pdns restart

webmaster