
I am setting up a mail system based on exim4. This system implements DKIM signing and checking (among other things). Signing seems to work without problems but checking doesn't work and exim4 complains about the syntax of my TXT records which carry my dkim public key:

2014-02-02 22:37:31 1WA5fP-0004Y4-E2 DKIM: d=middle.earth s=a9d04665528b593d263a6e5256648c99 c=relaxed/relaxed a=rsa-sha256 [invalid - syntax error in public key record]

I am using a 2048-bit RSA key to sign my mails at the mail relay level (this works ok and I indeed have DKIM headers in the mails relayed through this server). The problem seems to be in the fact that bind (my DNS server for that zone) doesn't support records that are more than 255 characters long in the zone file. So I have chosen to split the record as shown below, and as described in the very trustworthy website zytrax.com:

...
a9d04665528b593d263a6e5256648c99._domainkey IN  1800 TXT    ("k=rsa,p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2/ZfhxSI/A"
                                         "bqgh0amM8ylrlosirWeKShUhq7fg12aYmRwOqq9hIzO0Fcz1BzfgHVu6HU++rC5"
                                         "QoUK0JQK/nk4jwkDgvG2di2ZYmAvEbY/VeiK1x/TG0p1Iczr2k6Bj0gEAb/YGD2"
                                         "YbwrwAi4bDXwoPsYuuNn9TB3jjyWKu/dvOsqhff1/4Wc+FkOi0ClvgrXiklN28X"
                                         "TLjyjSyU794ntIoegXxrfwcwkhfPMvuqcnhfIC0Z8L71M4WR4SoHyNHVfBtNlUv"
                                         "VNROiXlMxtxnNQvfViSwz6LC8bYIxeAba3hSXPTChKu3qZtfR0o3jFwEWAfLQdg"
                                         "Ixler0jMEoAyJmfQIDAQAB")

Complete zone file can be found here: http://pastebin.com/GDE5XA2M

With that configuration exim complains about the error above. If I try to manually resolve my dkim records here is what I get:

;; ANSWER SECTION:
a9d04665528b593d263a6e5256648c99._domainkey.middle.earth. 1800 IN TXT "k=rsa,p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2/ZfhxSI/A" "bqgh0amM8ylrlosirWeKShUhq7fg12aYmRwOqq9hIzO0Fcz1BzfgHVu6HU++rC5" "QoUK0JQK/nk4jwkDgvG2di2ZYmAvEbY/VeiK1x/TG0p1Iczr2k6Bj0gEAb/YGD2" "YbwrwAi4bDXwoPsYuuNn9TB3jjyWKu/dvOsqhff1/4Wc+FkOi0ClvgrXiklN28X" "TLjyjSyU794ntIoegXxrfwcwkhfPMvuqcnhfIC0Z8L71M4WR4SoHyNHVfBtNlUv" "VNROiXlMxtxnNQvfViSwz6LC8bYIxeAba3hSXPTChKu3qZtfR0o3jFwEWAfLQdg" "Ixler0jMEoAyJmfQIDAQAB"

That doesn't look quite right to me and I can imagine that exim gets lost with such an output. However, I am not 100% sure whether it's a normal DNS reply for such a long DNS record and exim should handle it, or if it's the way I set up bind that is wrong.

Any help on this would be appreciated.

Thanks.

Black
alxgomz

2 Answers


You are using commas to separate your key/value pairs in your record instead of semi-colons. Change it to:

a9d04665528b593d263a6e5256648c99._domainkey IN  1800 TXT (
         "k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2/ZfhxSI/A"
         "bqgh0amM8ylrlosirWeKShUhq7fg12aYmRwOqq9hIzO0Fcz1BzfgHVu6HU++rC5"
         "QoUK0JQK/nk4jwkDgvG2di2ZYmAvEbY/VeiK1x/TG0p1Iczr2k6Bj0gEAb/YGD2"
         "YbwrwAi4bDXwoPsYuuNn9TB3jjyWKu/dvOsqhff1/4Wc+FkOi0ClvgrXiklN28X"
         "TLjyjSyU794ntIoegXxrfwcwkhfPMvuqcnhfIC0Z8L71M4WR4SoHyNHVfBtNlUv"
         "VNROiXlMxtxnNQvfViSwz6LC8bYIxeAba3hSXPTChKu3qZtfR0o3jFwEWAfLQdg"
         "Ixler0jMEoAyJmfQIDAQAB")

Also, I'll note that in my particular zone file, I specifically declare the version as v=DKIM1 and I think you should too. On a side note, I do not wrap the record with ( ) because I just do it all as one long line:

record._domainkey IN 1800 TXT "v=DKIM1;blah" "blah2" "blah3"

It's a personal preference, and I realize now that yours is certainly much more readable.

Todd Lyons
    I am not sure how I missed that but that did the trick (even without version, but I added it as well) – alxgomz Feb 03 '14 at 19:08
  • 4
    I have bind9 and I noticed I cannot put more than 255 characters in a single string. But splitting it into multiple strings (on the same line) like in your example, each less than 256 characters long, then it works. – Jonas Berlin Jul 14 '16 at 08:51
  • 3
    Seems it is specified in [RFC1035](https://tools.ietf.org/html/rfc1035) section 3.3: "<character-string> is a single length octet followed by that number of characters. <character-string> is treated as binary information, and can be up to 256 characters in length (including the length octet)." – Jonas Berlin Jul 14 '16 at 08:57

In my case the DKIM key for google is very long. You should split it to next line after 250-255 characters like:

mail._domainkey    IN  TXT ( "v=DKIM1\; h=sha256\; k=rsa\; "     
     "p=MIIBIjANBgkqhki...."
     "cOasyifDEj0AqBEEG7XbGfP0..."
     "dM0FoPv4JsWByAgz/ywIDAQAB" )
Alp Altunel
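As an added worked example for this thread (not code from exim, bind, or any of the posters), the following Python script does what a DKIM verifier does with the record discussed above: it joins the quoted strings dig prints for one TXT RR, parses the tag=value pairs on ';', rejects the comma-separated form from the question with a syntax error, decodes the p= value to confirm it is a 2048-bit RSA SubjectPublicKeyInfo, and shows how to split a long record value into strings of at most 255 bytes for a zone file, as the last answer describes. The key material is the one posted in the question; the dig-style ANSWER lines and the helper names are constructed for this example.

```python
"""Check a DKIM public-key TXT record the way a verifier sees it (RFC 6376, s3.6.1).

Example code added to this thread; not exim's or bind's implementation.
"""
import base64
import re

# The 2048-bit RSA public key posted in the question, as seven <character-string>s.
KEY_STRINGS = [
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2/ZfhxSI/A",
    "bqgh0amM8ylrlosirWeKShUhq7fg12aYmRwOqq9hIzO0Fcz1BzfgHVu6HU++rC5",
    "QoUK0JQK/nk4jwkDgvG2di2ZYmAvEbY/VeiK1x/TG0p1Iczr2k6Bj0gEAb/YGD2",
    "YbwrwAi4bDXwoPsYuuNn9TB3jjyWKu/dvOsqhff1/4Wc+FkOi0ClvgrXiklN28X",
    "TLjyjSyU794ntIoegXxrfwcwkhfPMvuqcnhfIC0Z8L71M4WR4SoHyNHVfBtNlUv",
    "VNROiXlMxtxnNQvfViSwz6LC8bYIxeAba3hSXPTChKu3qZtfR0o3jFwEWAfLQdg",
    "Ixler0jMEoAyJmfQIDAQAB",
]
# Constructed dig-style rdata: the comma form from the question and the fixed form.
BROKEN = " ".join(['"k=rsa,p=%s"' % KEY_STRINGS[0]] + ['"%s"' % s for s in KEY_STRINGS[1:]])
FIXED = BROKEN.replace('"k=rsa,p=', '"v=DKIM1;k=rsa;p=')

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_strings(rdata):
    """Return the <character-string>s of one TXT RR as dig prints them."""
    return [m.group(1) for m in QUOTED.finditer(rdata)]


def parse_dkim_record(rdata):
    """Join the strings and parse ';'-separated tag=value pairs; ValueError on bad syntax."""
    text = "".join(txt_strings(rdata))  # a verifier concatenates all strings of the RR
    tags = {}
    for field in text.split(";"):
        if not field.strip():
            continue  # a trailing ';' is allowed
        if "=" not in field:
            raise ValueError("tag without '=': %r" % field)
        name, value = field.split("=", 1)
        name = name.strip()
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError("bad tag name %r" % name)
        if name in tags:
            raise ValueError("duplicate tag %r" % name)
        tags[name] = value.strip()
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        raise ValueError("v= must be DKIM1 and must be the first tag")
    if tags.get("k", "rsa") != "rsa":  # with commas, k= swallows the whole rest of the record
        raise ValueError("unsupported key type %r" % tags.get("k"))
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p_value):
    """Decode p= (base64 SubjectPublicKeyInfo) and return the RSA modulus size in bits."""
    der = base64.b64decode(re.sub(r"\s+", "", p_value), validate=True)
    tag, spki, _ = _der_tlv(der, 0)  # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, after_alg = _der_tlv(spki, 0)  # AlgorithmIdentifier (skipped)
    tag, bitstring, _ = _der_tlv(spki, after_alg)  # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_seq, _ = _der_tlv(bitstring[1:], 0)  # skip unused-bits octet; RSAPublicKey SEQUENCE
    _, modulus, _ = _der_tlv(rsa_seq, 0)  # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def check(rdata):
    """Return (True, key size) for a well-formed record or (False, reason) on syntax errors."""
    try:
        tags = parse_dkim_record(rdata)
        return True, "RSA %d-bit key" % rsa_key_bits(tags["p"])
    except ValueError as exc:
        return False, str(exc)


def zone_file_strings(record_text, max_len=255):
    """Split one TXT value into quoted <character-string>s of at most max_len bytes."""
    data = record_text.encode("ascii")
    return ['"%s"' % data[i:i + max_len].decode("ascii") for i in range(0, len(data), max_len)]


if __name__ == "__main__":
    for label, rdata in (("comma form", BROKEN), ("semicolon form", FIXED)):
        print(label, check(rdata))
    print("\n".join(zone_file_strings("v=DKIM1;k=rsa;p=" + "".join(KEY_STRINGS))))
```

Running it prints the comma form rejected with "unsupported key type" (the whole `rsa,p=...` value becomes the k= tag, which is why exim reports a syntax error rather than a bad key), the semicolon form accepted as a 2048-bit RSA key, and a two-string zone-file form in which the split point falls inside the base64 text, which is harmless because the verifier concatenates the strings before parsing.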