
I'm trying to enter a 4028 bit DKIM key into DNS and it seems that I'm exceeding both the UDP 512 byte limit and also the maximum record size for a TXT record.

How does someone properly create a large key (with implied larger encoded size) and import it into DNS?

8 Answers


You need to split them in the text field. I believe that 2048 is the practical limit for key sizes. Split the text field into parts 255 characters or less. There is overhead for each split.

There are two formats for long fields.

TXT  "part one" \
     "part two"
TXT ( "part one"
      "part two" )

Both of which will combine as "part onepart two". More details from Zytrax.

To generate my DKIM entry I insert my public key file and wrap it in quotation marks.
My public key file contains the following:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3
q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0
ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB

After editing, the key in my DNS zone file appears as follows:

dkim3._domainkey        IN      TXT     ("v=DKIM1; t=s; p=" 
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3"
"q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0"
"ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB")

DNS returns it as follows:

 bill:~$ host -t TXT dkim3._domainkey.systemajik.com
 dkim3._domainkey.systemajik.com descriptive text "v=DKIM1\; t=s\; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3" "q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0" "ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB"

DNS treats it as one long string with no extra spaces where the lines are joined. All " " sequences are ignored.

BillThor
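As an added example (not part of the answer above), the splitting and re-joining described there, in Python: a record is cut into character-strings of at most 255 octets, rendered in the parenthesised BIND form, and joined back the way a resolver does. It uses the 1024-bit key from the answer; that key fits in one string, so a smaller chunk size is also shown, which is what a 2048-bit key (about 400 base64 characters) will hit with the default.

```python
"""Split a DKIM TXT record into DNS character-strings (<= 255 octets each)."""
from typing import List

# Public key from the answer above (base64 body of the PEM file).
PUBKEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3"
    "q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0"
    "ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB"
)

MAX_CHARACTER_STRING = 255  # limit per <character-string> in TXT RDATA (RFC 1035)


def split_dkim_record(pubkey_b64: str, prefix: str = "v=DKIM1; t=s; p=",
                      chunk: int = MAX_CHARACTER_STRING) -> List[str]:
    """Return the record as a list of strings, none longer than `chunk` octets.

    The first string carries the DKIM tags and the start of p=; the rest carry
    the remainder of the key. Concatenating the list gives the full record.
    """
    if not 0 < chunk <= MAX_CHARACTER_STRING:
        raise ValueError("chunk must be between 1 and 255")
    record = prefix + "".join(pubkey_b64.split())  # drop PEM line breaks
    if not record.isascii():
        raise ValueError("DKIM records are ASCII; octets must equal characters")
    return [record[i:i + chunk] for i in range(0, len(record), chunk)]


def zone_file_entry(name: str, parts: List[str]) -> str:
    """Render the parenthesised multi-string form a BIND zone file accepts."""
    quoted = " ".join('"%s"' % p for p in parts)
    return "%s\tIN\tTXT\t( %s )" % (name, quoted)


def join_txt_strings(parts: List[str]) -> str:
    """What a DKIM verifier does with the strings: concatenate with no separator."""
    return "".join(parts)


def rdata_size(parts: List[str]) -> int:
    """Wire size of the TXT RDATA: one length octet plus the bytes of each string."""
    return sum(1 + len(p.encode("ascii")) for p in parts)


if __name__ == "__main__":
    print(zone_file_entry("dkim3._domainkey", split_dkim_record(PUBKEY_B64, chunk=76)))
```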

If it's Amazon Route 53 then don't use newlines (only spaces) between chunks.

"do it" "this way"

"not like"
"this"

See https://serverfault.com/a/763871/80856

Messa

It's not the prettiest script, but it saves time and typos on my named/bind hosts.

#!/usr/bin/env bash
# Reformat a DKIM TXT record (e.g. the output of a DKIM key generator) into
# 76-column quoted strings wrapped in parentheses for a BIND zone file.
pretty_dkim() {
  grep DKIM1 | sed 's/.*v=DKIM/v=DKIM/' | fold -s -w76 \
    | sed 's/^/"/g;s/$/"/g;1 s/^/(/' | tac | sed '1 s/$/)/' | tac
}
# Read the file named in $1 when stdin is a terminal, otherwise read stdin.
if [ -t 0 ]; then
  pretty_dkim < "$1"
else
  pretty_dkim
fi

And if no newlines are needed, you could add `| tr '\n' ' '`.


If you use the poweradmin UI for pdns you can just enter the whole dkim string in the input field.

v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxtR3bw1Kbh1B7q4+5aWjTj2YEFwv230gcv+NMp4KouOSLdIr0mCMiwDZpY+7zCdks0zMXtz+F5TPij/NkSAxIKBbJqbIO3mvAhgeI0Vy5aQ5prwnIyXUj54po6AsXbv5Ud2tFbGSsdIhvWiC755d3WaFs8mdWFkpSxprlW6PobCzOWDayWGCvsNfHpjmTxHZinkd3TmLQqE/O6Nb1YnRwQwUCLioSyudV+5Bd2+rXZ2V9FYAOiK2aQi2aSTiUaLCVxft9H6xen3JDaKsuu43QMBrhydoJOCV2QaY82IxqE3GgZrlADu6YEOfotdwD2aA9GRwVB88GqdXL8HwgEGTbwIDAQAB;
user5994461

I know this post is ancient, but I found it today when querying "DKIM 2048 bit key with UltraDNS." My DNS team had attempted to split the key into two parts with quotes around them and a space between. That was causing UltraDNS to serve up 3 packets (the one in the center was empty) which caused inconsistent validation results.

What worked for me in the UltraDNS control panel was just to submit the entire record in quotes without multiple sets of quotes, delimiters, etc. Works as expected now.

0

For Windows DNS Server:

  • Don't use quotes
  • Split the string into multiple lines
  • Each line must not exceed 255 characters
  • Remember to leave a trailing space on each line (as they will concatenate directly adjacent to each other)

It's OK if the record is greater than the UDP 512-byte limit because DNS will use TCP.

This should be transparent to the user, but sometimes buggy firewall appliances (such as Cisco PIX/ASA) will filter/block these larger queries.

JGurtz

If you are using MySQL/MariaDB as your DNS backend (for example with PowerDNS), you could resize your content column.

The default PowerDNS content length is VARCHAR(255), so your DKIM signature will be trimmed to 255 characters.

To fix this, just change the content size via the MySQL CLI / MariaDB CLI:

mysql -u root -p

USE powerdns;
alter table records modify column content text not null;

Then restart your DNS service (e.g. PowerDNS):

service pdns restart