How do I enter a strong (long) DKIM key into DNS?

Solution 1

You need to split them in the text field. I believe that 2048 is the practical limit for key sizes. Split the text field into parts 255 characters or less. There is overhead for each split.

There are two formats for long fields.

TXT  "part one" \
     "part two"
TXT ( "part one"
      "part two" )

Both will combine as "part onepart two". More details from Zytrax.

To generate my DKIM entry I insert my public key file and wrap it in quotation marks.
My public key file contains the following:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3
q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0
ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB

After editing, the key in my DNS zone file appears as follows:

dkim3._domainkey        IN      TXT     ("v=DKIM1; t=s; p=" 
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3"
"q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0"
"ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB")

DNS returns it as follows:

 bill:~$ host -t TXT dkim3._domainkey.systemajik.com
 dkim3._domainkey.systemajik.com descriptive text "v=DKIM1\; t=s\; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3" "q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0" "ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB"

DNS treats it as one long string with no extra spaces where the lines are joined. All " " sequences are ignored.

Solution 2

If it's Amazon Route 53 then don't use newlines (only spaces) between chunks.

"do it" "this way"

"not like"
"this"

See https://serverfault.com/a/763871/80856

Solution 3

I know this post is ancient, but I found it today when querying "DKIM 2048 bit key with UltraDNS." My DNS team had attempted to split the key into two parts with quotes around them and a space between. That was causing UltraDNS to serve up 3 packets (the one in the center was empty) which caused inconsistent validation results.

What worked for me in the UltraDNS control panel was just to submit the entire record in quotes without multiple sets of quotes, delimiters, etc. Works as expected now.

Solution 4

It's not the prettiest script, but it saves time and typos on my named/bind hosts.

#!/usr/bin/env bash
# Take a DKIM key record (e.g. opendkim-genkey output), keep the line carrying the
# v=DKIM1 tags, drop anything before "v=DKIM", re-wrap at 76 columns, quote every
# line and wrap the whole block in parentheses for a named/bind zone file.
pretty_dkim() {
  grep DKIM1 | sed 's/.*v=DKIM/v=DKIM/' | fold -s -w76 \
    | sed 's/^/"/;s/$/"/;1 s/^/(/;$ s/$/)/'
}
if [ -t 0 ]; then
  # stdin is a terminal: read the key file named on the command line
  pretty_dkim < "$1"
else
  # otherwise filter whatever is piped in
  pretty_dkim
fi

And if no newlines are needed you could add a | tr '\n' ' '
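
Added example (not code from any of the answers above): a Python equivalent of the manual split in Solution 1 and the fold/sed script in Solution 4, plus the verifier-side reassembly that RFC 6376 section 3.6 prescribes and the RDATA size the question's UDP 512-byte worry is about. The function names are this example's own; the only input is the 1024-bit key from Solution 1.

```python
# Added example (not from any of the answers above): does what Solution 1 shows by
# hand and Solution 4 does with fold/sed, then applies the verifier-side
# concatenation rule of RFC 6376 section 3.6. All function names are this example's own.

# Constructed input: the 1024-bit public key from Solution 1, as one base64 string.
SAMPLE_P = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3"
    "q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0"
    "ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB"
)
MAX_CHARACTER_STRING = 255  # RFC 1035: a TXT <character-string> holds at most 255 octets
DKIM_PREFIX = "v=DKIM1; k=rsa; p="


def split_txt(value, width=MAX_CHARACTER_STRING):
    """Cut a TXT value into character-strings of at most `width` characters."""
    if not 0 < width <= MAX_CHARACTER_STRING:
        raise ValueError("width must be between 1 and 255")
    return [value[i:i + width] for i in range(0, len(value), width)]


def zone_record(selector, pubkey_b64, width=76):
    """Render a BIND-style multi-line TXT record like the one in Solution 1."""
    chunks = split_txt(DKIM_PREFIX + pubkey_b64, width)
    body = "\n".join('    "%s"' % c for c in chunks)
    return "%s._domainkey IN TXT (\n%s )" % (selector, body)


def route53_value(pubkey_b64):
    """Same data on one line: space-separated quoted chunks, as Solution 2 asks for."""
    return " ".join('"%s"' % c for c in split_txt(DKIM_PREFIX + pubkey_b64))


def join_txt(chunks):
    """Reassemble as a DKIM verifier does (RFC 6376 3.6): concatenate, no separators."""
    return "".join(chunks)


def parse_dkim_tags(record):
    """Parse 'tag=value; tag=value' into a dict, dropping folding whitespace in values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def rdata_length(chunks):
    """Wire size of the TXT RDATA: one length octet per character-string plus its bytes."""
    return sum(1 + len(c.encode()) for c in chunks)
```

A 2048-bit RSA public key encodes to 392 base64 characters, so its p= value never fits in a single 255-octet character-string and must be split this way regardless of the zone-file syntax used.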

Solution 5

If you use the poweradmin UI for pdns you can just enter the whole DKIM string in the input field.

v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxtR3bw1Kbh1B7q4+5aWjTj2YEFwv230gcv+NMp4KouOSLdIr0mCMiwDZpY+7zCdks0zMXtz+F5TPij/NkSAxIKBbJqbIO3mvAhgeI0Vy5aQ5prwnIyXUj54po6AsXbv5Ud2tFbGSsdIhvWiC755d3WaFs8mdWFkpSxprlW6PobCzOWDayWGCvsNfHpjmTxHZinkd3TmLQqE/O6Nb1YnRwQwUCLioSyudV+5Bd2+rXZ2V9FYAOiK2aQi2aSTiUaLCVxft9H6xen3JDaKsuu43QMBrhydoJOCV2QaY82IxqE3GgZrlADu6YEOfotdwD2aA9GRwVB88GqdXL8HwgEGTbwIDAQAB;

Author: Juanjo Daza

Updated on September 18, 2022

Comments

  • Juanjo Daza (almost 2 years):

    I'm trying to enter a 4028 bit DKIM key into DNS and it seems that I'm exceeding both the UDP 512 byte limit and also the maximum record size for a TXT record.

    How does someone properly create a large key (with implied larger encoded size) and import it into DNS?

    • HTTP500 (about 13 years):
      Have you carefully considered your key size? The RFC states: "Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys." So your long key may not get verified.
    • Juanjo Daza (about 13 years):
      @JGurtz We are using "UltraDNS"; it's a hosted service.
    • Juanjo Daza (about 13 years):
      @Jason - We can do 2048, but I think that bit length may exceed the UDP packet limit.
    • John Gardeniers (about 13 years):
      Perhaps you should consider that the problems you create through the use of an unusually long key far outweigh the advantages you hope to gain from it.
    • Juanjo Daza (about 13 years):
      @John - I've already come to that conclusion; and this is becoming academic at this point. The solution may become useful to someone, perhaps in the future where 2048 keys are easily broken/brute forced.
  • janw (almost 11 years):
    Can you give an example? For this I can't figure out how to make it clear what part 1 and part 2 is.... #threadnecro
  • BillThor (almost 11 years):
    @janw I've added one of my keys as an example. This key is only 1024 bits.
  • janw (almost 11 years):
    Thanks for the quick reply. But this key fits in a 255 key. So I still don't get how you split it into multiple keys.
  • Phil (over 8 years):
    It is not DNS that ignores the " " sequences and you actually prove that in your last quote. It is SPF RFC 4408 section 3.1.3 which defines that concatenation should be used by applications reading the DNS records for SPF validation.
  • Alnitak (about 7 years):
    To elaborate on what @Phil_1984_ said - whether the individual 255 character fields within a TXT record are directly concatenated or e.g. joined with spaces is application specific. As far as the DNS is concerned it's just data.
  • BillThor (about 7 years):
    @Alnitak The applicable RFC for this case is tools.ietf.org/html/rfc6376#section-3.6. Strings are concatenated without spaces between them. SPF and other formats follow the same rules allowing breaks to be placed at arbitrary locations. This can be done for readability or to limit record size.
  • Vadim (about 4 years):
    This also worked for me for DNS Made Easy.