How do I enter a strong (long) DKIM key into DNS?
Solution 1
You need to split them in the text field. I believe that 2048 is the practical limit for key sizes. Split the text field into parts 255 characters or less. There is overhead for each split.
There are two formats for long fields.
TXT "part one" \
"part two"
TXT ( "part one"
"part two" )
Both of which will combine as "part onepart two". More details from Zytrax.
To generate my DKIM entry I insert my public key file and wrap it in quotation marks.
My public key file contains the following:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3
q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0
ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB
After editing the key in my dns zone file appears as follows:
dkim3._domainkey IN TXT ("v=DKIM1; t=s; p="
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3"
"q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0"
"ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB")
DNS returns it as follow:
bill:~$ host -t TXT dkim3._domainkey.systemajik.com
dkim3._domainkey.systemajik.com descriptive text "v=DKIM1\; t=s\; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3" "q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0" "ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB"
DNS treats it as one long string with no extra spaces where the lines are joined. All " " sequences are ignored.
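A worked version of the split-and-concatenate procedure from Solution 1, as an added example (it is not code from the answer or from any DNS tool): it builds the record text, cuts it into strings of at most 255 octets, renders the BIND multi-line form, computes the wire size of the RDATA (the figure that matters for the 512-byte UDP concern in the question), and rejoins and base64-decodes the key the way a verifier would, so a lost or duplicated character at a split point is caught. The sample key is the 1024-bit key shown in the answer above; the function names are my own.

```python
import base64

MAX_STRING = 255  # one TXT <character-string> carries at most 255 octets

# Sample key: the 1024-bit public key from the answer above, with the
# line breaks of the key file removed.
SAMPLE_P = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD78Ki2d0zmOlmjYNDC7eLG3af12KrjmPDeYRr3"
    "q9MGquKRkRFlY+Alq4vMxnp5pZ7lDaAXXwLYjN91YY7ARbCEpqapA9Asl854BCHMA7L+nvk9kgC0"
    "ovLlGvg+hhqIPqwLNI97VSRedE60eS+CwcShamHTMOXalq2pOUw7anuenQIDAQAB"
)

def dkim_record(pubkey_b64: str, flags: str = "") -> str:
    """Assemble the record text from its tags (v=, k=, optional t=, p=)."""
    tags = ["v=DKIM1", "k=rsa"] + ([f"t={flags}"] if flags else []) + [f"p={pubkey_b64}"]
    return "; ".join(tags)

def split_txt(record: str, width: int = MAX_STRING) -> list[str]:
    """Cut the record into strings of at most `width` octets. The split points
    are arbitrary: a DKIM verifier joins the strings with nothing in between."""
    data = record.encode("ascii")
    return [data[i:i + width].decode("ascii") for i in range(0, len(data), width)]

def zone_rr(name: str, chunks: list[str]) -> str:
    """Render the BIND multi-line form: name IN TXT ( "..." "..." )."""
    quoted = "\n    ".join(f'"{c}"' for c in chunks)
    return f"{name} IN TXT (\n    {quoted} )"

def rdata_size(chunks: list[str]) -> int:
    """Wire size of the TXT RDATA: one length octet plus the bytes of each
    string. Header, question and owner name come on top of this, so a large
    key pushes the reply past 512 octets and needs EDNS or TCP."""
    return sum(1 + len(c.encode("ascii")) for c in chunks)

def joined_public_key(chunks: list[str]) -> bytes:
    """Join the strings as a verifier does, pull out p= and base64-decode it.
    A character lost or duplicated at a split point makes the decode fail or
    yields DER that does not start with a SEQUENCE tag (0x30)."""
    record = "".join(chunks)
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    der = base64.b64decode(tags["p"], validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded p= is not a DER SubjectPublicKeyInfo")
    return der
```

With the default width this 1024-bit key stays in a single 239-octet string, which is the point janw raises in the comments; a 2048-bit key (p= alone is 392 characters) is what forces the split.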
Solution 2
If it's Amazon Route 53 then don't use newlines (only spaces) between chunks.
"do it" "this way"
"not like"
"this"
See https://serverfault.com/a/763871/80856
Solution 3
I know this post is ancient, but I found it today when querying "DKIM 2048 bit key with UltraDNS." My DNS team had attempted to split the key into two parts with quotes around them and a space between. That was causing UltraDNS to serve up 3 packets (the one in the center was empty) which caused inconsistent validation results.
What worked for me in the UltraDNS control panel was just to submit the entire record in quotes without multiple sets of quotes, delimiters, etc. Works as expected now.
Solution 4
It's not the prettiest script but it saves time and typos on my named/bind hosts.
#!/usr/bin/env bash
# Reformat a DKIM TXT record for a BIND zone file: keep only the line that
# holds the record, drop anything before "v=DKIM", wrap it at 76 characters,
# quote every line and wrap the whole list in parentheses.
pretty_dkim() {
    grep DKIM1 | sed 's/.*v=DKIM/v=DKIM/' | fold -s -w76 |
        sed 's/^/"/;s/$/"/;1 s/^/(/' | tac | sed '1 s/$/)/' | tac
}

if [ -t 0 ]; then
    # stdin is a terminal: read the record from the file named in $1
    pretty_dkim < "$1"
else
    # otherwise the record arrives on stdin (e.g. from a pipe)
    pretty_dkim
fi
And if no newlines are needed you could add an | tr '\n' ' '
Solution 5
If you use the poweradmin UI for pdns you can just enter the whole dkim string in the input field.
v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxtR3bw1Kbh1B7q4+5aWjTj2YEFwv230gcv+NMp4KouOSLdIr0mCMiwDZpY+7zCdks0zMXtz+F5TPij/NkSAxIKBbJqbIO3mvAhgeI0Vy5aQ5prwnIyXUj54po6AsXbv5Ud2tFbGSsdIhvWiC755d3WaFs8mdWFkpSxprlW6PobCzOWDayWGCvsNfHpjmTxHZinkd3TmLQqE/O6Nb1YnRwQwUCLioSyudV+5Bd2+rXZ2V9FYAOiK2aQi2aSTiUaLCVxft9H6xen3JDaKsuu43QMBrhydoJOCV2QaY82IxqE3GgZrlADu6YEOfotdwD2aA9GRwVB88GqdXL8HwgEGTbwIDAQAB;
Juanjo Daza
Updated on September 18, 2022
Comments
- Juanjo Daza (almost 2 years): I'm trying to enter a 4028 bit DKIM key into DNS and it seems that I'm exceeding both the UDP 512 byte limit and also the maximum record size for a TXT record. How does someone properly create a large key (with implied larger encoded size) and import it into DNS?
- HTTP500 (about 13 years): Have you carefully considered your key size? The RFC states: "Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys." So your long key may not get verified.
- Juanjo Daza (about 13 years): @JGurtz We are using "UltraDNS", it's a hosted service.
- Juanjo Daza (about 13 years): @Jason - We can do 2048, but I think that bit length may exceed the UDP packet limit.
- John Gardeniers (about 13 years): Perhaps you should consider that the problems you create through the use of an unusually long key far outweigh the advantages you hope to gain from it.
- Juanjo Daza (about 13 years): @John - I've already come to that conclusion; and this is becoming academic at this point. The solution may become useful to someone, perhaps in the future where 2048 keys are easily broken/brute forced.
- janw (almost 11 years): Can you give an example? For this I can't figure out how to make it clear what part 1 and part 2 is.... #threadnecro
- BillThor (almost 11 years): @janw I've added one of my keys as an example. This key is only 1024 bits.
- janw (almost 11 years): Tnx for the quick reply. But this key fits in a 255 key. So I still don't get how you split it into multiple keys.
- Phil (over 8 years): It is not DNS that ignores the " " sequences and you actually prove that in your last quote. It is SPF RFC 4408 section 3.1.3 which defines that concatenation should be used by applications reading the DNS records for SPF validation.
- Alnitak (about 7 years): To elaborate on what @Phil_1984_ said - whether the individual 255 character fields within a TXT record are directly concatenated or e.g. joined with spaces is application specific. As far as the DNS is concerned it's just data.
- BillThor (about 7 years): @Alnitak The applicable RFC for this case is tools.ietf.org/html/rfc6376#section-3.6. Strings are concatenated without spaces between them. SPF and other formats follow the same rules allowing breaks to be placed at arbitrary locations. This can be done for readability or to limit record size.
- Vadim (about 4 years): This also worked for me for DNS Made Easy.