DKIM signatures exceeds the maximum string length allowed in DNS (254 chars)

Hi @stephdl

Not really a bug, more an improvement suggestion.

I discovered the hard way that it is mandatory to split the DKIM string in two parts because the entire DKIM signatures exceeds the maximum string length allowed in DNS (254 chars)

I suggest to implement this directly into the UI to guide the wanna be system admin like me :slight_smile:

The correct way is doing it like this : (notice the double quotes)

default._domainKey IN TXT "v=DKIM1; k=rsa; p=FAKEDKIMSTRINGqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1aWbHuwQ4DkyFHQyx/N+w6Ll6YujuPcXnxZPXfezfzfzefzeaAWRrilWv8R94QTxBc5eB12Nz1a/IfUBIS/U9U9Tlme4gBRqvRbaFe/YvsqxUTnG8e+nMk6aPWKuRQZmaulhSlUXH69pmKJMhkBUzGsPVDuGnfS/qi5LldCOpnz/el5H0Q7NynLDMU10MdEzd/j" "qzMHCWpPNK0KJafKh9PjEVfWDB54+gyye7JJeo+uYTEmHCeuMtW+QXOBmQ/80Twcm8JXahDK/Gufd2B7/LwArptXkBF9fxQ5rKDM9kZSw6KAf/vmLpQmlnH6dbqMqlNuD8z7GcMFRqOHYQK70bC6ewIDAQAB"



Yes I had the same idea too…

However the syntax depends on your DNS provider. For instance, on DigitalOcean they accept the entire string.

For those that still require a manual cut/paste, I found the cut -b command really useful!

For instance:

 echo longstring | cut -b 1-255
 echo longstring | cut -b 256-
1 Like

Ok. However I suppose that it wouldn’t hurt to separate the strings like I showed even on digital ocean.

It does not work

Oh :frowning:

That’s strange. That’s an RFC code of conduct :

1 Like

It seems to depend on the DNS implementation: the splitted syntax must be considered equivalent to a concatenated string

yes each dns provider imposes his default :frowning:

The TXT string max length is clearly limited to 255 chars as per the RFC 1035 :

Whatever, mentioning this in the UI wouldn’t hurt :slight_smile:

I think the RFC specs are not meaningful here, because the goal is conveying how to set up the DKIM DNS record in a generic DNS provider, something that is out of NethServer. We don’t know what are the requirements of the DNS provider user interface, we can only expect that in the end a DNS TXT record is configured.

I agree on this. We learned that there are two classes of providers:

  1. (Richly implemented) DNS providers that accept a value of arbitrary length and transform it to a RFC compliant DNS TXT record
  2. (Poorly implemented) DNS providers that expect the user to provide RFC compliant chunks of 255 octets at maximum

What we could do is providing the record values in both forms, to ease the cut/paste operations. The first form is provided by the current UI in a text area:



Add a text label under it with a text area where each line corresponds to a chunk of text of 255 chars max:

Alternative RDATA syntax with quoted chunks of 255 chars at max
|"v=DKIM1; .... nLDMU10MdEzd/j"                         | 
|"qzMHCWpPNK0KJafK ...  bC6ewIDAQAB"                    | 
|                                                       | 
  • Is “quoted” a good idea? Or is it better to print the chunk without quotes?
  • If we go with quotes, are round brackets needed too around before the first and after the last chunk?
1 Like

FWIW I agree.

Or add a text area for every 255chars chunk.
Not that smooth for design but quite clear for avoiding mistakes.
On the other side, whatever is being choosen as chunk surrounding char, should be clearly stated in box description.

1 Like

If we have to print the dkim key by another way, I would like to follow the raw format of the key you can find at /etc/opendkim/keys/default.txt

# cat /etc/opendkim/keys/default.txt	IN	TXT	( "v=DKIM1; k=rsa; "
	  "bis74HlMNWfwjhJmcz3z1zMnNKHsDSaQfLplDBi5c3gZFG8hJ7mBVA1fGZHD4SeDv5mSYQrBgFT5Hgij67eSmYtZ5GcMPyn7q3aobCDXHvWVTFQD1x5SNIJohYTBuPQ7SfRNs17QIDAQAB" )  ; ----- DKIM key for
1 Like

Do you have a shiny screenshot?


Thanks Steph, I believe this is exactly what we need.

In my case (OVH) I’m able to edit directly the DNS entries in raw format and this field would allow me to copy paste directly the DKIM entries.


As the procedures and syntaxes are mutually exclusive, I’d like to use an accordion

The jqueryui version in Nethgui is quite old: 1.8…

not exclusive but complementary, However I would like to create a key without the domain name as key selector. Unfortunately it will be good only for new keys

I speak too fast, my keys was pobably created at early stage, when I create a key manually the selector is as default in the default.txt

[root@prometheus ~]# cat default.txt 
default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "Va6ar+JWxL/ULCIKQtzspJTLUtZuCqu/eZyBSqHL2VchdbZfOITWHK1f4DPQZkPvbnRNDc0b1GxWbM0M1wtNO8KHi4A7Z/34+G0FN0ly8491mTJNswuDKeDuMJcl4qjoobn5y/UQIDAQAB" )  ; ----- DKIM key default for

how to integrate it in nethgui ?