DKIM signature exceeds the maximum string length allowed in DNS (254 chars)

dkim
mail

(Matthieu Gaillet) #1

Hi @stephdl

Not really a bug, more an improvement suggestion.

I discovered the hard way that it is mandatory to split the DKIM string in two parts, because the entire DKIM signature exceeds the maximum string length allowed in DNS (254 chars).

I suggest implementing this directly in the UI to guide wannabe system admins like me :slight_smile:

The correct way is to do it like this (notice the double quotes):

default._domainKey IN TXT "v=DKIM1; k=rsa; p=FAKEDKIMSTRINGqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1aWbHuwQ4DkyFHQyx/N+w6Ll6YujuPcXnxZPXfezfzfzefzeaAWRrilWv8R94QTxBc5eB12Nz1a/IfUBIS/U9U9Tlme4gBRqvRbaFe/YvsqxUTnG8e+nMk6aPWKuRQZmaulhSlUXH69pmKJMhkBUzGsPVDuGnfS/qi5LldCOpnz/el5H0Q7NynLDMU10MdEzd/j" "qzMHCWpPNK0KJafKh9PjEVfWDB54+gyye7JJeo+uYTEmHCeuMtW+QXOBmQ/80Twcm8JXahDK/Gufd2B7/LwArptXkBF9fxQ5rKDM9kZSw6KAf/vmLpQmlnH6dbqMqlNuD8z7GcMFRqOHYQK70bC6ewIDAQAB"

Cheers

Matthieu


(Davide Principi) #2

Yes I had the same idea too…

However the syntax depends on your DNS provider. For instance, on DigitalOcean they accept the entire string.

For those that still require a manual cut/paste, I found the cut -b command really useful!

For instance:

 echo longstring | cut -b 1-255
 echo longstring | cut -b 256-

(Matthieu Gaillet) #3

Ok. However, I suppose that it wouldn’t hurt to separate the strings like I showed even on DigitalOcean.


(Davide Principi) #4

It does not work


(Matthieu Gaillet) #5

Oh :frowning:


(Matthieu Gaillet) #6

That’s strange. That’s an RFC code of conduct: https://tools.ietf.org/html/rfc4408#section-3.1.3


(Davide Principi) #7

It seems to depend on the DNS implementation: the split syntax must be considered equivalent to a concatenated string.


(Stéphane de Labrusse) #8

Yes, each DNS provider imposes its own default :frowning:


(Matthieu Gaillet) #9

The TXT string max length is clearly limited to 255 chars as per RFC 1035:
https://tools.ietf.org/html/rfc1035#section-2.3.4

Whatever, mentioning this in the UI wouldn’t hurt :slight_smile:


(Davide Principi) #10

I think the RFC specs are not meaningful here, because the goal is conveying how to set up the DKIM DNS record in a generic DNS provider, something that is outside NethServer. We don’t know what the requirements of the DNS provider’s user interface are; we can only expect that in the end a DNS TXT record is configured.

I agree on this. We learned that there are two classes of providers:

  1. (Richly implemented) DNS providers that accept a value of arbitrary length and transform it to a RFC compliant DNS TXT record
  2. (Poorly implemented) DNS providers that expect the user to provide RFC compliant chunks of 255 octets at maximum

What we could do is provide the record values in both forms, to ease the cut/paste operations. The first form is provided by the current UI in a text area:

image

Proposal

Add a text label under it with a text area where each line corresponds to a chunk of text of 255 chars max:

Alternative RDATA syntax with quoted chunks of 255 chars at max
+-------------------------------------------------------+
|"v=DKIM1; .... nLDMU10MdEzd/j"                         | 
|"qzMHCWpPNK0KJafK ...  bC6ewIDAQAB"                    | 
|                                                       | 
+-------------------------------------------------------+
  • Is “quoted” a good idea? Or is it better to print the chunks without quotes?
  • If we go with quotes, are round brackets needed too, before the first and after the last chunk?
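
As an added example (not code from this thread, from NethServer or from opendkim), the following Python script does what the proposal above describes, and generalises the `cut -b 1-255` / `cut -b 256-` split to any number of chunks: it builds the unchunked record value for the first class of provider, splits it into RFC 1035 <character-string> chunks of at most 255 octets for the second class, renders the parenthesised zone-file syntax, and encodes the chunks to wire-format TXT RDATA and back to show that the split form and the concatenated form are the same record. The owner name `default._domainkey` and the base64 blob are assumptions for illustration; the blob is a constructed placeholder, not a real key.

```python
"""Added example (not NethServer or opendkim code): build a DKIM TXT record,
split it into RFC 1035 <character-string> chunks of at most 255 octets, render
zone-file syntax and show that chunked and unchunked RDATA decode identically."""

from typing import Dict, List

MAX_CHARSTRING = 255  # RFC 1035 s3.3: one length octet precedes each string, so 255 is the ceiling
OWNER = "default._domainkey"  # assumed selector label, as in opendkim's default.txt


def build_dkim_record(pubkey_b64: str, key_type: str = "rsa") -> str:
    """The unchunked value that a provider accepting arbitrary length takes as-is."""
    return f"v=DKIM1; k={key_type}; p={pubkey_b64}"


def split_txt_value(value: str, max_len: int = MAX_CHARSTRING) -> List[str]:
    """Cut the value into byte chunks (like `cut -b`), none longer than max_len.

    Resolvers and DKIM verifiers join the chunks with no separator, so none is
    added here; a stray space would corrupt the base64 of the p= tag.
    """
    if not 1 <= max_len <= MAX_CHARSTRING:
        raise ValueError("chunk size must be 1..255 octets")
    data = value.encode("ascii")  # DKIM records are ASCII, so bytes == chars here
    return [data[i:i + max_len].decode("ascii") for i in range(0, len(data), max_len)]


def quote_chunk(chunk: str) -> str:
    """Master-file quoting: escape backslash and double quote inside the string."""
    return '"' + chunk.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_zone_record(owner: str, chunks: List[str]) -> str:
    """Render the record in zone-file syntax; parentheses let the RDATA span lines."""
    if len(chunks) == 1:
        return f"{owner}\tIN\tTXT\t{quote_chunk(chunks[0])}"
    lines = [f"{owner}\tIN\tTXT\t( {quote_chunk(chunks[0])}"]
    lines += ["\t  " + quote_chunk(c) for c in chunks[1:-1]]
    lines.append("\t  " + quote_chunk(chunks[-1]) + " )")
    return "\n".join(lines)


def to_wire_rdata(chunks: List[str]) -> bytes:
    """TXT RDATA as sent on the wire: one length octet, then the octets, per chunk."""
    out = bytearray()
    for chunk in chunks:
        raw = chunk.encode("ascii")
        if len(raw) > MAX_CHARSTRING:
            raise ValueError("a <character-string> cannot exceed 255 octets")
        out.append(len(raw))
        out += raw
    return bytes(out)


def from_wire_rdata(rdata: bytes) -> str:
    """Decode RDATA and concatenate the strings, as a DKIM verifier does (RFC 6376 s3.6.2.2)."""
    parts, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated <character-string>")
        parts.append(rdata[i:i + n].decode("ascii"))
        i += n
    return "".join(parts)


def parse_dkim_tags(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; '=' inside base64 padding is kept."""
    tags: Dict[str, str] = {}
    for field in record.split(";"):
        if "=" in field:
            key, val = field.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


# Constructed sample: a fake base64 blob, NOT a real key, sized to need three chunks.
SAMPLE_P = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 500


def demo() -> Dict[str, object]:
    """Produce both forms of the record and check they decode to the same value."""
    record = build_dkim_record(SAMPLE_P)
    chunks = split_txt_value(record)
    wire = to_wire_rdata(chunks)
    rejoined = from_wire_rdata(wire)
    return {
        "record": record,
        "chunks": chunks,
        "zone": to_zone_record(OWNER, chunks),
        "wire_len": len(wire),
        "roundtrip_ok": rejoined == record and parse_dkim_tags(rejoined)["p"] == SAMPLE_P,
    }


if __name__ == "__main__":
    result = demo()
    print("chunk lengths:", [len(c) for c in result["chunks"]])
    print(result["zone"])
    print("round trip ok:", result["roundtrip_ok"])
```

Whatever form the provider's UI takes, the check after publishing is the same: `dig +short TXT default._domainkey.<your domain>` prints each <character-string> quoted, and a verifier concatenates them; if the joined value does not parse back to the same `p=` tag, the record was cut with a separator or a chunk was lost in the paste.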

(Michael Kicks) #11

FWIW I agree.

Or add a text area for every 255-char chunk.
Not that smooth for design, but quite clear for avoiding mistakes.
On the other side, whatever is chosen as the chunk-surrounding character should be clearly stated in the box description.


(Stéphane de Labrusse) #12

If we have to print the DKIM key in another way, I would like to follow the raw format of the key you can find at /etc/opendkim/keys/default.txt

# cat /etc/opendkim/keys/default.txt 
de-labrusse.fr._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnDHXY9axEEi2mNiPJarErUkCdnuCIo3pLidherVt+6z6NHrB/Fwc2BWwK97qH9APzbo4cBhm/wtbXAiRnNlcTBMkG4P4lm09a/dR6spVsJ72QMrr+V5M04sLQ+76Ru4K6Pj4iyHJmBlAvORS3v4tpoZgXipi4o9qmbPvcT7JzXucICZ6q5gSKuyQRrKlZKL55TR7GWTCJ6VVLh"
	  "bis74HlMNWfwjhJmcz3z1zMnNKHsDSaQfLplDBi5c3gZFG8hJ7mBVA1fGZHD4SeDv5mSYQrBgFT5Hgij67eSmYtZ5GcMPyn7q3aobCDXHvWVTFQD1x5SNIJohYTBuPQ7SfRNs17QIDAQAB" )  ; ----- DKIM key de-labrusse.fr for de-labrusse.fr

(Stéphane de Labrusse) #13

(Davide Principi) #14

Do you have a shiny screenshot?


(Stéphane de Labrusse) #15


(Matthieu Gaillet) #16

Thanks Steph, I believe this is exactly what we need.

In my case (OVH) I’m able to edit directly the DNS entries in raw format and this field would allow me to copy paste directly the DKIM entries.

–> THANKS !


(Davide Principi) #17

As the procedures and syntaxes are mutually exclusive, I’d like to use an accordion

https://api.jqueryui.com/1.8/accordion/#entry-examples

The jqueryui version in Nethgui is quite old: 1.8…


(Stéphane de Labrusse) #18

Not exclusive but complementary. However, I would like to create a key without the domain name as key selector. Unfortunately it will be good only for new keys.


(Stéphane de Labrusse) #19

I spoke too fast; my keys were probably created at an early stage. When I create a key manually, the selector is default in default.txt:

[root@prometheus ~]# cat default.txt 
default._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv7unYCLWAIr6C8aefZYWtL921A9+mZwaapHZtDFF1B/pKS9qX6PWghruzd8SPTxS7X3rGsABYb6Vf8ZoaoE2iH+7yr2Ta2NxrBdJTjCqFizqeSh2MdzPNB120PlKLUHpdkVKLK8PFNZwAM1X4PMMovRlQy05xgmoZg1zpzqnFTh2yt4MK95DOSK2JIiix2Mt/BDS7BwpaMr+OV"
	  "Va6ar+JWxL/ULCIKQtzspJTLUtZuCqu/eZyBSqHL2VchdbZfOITWHK1f4DPQZkPvbnRNDc0b1GxWbM0M1wtNO8KHi4A7Z/34+G0FN0ly8491mTJNswuDKeDuMJcl4qjoobn5y/UQIDAQAB" )  ; ----- DKIM key default for de-labrusse.fr

(Stéphane de Labrusse) #20

How to integrate it in Nethgui?