Score:0

How to correctly split a DKIM txt dns entry?

gcb

Many questions here on splitting DKIM TXT records, but my DNS provider only allows 255 chars for each key. No fancy way to enter multiple values like the other platforms mentioned in all the other questions.

I went ahead and entered multiple TXT entries with the same name:

entry    type   value
[z._domainkey] [TXT] [v=DKIM1;k=rsa;...]
[z._domainkey] [TXT] [...restofkey]

which does show up in my queries, but sometimes out of order:

$ drill txt z._domainkey.example.com.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7181
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; z._domainkey.example.com.       IN      TXT

;; ANSWER SECTION:
z._domainkey.example.com.  1796    IN      TXT     "v=DKIM1;k=rsa;"
z._domainkey.example.com.  1796    IN      TXT     "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh957KTmtf+f1GCrdVKydz2x0NDs1Cx/g/AYIlx2QcyOpXzd3DNC8saykKjfwYEIGq47UdnLQdJztINPu5QsphwSnpQiGqV28EltNp1poNNeUwSno7vrUTQI44vkD7OosCh+yLVD5AWCqxOr0l4C6kp2UuXvEc6zANPQrbOuVABm"
z._domainkey.example.com.  1796    IN      TXT     "Gf2nLFvcR4iswFC3JpLOdZr259BelASlU2WApIeDK/a8Qo096WzpFCeFtamIxZFkeHdCSmrS7zrtDrxxvXzYhXIFharkWeY5cXKzZ7vUGR14Zie9gzNzoz5NoibngkBH6dw5C70lU5ynVwx+/U+TCEKOZu1X9K/ZC5/1NrsW83QIDAQAB"

(I already tried splitting right in the middle, in 64-byte lines like base64 usually is, using online splitter tools, into two, 3 and 4 pieces. All give the same end result.)

All validators (including the one from my MX handler) say that it is invalid.

Is there anything else I have to do to split the values? Do I have to repeat the p= part or something else? How do DNS clients know the order in which to concatenate the multiple TXT entries? Why do validation tools that give the split values also fail to validate them when split? e.g. https://www.mailhardener.com/tools/dns-record-splitter

All validators just show one record that has the v=DKIM1;k=rsa;p=... part as an invalid DKIM record, and the one that is just the continuation of the key as an entirely different record that is not even a valid DKIM record.

For example https://dkimcore.org/c/keycheck says

* v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0... (This might be a valid DKIM record)
* r259BelASlU2WApIeDK/a8Qo096WzpFCeFtam... (This doesn't look like a DKIM record)
Score:3

The DNS protocol level requirement is quite simple really; usually questions circle around various UI choices (as is the case here, I believe).

The value (RData if you will) of a TXT record in DNS consists of an array of character-string values. Each individual character-string can be 0-255 characters long.

A DKIM entry in DNS needs to be a single TXT record, and DKIM defines that if that TXT record has multiple string values these will be concatenated together before use by the DKIM-aware software.

From the DKIM RFC:

Strings in a TXT RR MUST be concatenated together before use with no intervening whitespace. TXT RRs MUST be unique for a particular selector name; that is, if there are multiple records in an RRset, the results are undefined.

I.e., if you have a long DKIM value, it makes no difference how you cut it up as long as each piece is no longer than 255 characters. However, all the pieces need to be in one single TXT record.

As for your specific situation, in the standardized master file format your example would be:

z._domainkey.example.com.  1796    IN      TXT     "v=DKIM1;k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh957KTmtf+f1GCrdVKydz2x0NDs1Cx/g/AYIlx2QcyOpXzd3DNC8saykKjfwYEIGq47UdnLQdJztINPu5QsphwSnpQiGqV28EltNp1poNNeUwSno7vrUTQI44vkD7OosCh+yLVD5AWCqxOr0l4C6kp2UuXvEc6zANPQrbOuVABm" "Gf2nLFvcR4iswFC3JpLOdZr259BelASlU2WApIeDK/a8Qo096WzpFCeFtamIxZFkeHdCSmrS7zrtDrxxvXzYhXIFharkWeY5cXKzZ7vUGR14Zie9gzNzoz5NoibngkBH6dw5C70lU5ynVwx+/U+TCEKOZu1X9K/ZC5/1NrsW83QIDAQAB"

(Note how it is one single record with multiple string values)

If the software/service you are using does not accept data input matching the master file format, it's most likely simply a matter of figuring out the specific format they expect (manual? support?), or possibly even some limited TXT support specific to that software/service.
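As an added worked example (not the answer author's code), the following Python builds the single TXT RR described above: it cuts a long DKIM value into character-strings of at most 255 bytes, renders the master-file form with several quoted strings, encodes the RDATA the way it travels on the wire, and joins it back the way a DKIM verifier does. The key material is a constructed placeholder, not a real DKIM key.

```python
# Added example, not from the original answer: one TXT RR for a long DKIM
# value as an array of <=255-byte character-strings (RFC 1035), encoded to
# wire RDATA and joined back with no intervening whitespace (RFC 6376).
MAX_CHARSTRING = 255  # RFC 1035 limit for one <character-string>

def split_txt_value(value: str, limit: int = MAX_CHARSTRING) -> list[str]:
    """Cut a long TXT value into pieces of at most `limit` bytes; for DKIM
    the cut position is irrelevant, only the concatenation matters."""
    data = value.encode("ascii")
    if not data:
        return [""]
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]

def to_master_file(owner: str, ttl: int, value: str) -> str:
    """Render ONE TXT RR in master-file syntax with several quoted strings."""
    quoted = " ".join('"%s"' % s.replace('"', '\\"') for s in split_txt_value(value))
    return f"{owner} {ttl} IN TXT {quoted}"

def encode_txt_rdata(strings: list[str]) -> bytes:
    """Wire-format TXT RDATA: each character-string is <length byte><bytes>."""
    out = bytearray()
    for s in strings:
        b = s.encode("ascii")
        if len(b) > MAX_CHARSTRING:
            raise ValueError("character-string longer than 255 bytes")
        out.append(len(b))
        out += b
    return bytes(out)

def decode_txt_rdata(rdata: bytes) -> list[str]:
    """Parse wire-format TXT RDATA back into its character-strings."""
    strings, pos = [], 0
    while pos < len(rdata):
        n = rdata[pos]
        chunk = rdata[pos + 1:pos + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated character-string")
        strings.append(chunk.decode("ascii"))
        pos += 1 + n
    return strings

def dkim_value_from_rdata(rdata: bytes) -> str:
    """What a DKIM verifier does with the single TXT RR: join, no whitespace."""
    return "".join(decode_txt_rdata(rdata))

# Constructed sample: DKIM-shaped record with a fake 400-character key.
SAMPLE_KEY = ("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" * 13)[:400]
SAMPLE_VALUE = "v=DKIM1;k=rsa;p=" + SAMPLE_KEY
```

Two separate TXT records with the same owner name, as in the question, would instead produce two RRsets members whose order is not guaranteed, which is exactly the undefined case the RFC quote refers to.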

Nikita Kipriyanov
As an addition, in the case of BIND zone syntax, to split a long line you can put the whole record inside parentheses. SOA is usually written this way, but nothing forbids writing a long multi-part TXT record the same way.
gcb
Awesome, thank you! So I'm in a pickle. Some country TLDs provide a small list of registrars, and those only offer a precarious web UI to manage those TXT records with a simple textarea limited to 255 chars. I've opened support tickets with them, but I guess I will have to shop around for better registrars if I want DKIM et al. (rant)...why do people decide to use DNS for this if they already knew they would need hacks?! sigh... wish the world moved forward instead of backward some days.(/rant)