Solved

Is there a registrar that will allow 2048-bit DomainKeys/DKIM values in a domain TXT record?

Posted on 2014-03-05
Last Modified: 2014-03-07
Hi friends. Can you help me out, please?
 
I host many domain registrations with HostMySite.com. I need to update the DomainKeys/DKIM TXT record values for all of my domains, from 1024-bit values to 2048-bit values (as required by Google and Comcast later in year 2014).

My email server software is SmarterMail 12 -- and it is easy to set a 2048 DomainKeys/DNS key value for a domain in SmarterMail.
 
However, when I log in to my registrar account at HostMySite.com and edit any of my domains and try to enter the new 2048-bit value in the TXT field, the value is rejected. The error message says that the input cannot exceed 254 characters.

That's a big problem. If I cannot enter 2048-bit values in a TXT field in my registrar's interface, then eventually, in year 2014, Google and Comcast might stop processing email for my domains.
 
I have asked HostMySite in the past to fix this problem by allowing more characters in the TXT records for domains. So far they have simply said -- sorry, no can do.
 
Since I am responsible for email hosting for about fifty email domains and 150 email accounts, I consider this a fairly urgent matter.

Assuming HostMySite.com will not or cannot fix this problem, what should I do? While I do not relish the time and expense required to move 100+ domains to a new registrar, it looks like I might have to do exactly that at some point.

I am very grateful for your advice. =)

Eric
Question by: Eric Bourland
2 Comments
 
Accepted Solution

by: ramiss (earned 500 total points)
ID: 39911665
Hello,

There is no need for you to move to another DNS service, in fact you will likely find the same issue since most DNS servers only allow entries of 255 bytes.

The solution is to "split" the DKIM key into 2 or more entries.  Every DNS server is a bit different on how to implement this but most of them will split the entry automatically if you surround each part with parentheses.

Here is the documentation from OpenDKIM at http://www.opendkim.org/opendkim-README

If you wish to use a large key in DNS, there are some limitations of which
you should be aware.  A TXT record in the DNS consists of a series of
strings each of which don't exceed 255 bytes.  This is a result of the
fact that each string is preceded by a length byte (which, of course,
can't exceed 255).  Furthermore, some DNS implementations don't allow
packets larger than 512 bytes.  Some RSA keys will exceed the 255 byte
limit once encoded with base64, so some special formatting must be
used to make such a record fit.  Failing to do so can cause an incomplete
record to be published or, worse, the nameserver to refuse to serve the
record or even the entire zone.

In the case of the BIND nameserver, there are two syntax rules one can use
to make a large record fit within these boundaries:

1) TXT substrings

      Instead of a record like:

      recname      IN      TXT      "foobarbazblivitalphabravocharliedelta...zulu"

      ...one can also do:

      recname      IN      TXT      "foobar" "baz" "blivit" "alpha" ... "zulu"

      (The "..." is meant to indicate continuation and is not a literal set of
      three "." characters.)

      You simply have to break up the large record into smaller strings such
      that no string exceeds 255 bytes.  DKIM implementations will
      reassemble TXT records broken down this way into the full original
      single string before processing them.

2) Line continuations

      It can be difficult for some to edit very long lines of text.
      It's therefore desirable to have a mechanism to break very long
      TXT records down so that they fit nicely within an editor window.
      In BIND, this is done by enclosing the wrapped lines within
      parentheses.  Continuing with the example above, this:

      recname      IN      TXT      "foobar" "baz" "blivit" "alpha" ... "zulu"

      ...can also be expressed as:

      recname      IN      TXT      ( "foobar" "baz" "blivit" "alpha"
                          "bravo" "charlie" "delta" "echo"
                          ...
                          "yankee" "zulu" )

So using these two techniques, a very large public key could be encoded
in a DNS zone file as follows:

recname      IN      TXT      ( "v=DKIM1; g=*; k=rsa; "
                     "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Z4F"
                     "JEMHjJDuBmt25zvYFVejlARZGt1L8f0s1+rLxIPYkfCogQi+Y8"
                     "oLEg9vvEKnLx9aogZzuNt6j4Sty3LgXxaIwHnMqk0LldbA/mh3"
                     "wLZb16Wc6btXHON0o3uDipxqGK2iRLTvcgAnNDegseOS+i0aJE"
                     "nNSl663ywRBp/QKezhUC7cnbqR/H8dz8pEOjeawNN3nexdHGsk"
                     "+RaafYvCFvU+70CQORcsk+mxb74SwGT2CGHWxVywQA9yrV+sYk"
                     "JpxaufZLo6xp0Z7RZmbf1eGlCAdhkEy+KYQpQkw2Cdl7iKIK4+"
                     "17gr+XZOrfFLJ5IwpVK/a19m3BLxADf0Kh3oZwIDAQAB" )
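As an added worked example (not part of the original thread or of the OpenDKIM README quoted above), the Python script below does both halves of what the accepted answer describes: it builds a "v=DKIM1; k=rsa; p=..." value for a 2048-bit key, splits it into quoted substrings of at most 255 bytes, renders the parenthesised BIND zone record, and then does what a verifier does with the published record, concatenating the substrings, parsing the tag list and confirming that the p= key decodes to an intact 2048-bit RSA SubjectPublicKeyInfo. The selector name selector1._domainkey is assumed, and the modulus is constructed for the demonstration only (it is exactly 2048 bits but is not a real RSA key); the DER helpers are hand-written here so the example runs with the standard library alone.

```python
import base64
import re

# RFC 1035: every <character-string> in a TXT RDATA carries a one-byte length
# prefix, so no single quoted string may exceed 255 bytes.
MAX_TXT_STRING = 255

# Minimal DER helpers, just enough for an RSA SubjectPublicKeyInfo.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                      # keep the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)

def der_read(buf, pos):
    # Return (tag, content, next_pos) for the TLV at buf[pos]; raise on overrun.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER truncated")
    return tag, buf[pos:pos + length], pos + length

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

def rsa_spki_der(n, e):
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    rsa_pub = der_tlv(0x30, der_integer(n) + der_integer(e))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(spki_der):
    _, spki, _ = der_read(spki_der, 0)
    _, _alg, pos = der_read(spki, 0)
    tag, bitstr, _ = der_read(spki, pos)
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rsa_pub, _ = der_read(bitstr, 1)
    tag, modulus, _ = der_read(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(modulus, "big").bit_length()

# Publishing side: build the record value and split it into <=255-byte strings.
def dkim_record_value(spki_der):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")

def split_txt_strings(value, limit=MAX_TXT_STRING):
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def bind_zone_record(owner, value):
    # BIND form from the answer: parentheses, one quoted substring per line.
    # The value is tags plus base64, so nothing inside needs quoting or escaping.
    parts = split_txt_strings(value)
    lines = [f'{owner}\tIN\tTXT\t( "{parts[0]}"'] + [f'\t\t\t"{p}"' for p in parts[1:]]
    lines[-1] += " )"
    return "\n".join(lines)

# Verifying side: what a DKIM verifier does with the published record.
def reassemble_txt(record_text):
    # Concatenate the quoted substrings before parsing the tag list.
    return "".join(re.findall(r'"([^"]*)"', record_text))

def check_published_record(record_text, expected_bits=2048):
    # Return (ok, reason): strings within limit, tags present, key intact and 2048-bit.
    strings = re.findall(r'"([^"]*)"', record_text)
    if any(len(s.encode("ascii")) > MAX_TXT_STRING for s in strings):
        return False, "a TXT string exceeds 255 bytes"
    tags = {}
    for item in reassemble_txt(record_text).split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            tags[key] = val.strip()
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return False, "missing v=DKIM1 or p= tag"
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except ValueError as exc:                # binascii.Error is a ValueError too
        return False, f"key does not parse: {exc}"
    if bits != expected_bits:
        return False, f"modulus is {bits} bits, expected {expected_bits}"
    return True, f"{len(strings)} string(s), {bits}-bit RSA key"

# Constructed 2048-bit modulus for the demo only: the top bit is set so it is exactly
# 2048 bits, but it is NOT a product of two primes and cannot sign anything.
DEMO_MODULUS = (1 << 2047) | int.from_bytes(bytes(range(256)), "big") | 1
DEMO_SPKI = rsa_spki_der(DEMO_MODULUS, 65537)
DEMO_VALUE = dkim_record_value(DEMO_SPKI)               # 410 characters, so two strings
DEMO_RECORD = bind_zone_record("selector1._domainkey", DEMO_VALUE)
# What a 254-character registrar field would publish if it silently truncated the value:
TRUNCATED_RECORD = f'selector1._domainkey\tIN\tTXT\t"{DEMO_VALUE[:254]}"'

if __name__ == "__main__":
    print(DEMO_RECORD)
    print(check_published_record(DEMO_RECORD))       # (True, '2 string(s), 2048-bit RSA key')
    print(check_published_record(TRUNCATED_RECORD))  # (False, 'key does not parse: DER truncated')
```

The check is the part worth keeping after the migration: once the record is live, query it with dig TXT selector._domainkey.example.com and run the answer text through check_published_record; a key that was cut at the registrar's field limit, or a single string over 255 bytes that the nameserver refuses to load, shows up as a parse failure rather than as silently failing signatures at Google or Comcast.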
 
Author Closing Comment

by: Eric Bourland
ID: 39913134
ramiss,

very helpful! And it is much like other advice I have gotten on this matter.

I really appreciate your help.

Eric
