Solved
Is there a registrar that will allow 2048-bit DomainKeys/DKIM values in a domain TXT record?

Posted on 2014-03-05
Last Modified: 2014-03-07
Hi friends. Can you help me out, please?
 
I host many domain registrations with HostMySite.com. I need to update the DomainKeys/DKIM TXT record values for all of my domains, from 1024-bit values to 2048-bit values (as required by Google and Comcast later in year 2014).

My email server software is SmarterMail 12 -- and it is easy to set a 2048 DomainKeys/DNS key value for a domain in SmarterMail.
 
However, when I log in to my registrar account at HostMySite.com and edit any of my domains and try to enter the new 2048-bit value in the TXT field, the value is rejected. The error message says that the input cannot exceed 254 characters.

That's a big problem. If I cannot enter 2048-bit values in a TXT field in my registrar's interface, then eventually, in year 2014, Google and Comcast might stop processing email for my domains.
 
I have asked HostMySite in the past to fix this problem by allowing more characters in the TXT records for domains. So far they have simply said -- sorry, no can do.
 
Since I am responsible for email hosting for about fifty email domains and 150 email accounts, I consider this a fairly urgent matter.

Assuming HostMySite.com will not or cannot fix this problem, what should I do? While I do not relish the time and expense required to move 100+ domains to a new registrar, it looks like I might have to do exactly that at some point.

I am very grateful for your advice. =)

Eric
Question by:Eric Bourland
2 Comments
Accepted Solution

by: Richard Amiss
ID: 39911665
Hello,

There is no need for you to move to another DNS service, in fact you will likely find the same issue since most DNS servers only allow entries of 255 bytes.

The solution is to "split" the DKIM key into 2 or more entries.  Every DNS server is a bit different on how to implement this but most of them will split the entry automatically if you surround each part with parentheses.

Here is the documentation from OpenDKIM at http://www.opendkim.org/opendkim-README

If you wish to use a large key in DNS, there are some limitations of which
you should be aware.  A TXT record in the DNS consists of a series of
strings each of which don't exceed 255 bytes.  This is a result of the
fact that each string is preceded by a length byte (which, of course,
can't exceed 255).  Furthermore, some DNS implementations don't allow
packets larger than 512 bytes.  Some RSA keys will exceed the 255 byte
limit once encoded with base64, so some special formatting must be
used to make such a record fit.  Failing to do so can cause an incomplete
record to be published or, worse, the nameserver to refuse to serve the
record or even the entire zone.

In the case of the BIND nameserver, there are two syntax rules one can use
to make a large record fit within these boundaries:

1) TXT substrings

      Instead of a record like:

      recname      IN      TXT      "foobarbazblivitalphabravocharliedelta...zulu"

      ...one can also do:

      recname      IN      TXT      "foobar" "baz" "blivit" "alpha" ... "zulu"

      (The "..." is meant to indicate continuation and is not a literal set of
      three "." characters.)

      You simply have to break up the large record into smaller strings such
      that no string exceeds 255 bytes.  DKIM implementations will
      reassemble TXT records broken down this way into the full original
      single string before processing them.

2) Line continuations

      It can be difficult for some to edit very long lines of text.
      It's therefore desirable to have a mechanism to break very long
      TXT records down so that they fit nicely within an editor window.
      In BIND, this is done by enclosing the wrapped lines within
      parentheses.  Continuing with the example above, this:

      recname      IN      TXT      "foobar" "baz" "blivit" "alpha" ... "zulu"

      ...can also be expressed as:

      recname      IN      TXT      ( "foobar" "baz" "blivit" "alpha"
                          "bravo" "charlie" "delta" "echo"
                          ...
                          "yankee" "zulu" )

So using these two techniques, a very large public key could be encoded
in a DNS zone file as follows:

recname      IN      TXT      ( "v=DKIM1; g=*; k=rsa; "
                     "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Z4F"
                     "JEMHjJDuBmt25zvYFVejlARZGt1L8f0s1+rLxIPYkfCogQi+Y8"
                     "oLEg9vvEKnLx9aogZzuNt6j4Sty3LgXxaIwHnMqk0LldbA/mh3"
                     "wLZb16Wc6btXHON0o3uDipxqGK2iRLTvcgAnNDegseOS+i0aJE"
                     "nNSl663ywRBp/QKezhUC7cnbqR/H8dz8pEOjeawNN3nexdHGsk"
                     "+RaafYvCFvU+70CQORcsk+mxb74SwGT2CGHWxVywQA9yrV+sYk"
                     "JpxaufZLo6xp0Z7RZmbf1eGlCAdhkEy+KYQpQkw2Cdl7iKIK4+"
                     "17gr+XZOrfFLJ5IwpVK/a19m3BLxADf0Kh3oZwIDAQAB" )
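A small helper, added here as an illustration and not code from this thread, OpenDKIM, SmarterMail or HostMySite, that turns a DKIM record value into the multi-string BIND entry the answer describes and shows that concatenating the pieces gives back the original value, which is what a DKIM verifier does. The 294-byte key blob is a constructed placeholder sized like a 2048-bit RSA SubjectPublicKeyInfo, not a real key, and names such as split_txt and bind_record are my own.

```python
import base64

# Illustration for this thread: not OpenDKIM, SmarterMail or HostMySite code.
# The key material below is a constructed stand-in, not a real RSA public key.

MAX_STRING = 255  # each TXT character-string is preceded by one length byte

# Constructed 294-byte blob, the DER size of a 2048-bit RSA SubjectPublicKeyInfo;
# base64 turns it into 392 characters, well over one 255-byte string.
FAKE_SPKI = bytes(i % 256 for i in range(294))
FAKE_P = base64.b64encode(FAKE_SPKI).decode("ascii")


def dkim_txt_value(p_b64: str, key_type: str = "rsa") -> str:
    """Full single-string DKIM record value (RFC 6376 tag=value list)."""
    return f"v=DKIM1; k={key_type}; p={p_b64}"


def split_txt(value: str, limit: int = MAX_STRING) -> list[str]:
    """Cut a long TXT value into character-strings of at most `limit` bytes."""
    data = value.encode("ascii")  # DKIM records are ASCII, so bytes == chars
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def join_txt(strings: list[str]) -> str:
    """What a DKIM verifier does with a multi-string TXT RR: concatenate as-is."""
    return "".join(strings)


def check_strings(strings: list[str], limit: int = MAX_STRING) -> bool:
    """True only if every string fits the wire-format length-byte limit."""
    return all(len(s.encode("ascii")) <= limit for s in strings)


def bind_record(owner: str, value: str, limit: int = MAX_STRING) -> str:
    """Render the value as a BIND zone entry using parentheses continuation."""
    parts = [f'"{s}"' for s in split_txt(value, limit)]
    body = ("\n" + " " * 8).join(parts)
    return f"{owner} IN TXT ( {body} )"


if __name__ == "__main__":
    full = dkim_txt_value(FAKE_P)
    print(bind_record("selector1._domainkey", full))
    print("all strings within limit:", check_strings(split_txt(full)))
    print("reassembles to original:", join_txt(split_txt(full)) == full)
```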

Author Closing Comment

by:Eric Bourland
ID: 39913134
ramiss,

Very helpful! And it is much like other advice I have gotten on this matter.

I really appreciate your help.

Eric