Dear misc,

I am setting up DKIM for this domain -
the dkim signing itself seems to be working fine,
but recipients still fail my dkim, because

  dkim=fail reason="key not found in DNS"

Indeed, my (updated) dns record does not contain the dkim TXT record,
as nsd(8) refuses to load it (see the failing zone file below), saying

  master/stare.cz:16: Invalid TXT in text

The TXT content is exactly what is produced by the 'openssl rsa' command
in the opensmtpd-filter-dkimsign pkg-readme.

It *seems* that nsd refuses it as too long: when I trim the TXT record
to exactly 256 bytes, nsd loads the zone file without complaint (but that's
not the actual key of course); one byte more and it's an "invalid TXT".

Naively grepping the nsd source, I see

  /* Max single TXT rdata field length + '\x00' == 256 */

in xfrd-catalog-zones.c but I can't be sure if that is it.
Is the TXT record in nsd really limited to 256?

Using the shorter ed25519 key instead (the other example in pkg-readme)
works fine: a receiving MX says "dkim=pass header.d=stare.cz ..."

Should the pkg-readme of opensmtpd-filter-dkimsign be reviewed?

Thank you

Jan

stare.cz. IN SOA uvt.stare.cz. hostmaster.stare.cz. (
        2025101404 ; serial
        3600 ; slaves refresh after 4 hours
        1800 ; and retry after 1 hour if fail
        604800 ; slave's data expire after 1 week
        3600 ; ttl to tell clients
        )
@ IN NS uvt.stare.cz.
@ IN NS c.free.ns.buddyns.com.
@ IN NS d.free.ns.buddyns.com.
@ IN MX 10 uvt.stare.cz.
stare.cz. IN TXT "v=spf1 ip4:185.63.96.79 -all"
; master/stare.cz:16: Invalid TXT in text
;all._domainkey.stare.cz. IN TXT "v=DKIM1;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4RRShoJ1IgZS19YSJ32PQTUI4Upw8RgyPvzBTF2skGqnUufT6pUEVBEpsi7N/NVlsZvPXD5suXUBrDxdqdi+PWjOHIylILTw0+RqPwjL+HlmVEzs4jOu1sW5iLRH3EsXWz8wVnW3lU2Qbep6s+gQF42EIBKxy/GTJtsftF+l1vH+82sKy5lpItPNG8TN8X/TRwkVfdP5zqxxz1AD2MnqSLWd273uDALkjxYTAYfpwYnwJgeKV54HlUAajgGidBAW7VQPtaF7WPCLdbqflO+Goa1ulrPivVSszg6qQxw1NfI3IlXdbYF3yYImFl1bVlDFjoX1KzVUOh9g3va4hpps7wIDAQAB"
; master/stare.cz:16: Invalid TXT in text
;all._domainkey.stare.cz. IN TXT "v=DKIM1;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4RRShoJ1IgZS19YSJ32PQTUI4Upw8RgyPvzBTF2skGqnUufT6pUEVBEpsi7N/NVlsZvPXD5suXUBrDxdqdi+PWjOHIylILTw0+RqPwjL+HlmVEzs4jOu1sW5iLRH3EsXWz8wVnW3lU2Qbep6s+gQF42EIBKxy/GTJtsftF+l1vH+82sKy5lpItPNG8TN8X/TRwkVfdP5z"
; one byte less: OK (except that is not the actual key)
;all._domainkey.stare.cz. IN TXT "v=DKIM1;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4RRShoJ1IgZS19YSJ32PQTUI4Upw8RgyPvzBTF2skGqnUufT6pUEVBEpsi7N/NVlsZvPXD5suXUBrDxdqdi+PWjOHIylILTw0+RqPwjL+HlmVEzs4jOu1sW5iLRH3EsXWz8wVnW3lU2Qbep6s+gQF42EIBKxy/GTJtsftF+l1vH+82sKy5lpItPNG8TN8X/TRwkVfdP5"
mx IN A 185.63.96.79
www IN A 185.63.96.79
uvt IN A 185.63.96.79
@ IN A 185.63.96.79
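
Added example (not part of the original message, and not taken from nsd or the opensmtpd-filter-dkimsign pkg-readme): a single character-string in TXT rdata carries a one-octet length and so holds at most 255 bytes (RFC 1035), while one TXT record may hold several strings, which DKIM verifiers concatenate (RFC 6376, section 3.6.2.2). The sh functions below split a long value into such strings and measure the longest quoted string in zone text; the function names, the example.org owner name and the placeholder key are constructed for illustration.

```shell
#!/bin/sh
# A TXT <character-string> holds at most 255 bytes; a record may hold several.
MAX=255

# txt_record OWNER VALUE
# Print a zone-file TXT record with VALUE split into quoted strings of at
# most $MAX bytes each. Assumes VALUE contains no '"' or '\' (true for DKIM
# tags and base64 data), so no escaping is needed.
txt_record() {
    printf '%s IN TXT (\n' "$1"
    printf '%s\n' "$2" | fold -b -w "$MAX" | while IFS= read -r chunk; do
        printf '\t"%s"\n' "$chunk"
    done
    printf '\t)\n'
}

# longest_string < ZONE_TEXT
# Print the length of the longest quoted string (ASCII zone data assumed).
# A result above 255 means that string cannot be encoded as one
# character-string.
longest_string() {
    grep -o '"[^"]*"' |
        awk '{ n = length($0) - 2; if (n > max) max = n } END { print max + 0 }'
}

# rejoin < RECORD
# Concatenate the quoted strings with nothing in between, which is how a
# DKIM verifier reassembles the key record.
rejoin() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# Constructed sample: 392 'A' characters stand in for a base64-encoded
# 2048-bit RSA public key (same length, not a real key).
sample="v=DKIM1; p=$(awk 'BEGIN { for (i = 0; i < 392; i++) printf "A" }')"
txt_record selector._domainkey.example.org. "$sample"
```

Running `longest_string < master/yourzone` before reloading the zone shows whether any quoted string still exceeds 255 bytes.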