On 2025-10-14, Jan Stary <[email protected]> wrote:
> Dear misc,
>
> I am setting up DKIM for this domain -
> the dkim signing itself seems to be working fine,
> but recipients still fail my dkim, because
>
>       dkim=fail reason="key not found in DNS"
>
> Indeed, my (updated) dns record does not contain the dkim TXT record,
> as nsd(8) refuses to load it (see the failing zone file below), saying
>
>       master/stare.cz:16: Invalid TXT in text
>
> The TXT content is exactly what is produced by the 'openssl rsa' command
> in the opensmtpd-filter-dkimsign pkg-readme.
>
> It *seems* that nsd refuses it as too long: when I trim the TXT record
> to exactly 256 bytes, nsd loads the zone file without complaint (but that's
> not the actual key of course); one byte more and it's an "invalid TXT".
>
> Naively grepping the nsd source, I see
>
>       /* Max single TXT rdata field length + '\x00' == 256 */
>
> in xfrd-catalog-zones.c but I can't be sure if that is it.
> Is the TXT record in nsd really limited to 256?

It is too long for any DNS server. Strings in TXT (and the deprecated
SPF) records are limited to 255 chars. What you can do is have multiple
strings. See https://kb.isc.org/docs/aa-00356 etc.

> Using the shorter ed25519 key instead (the other example in pkg-readme)
> works fine: a receiving MX says "dkim=pass header.d=stare.cz ..."

Support for ed25519 in DKIM across the net is still rather poor.
Realistically you still need to use RSA at least in addition to ed25519.

> Should the pkg-readme of opensmtpd-filter-dkimsign be reviewed?

feel free to send a diff

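An added example, not code from the thread, from nsd or from opensmtpd-filter-dkimsign: a small Python script that turns a DKIM public key into a zone-file TXT RR whose rdata is split into quoted strings of at most 255 octets, as the reply above recommends, and that checks the pieces join back into the original value the way a DKIM verifier concatenates them. The selector `mail`, the domain `example.net` and the key bytes are constructed placeholders; the "key" is only a byte blob of the same length as a real 2048-bit RSA SubjectPublicKeyInfo, so the output line is representative but not a usable key.

```python
"""Split a DKIM key record into <=255-octet TXT strings for a zone file.

Added example (not part of the mailing-list thread or of nsd/OpenSMTPD).
"""
import base64

# RFC 1035 section 3.3: each <character-string> in TXT rdata is at most 255 octets.
# A record longer than that must be published as several strings; resolvers and
# DKIM verifiers (RFC 6376 section 3.6.2.2) concatenate them without separators.
MAX_STRING = 255


def split_txt(data: str, limit: int = MAX_STRING) -> list[str]:
    """Split one logical TXT value into chunks that each fit a single <character-string>."""
    raw = data.encode("ascii")  # DKIM key records are ASCII (base64 plus tags)
    if not raw:
        raise ValueError("empty TXT value")
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def check_txt_strings(strings: list[str]) -> bool:
    """Raise if any string would be rejected by a zone parser for exceeding 255 octets."""
    for idx, s in enumerate(strings):
        n = len(s.encode("ascii"))
        if n > MAX_STRING:
            raise ValueError(f"string {idx} is {n} octets, limit is {MAX_STRING}")
    return True


def quote_txt_string(s: str) -> str:
    """Quote one string for zone-file syntax, escaping backslash and double quote."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_quoted_strings(rdata: str) -> list[str]:
    """Inverse of quote_txt_string over a whole rdata field: '"a" "b"' -> ['a', 'b']."""
    out, i, n = [], 0, len(rdata)
    while i < n:
        if rdata[i].isspace():
            i += 1
            continue
        if rdata[i] != '"':
            raise ValueError(f"expected '\"' at offset {i}")
        i += 1
        buf = []
        while i < n and rdata[i] != '"':
            if rdata[i] == "\\":
                i += 1
                if i >= n:
                    raise ValueError("dangling backslash")
            buf.append(rdata[i])
            i += 1
        if i >= n:
            raise ValueError("unterminated string")
        i += 1  # skip closing quote
        out.append("".join(buf))
    return out


def join_txt_strings(strings: list[str]) -> str:
    """What a DKIM verifier does with a multi-string TXT RR: plain concatenation."""
    return "".join(strings)


def dkim_txt_rr(selector: str, domain: str, pubkey_b64: str,
                keytype: str = "rsa", ttl: int = 3600) -> str:
    """Render the DKIM key RR as one zone-file line using as many quoted strings as needed."""
    value = f"v=DKIM1; k={keytype}; p={pubkey_b64}"
    strings = split_txt(value)
    check_txt_strings(strings)
    rdata = " ".join(quote_txt_string(s) for s in strings)
    return f"{selector}._domainkey.{domain}. {ttl} IN TXT {rdata}"


# Constructed placeholder (not a real key): a 2048-bit RSA SubjectPublicKeyInfo in DER is
# 294 bytes, which `openssl rsa -pubout` prints as 392 base64 characters. That alone
# already exceeds one 255-octet string, which is the failure in the thread.
FAKE_SPKI = bytes(range(256)) + bytes(range(38))
SAMPLE_PUBKEY_B64 = base64.b64encode(FAKE_SPKI).decode("ascii")

# An ed25519 DKIM key is 32 bytes, i.e. 44 base64 characters, so it fits in one string;
# that is why the ed25519 example from the pkg-readme loaded without complaint.
SAMPLE_ED25519_B64 = base64.b64encode(bytes(range(32))).decode("ascii")

if __name__ == "__main__":
    print(dkim_txt_rr("mail", "example.net", SAMPLE_PUBKEY_B64))
    print(dkim_txt_rr("ed", "example.net", SAMPLE_ED25519_B64, keytype="ed25519"))
```

The RSA line comes out with two quoted strings (255 and 155 octets); the ed25519 line needs only one. Pasting either into the zone and reloading nsd is the test that matters; the parser round trip in the script only confirms that the quoting survives what a zone-file tokenizer does to it.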