Sam Trenholme's webpage

MaraDNS and DKIM

 

July 16 2021

I discuss a very technical issue for users of my MaraDNS server: How to have DKIM records in MaraDNS.

==MaraDNS and DKIM: How it is done==

DKIM is a format used to store e-mail authentication data via DNS.

I have now used DKIM keys with MaraDNS. Even with the 512-byte limit of classic DNS packets, MaraDNS can store a 2048-bit RSA DKIM key.

A DKIM record is a long “multi chunk” TXT record; DKIM records are stored in a special _domainkey.example.com record (in my case, x._domainkey.samiam.org). As per RFC6376 section 3.6.2.2, “Strings in a TXT RR MUST be concatenated together before use with no intervening whitespace”. The MaraDNS man page on TXT records points out that a single TXT “chunk” can only be up to 255 bytes in length, but we need more than 255 bytes to store a 2048-bit RSA key (6 bits per character, so we need 342 characters to store just the key), plus a little more overhead to store the other bits in our DKIM record. However, it doesn’t matter where we split the chunks, as long as each individual chunk is under 256 bytes in size.

Here is a real-world DKIM key stored in my MaraDNS zone file:

x._domainkey.% +600 TXT 'v=DKIM1; k=rsa; '\
'p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg'\
'KCAQEAuhKjx2Aepa3rllxUEZLgF3x'\
'68SWvZ8pEgnjZvxtqp94Vkra3AUC4C8dRLKf5SvT'\
'xFtIl6pF27jn+M/w2MzYwPFjBgqVf'\
'p2lf7xuKsrus63m0T9Sq958nIt1yuUlLDr71bFs7'\
'ZuZyQid0ciCc2JF5lwHno10cAvuNJ';'y1Q'\
'tFJa+lRJI6/kzY20Hi/ZTzFzctqgqaRZnSoJlTZHf'\
'Oy0uwfmF5ejkJ8xvHbEJp6TEc'\
'30DwsqrjVWSFLnUWYBv7lrAPB9sAHN7fCayhEuORn'\
'Ap+YUhjjMPWyPla1pvTS9h/LTE7g'\
'2d+jR/zOkRpV2Ak/4KpeP9dpsRJEOsPEaWGG1pQXgPw'\
'IDAQAB'

The man page describes this record. The backslashes are used so that a single line is not over 80 columns in width; in the line which begins 'ZuZyQi (about halfway down), one can see this near the end: NJ';'y1Q'\. The ';' bit tells MaraDNS to split the TXT record into a separate chunk at this point in the record.

As we can see, MaraDNS can store and distribute 2048-bit RSA keys using the DKIM format.
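The chunking rules above can be scripted. The following is an added example, not code from MaraDNS or from this page's author: it turns a DKIM record into a zone-file line in the style shown above and reads the line back to confirm that every chunk fits in 255 bytes and that the chunks concatenate to the original text. The function names are hypothetical, the syntax handling is inferred only from the record shown on this page (quoted pieces, `\` line continuation, `;` between chunks), and the key material is constructed filler.

```python
import base64
import re

MAX_CHUNK = 255  # one TXT chunk holds at most 255 bytes

def split_chunks(data: bytes, limit: int = MAX_CHUNK) -> list:
    """Cut the record into chunks; where the cuts fall does not matter."""
    return [data[i:i + limit] for i in range(0, len(data), limit)]

def to_maradns(name: str, ttl: int, record: str, width: int = 36) -> str:
    """Render a zone-file TXT line in the style shown on the page."""
    data = record.encode("ascii")
    if b"'" in data or b"\\" in data:
        raise ValueError("quotes and backslashes are outside this sketch")
    lines = []
    for n, chunk in enumerate(split_chunks(data)):
        text = chunk.decode("ascii")
        pieces = ["'%s'" % text[i:i + width] for i in range(0, len(text), width)]
        if n:  # ';' starts a new chunk on the same line as the previous piece
            lines[-1] += ";" + pieces.pop(0)
        lines += pieces
    return "%s +%d TXT %s\n" % (name, ttl, "\\\n".join(lines))

def chunks_from_maradns(zone_text: str) -> list:
    """Read the line back: adjacent quoted pieces join, ';' splits chunks."""
    rdata = re.sub(r"\\[ \t]*\n", "", zone_text).split(" TXT ", 1)[1]
    chunks = [b""]
    for quoted, sep in re.findall(r"'([^']*)'|(;)", rdata):
        if sep:
            chunks.append(b"")
        else:
            chunks[-1] += quoted.encode("ascii")
    return chunks

# Constructed sample: 294 filler bytes, the size of a DER-encoded 2048-bit
# RSA public key, base64-encoded to 392 characters. Not a usable key.
SAMPLE = "v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(range(256)) + bytes(38)).decode()

if __name__ == "__main__":
    zone = to_maradns("x._domainkey.%", 600, SAMPLE)
    print(zone, end="")
    got = chunks_from_maradns(zone)
    print([len(c) for c in got], b"".join(got).decode() == SAMPLE)
```

After loading a record like this, querying the TXT record from the running server and comparing the concatenated strings against the original DKIM text confirms that the server parsed the chunks as intended.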
