Today I installed and enabled DKIM feature on my CentOS 5.5 64-bit Server and it turns out that the DNS server won’t start now. Here is the error message that I get:
Failed to re-start service : Failed to start BIND : Starting named: Error in named configuration: dns_rdata_fromtext: /var/named/exampledomain.info.hosts:23: ran out of space zone {zone name}
I searched the internet and this forum to see if this issues has already been addressed by someone before, but I couldn’t find anything, so it’s possible that there is something wrong with my server.
The problem comes from the length of the txt record with public key in BIND. I tried to split these in multiple lines and solved the problem but when I have made a change on DKIM settings in Virtualmin, the splitted records were joined.
I don’t know where can I change the length of the new keys, but this would be the solution.
The problem is that virtualmin is using a 2048-bit strong rsa key, so the public key gets very long. This is just not necessary, a 1024-bit key is more than sufficient. Some servers are using even a 256-bit encription.
So the question is, where can be set to use a 1024-bit key. Is there a setting in some config file where this value can be modified, or is hard-coded inside virtualmin?
At this point the integrated DKIM is just unusable. Take care at every account creation of splitting the public key inside DNS record is not a solution.
It would be great if this small isue get solved, othervise we have to use DKIM set manually outside virtualmin.
The problem is that virtualmin is using a 2048-bit strong rsa key, so the public key gets very long. This is just not necessary, a 1024-bit key is more than sufficient. Some servers are using even a 256-bit encription.
So the question is, where can be set to use a 1024-bit key. Is there a setting in some config file where this value can be modified, or is hard-coded inside virtualmin?
At this point the integrated DKIM is just unusable. Take care at every account creation of splitting the public key inside DNS record is not a solution.
It would be great if this small isue get solved, othervise we have to use DKIM set manually outside virtualmin.
I asked Jamie to take a look at your comments… in the meantime, I’ll offer that it should be possible to have Virtualmin automatically generate the keys across multiple TXT records if that’s indeed the only issue going on (Jamie will be able to comment more on that).
You’re right that some servers use 256 and 512 bit keys, but that looks like it’s a bit too insecure.
This Cisco blog entry has a pretty good writeup on all that, including a distribution of DKIM key sizes used on the Net today:
You can adjust the size of the key Virtualmin generates at System Settings -> Virtualmin Configuration -> SSL settings -> Default SSL key size , although this applies to regular SSL certs too.
I will limit this to 1024 bits for DKIM in future…
Eric - are you sure it is possible to split a DKIM key across multiple TXT records?
are you sure it is possible to split a DKIM key across multiple TXT records?
Hmm, I’ve never tried any of this, but the best reference I have for how this might work is this text from an older copy of the opendkim installation guide:
If you wish to use a large key in DNS, there are some limitations of which
you should be aware. A TXT record in the DNS consists of a series of
strings each of which don't exceed 255 bytes. This is a result of the
fact that each string is preceded by a length byte (which, of course,
can't exceed 255). Furthermore, some DNS implementations don't allow
packets larger than 512 bytes. Some RSA keys will exceed the 255 byte
limit once encoded with base64, so some special formatting must be
used to make such a record fit. Failing to do so can cause an incomplete
record to be published or, worse, the nameserver to refuse to serve the
record or even the entire zone.
In the case of the BIND nameserver, there are two syntax rules one can use
to make a large record fit within these boundaries:
TXT substrings
Instead of a record like:
recname IN TXT “foobarbazblivitalphabravocharliedelta…zulu”
…one can also do:
recname IN TXT “foobar” “baz” “blivit” “alpha” … “zulu”
(The “…” is mean to indicate continuation and is not a literal set of
three “.” characters.)
You simply have to break up the large record into smaller strings such
that no string exceeds 255 bytes. DKIM implementations will
reassemble TXT records broken down this way into the full original
single string before processing them.
Line continuations
It can be difficult for some to edit very long lines of text.
It’s therefore desirable to have a mechanism to break very long
TXT records down so that they fit nicely within an editor window.
In BIND, this is done by enclosing the wrapped lines within
parentheses. Continuing with the example above, this:
recname IN TXT “foobar” “baz” “blivit” “alpha” … “zulu”
Thank you all for great responses, changing the SSL key size to 1024 does fix the DNS issue. However I’m still not seeing anything in e-mail headers that would indicate that the DKIM is working, is it maybe supposed to take some time for the DNS records to propagate?
You should see a DKIM-Signature: header added to all outgoing email … although you will need to check for this on the recipient’s system, as you won’t see it in your “sent mail” folder.
If it is not showing up, check your mail log file /var/log/maillog or /var/log/mail.log for messages from postfix or the dkim-filter about why the header couldn’t be added…
The DKIM-Signature: header is still not being added to outgoing email messages, even though the setting is enabled. I have checked my /var/log/maillog and there is nothing in there at all about headers or why they couldn’t be added. In fact words “header” or “headers” don’t even exist in that log file. Am I the only one with this problem?
I figured out what the problem is, I have these two lines in my /etc/postfix/header_checks file:
/^received: / IGNORE
/^X-Sender: / IGNORE
I need those to hide sender’s IP and host name. The reason why is because my dynamic IP on my T-Mobile phone changes very often, and most of the time I get an IP address that’s blacklisted in spamhaus databases and as a result I can’t send any e-mails from my phone because they all end up in spam folder. So I had to find a way to hide the IP address of the sender.
DKIM header is being added to outgoing e-mails when I remove those lines. I guess I’m going to have to choose between hiding my phones IP address and DKIM.
I just went through 2 days of testing on this issue and this is what I found…
First if you are using sendmail you must have this milter running last or the signature will break.
Second only a 1024 key will work anything higher will break bind and lower like 512 will not pass.
Now if you do want to use 2048, which I do recommend, the key has to be split on multi-lines something that VM is not doing currently. You will have to do this manually.
And the last thing I found is that if you force a new private key, when setting a new SSL key size, it doesn’t seem to write the new key out so you will need to delete /etc/dkim.key
Today I enabling DKIM within CentOS 5.5 i386; big mistake.
What a headache!
Everything that seems to work for the previous posts is not exactly working out for me because my Binder DNS is out and no response no matter what I try as previously mentioned above.
One thing is for sure after all these problems I may have a small fraction of experience with Virtualmin.
I am getting at boot; dns_master_load: syntax error; unknown 2010._domainkey although I previously changed to 1024 bits as well as deleting the /etc/dkim.key before trying again.
Yeah, there’s some issues with the DKIM implementation ATM… my suggestion might be to disable DKIM until the next Virtualmin version comes out (which I think will be this week!).
The next release should have those issues resolved
I found another problem with DKIM which may or may not be caused by DKIM its self. For some reason Joomla website is unable to send an e-mail created by Joomla’s contact form. The e-mail gets stuck in Postfix’s mail queue and it will just stay there until the DKIM is disabled.
