DKIM entries in NSD zone files

Various howtos about DKIM exist. After the creation of a public/private key pair for signing, some of them advise inserting a TXT RR of the following kind into the zone file of the affected mail domain:

selector._domainkey.example.com. 1800 IN TXT k=rsa; t=s; p=TjqHkmQL3WPN0eLuAVsAx

I tried this with the NSD DNS server. What I found the hard way:

  1. The semicolon (;) starts a comment in zone files. Typing the line above verbatim turns everything after k=rsa into a comment, so only k=rsa ends up in the record.

  2. Each character-string inside a TXT record has a maximum length of 255 characters (because its length field has only 8 bits), so even when the semicolons above are masked with backslashes, nsd (version 4.1.10) will refuse to load the zone file, but will not explain why the parser thinks it is erroneous.

To get the TXT entry in the zone, one has to

  1. surround the contents — beginning with k=rsa — with parens, and
  2. split them into chunks of at most 255 characters, and
  3. put these chunks into double-quotes, and
  4. separate these with spaces

The resulting line in the zone file for the example above would be

selector._domainkey.example.com. 1800 IN TXT ("k=rsa; t=s; p=TjqHkmQL3WPN0eLuAVsAkDLqRXocC73CAD4ADJsI5bjWn+mGcN1CXwfxtgvlk9XiGhpPDEbQCkeLtj"
    "Yatf4u8yXDjSB8+TyHN2ltcxZpU;")
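The four steps above as an added Python helper (not code from the original post): it splits a DKIM record into quoted chunks of at most 255 octets, wraps them in parentheses, and reads the strings back out to check the round trip. The p= value in the sample is constructed filler, not a real RSA public key.

```python
import re

MAX_CHUNK = 255  # one-byte length prefix per <character-string> in TXT RDATA


def split_txt(value: str, max_len: int = MAX_CHUNK) -> list[str]:
    """Cut the record into pieces of at most max_len octets (the limit is in bytes)."""
    data = value.encode("ascii")
    return [data[i:i + max_len].decode("ascii") for i in range(0, len(data), max_len)]


def quote_chunk(chunk: str) -> str:
    """Double-quote one chunk. Inside quotes the semicolon no longer starts a
    comment; only backslash and the quote character itself need escaping."""
    return '"' + chunk.replace("\\", "\\\\").replace('"', '\\"') + '"'


def dkim_txt_rr(owner: str, ttl: int, value: str) -> str:
    """Render a zone-file TXT RR; the parentheses let the chunks span several lines."""
    chunks = [quote_chunk(c) for c in split_txt(value)]
    if len(chunks) == 1:
        return f"{owner} {ttl} IN TXT {chunks[0]}"
    return f"{owner} {ttl} IN TXT (\n    " + "\n    ".join(chunks) + " )"


def txt_strings(rr_text: str) -> list[str]:
    """Read the quoted strings back out of a rendered RR (round-trip check)."""
    return [re.sub(r"\\(.)", r"\1", m.group(1))
            for m in re.finditer(r'"((?:[^"\\]|\\.)*)"', rr_text)]


# Constructed sample: 494 characters, so it must be split into two chunks.
SAMPLE_RECORD = "k=rsa; t=s; p=" + "MIIBIjANBgkq" * 40

if __name__ == "__main__":
    print(dkim_txt_rr("selector._domainkey.example.com.", 1800, SAMPLE_RECORD))
```

Concatenating the strings that txt_strings() returns must give back the original record; a resolver does the same when it reassembles the DKIM key.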

Mon, 06 Mar 2017