
DKIM TXT Records in DNS exceeding 255 characters

Wow. It’s 2009, and apparently DNS can only support reading configuration file lines which are not greater than 255 characters. I received the following error in my system log when I was setting up DKIM entries:

Mar  5 15:23:44 web4 named[66731]: dns_rdata_fromtext: domain.dns:16: ran out of space

Problem is, the entire domain is then borked. That is, if domain.dns contains all of the DNS records for example.com, this error makes the domain not found at all. Whoops.

# host example.com ns3.marketruler.com
Using domain server:
Name: ns3.marketruler.com
Address: 76.12.128.152#53
Aliases:

Host example.com not found: 3(NXDOMAIN)

Doh. Turns out the syntax for including multi-line TXT records in named.conf is slightly obscure, but thanks to the folks at SFR Fresh, which hosts an open-source DKIM Milter, the syntax isn’t that difficult to master. In short, you include the text record by breaking it into smaller quoted strings and enclosing the whole thing in parentheses.

For example:

example.com IN TXT "a really long string as an example"

Becomes

example.com IN TXT ( "a really long str"
"ing as an example" )

You get the idea.

Apparently DNS can support TXT records up to 65535 characters, but I’d say that, except for DKIM records, it’s rare to need this much data in a DNS record.
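To make the splitting mechanical rather than done by hand, here is an added example (my own code, not from the original post or from the DKIM Milter project) that renders a long DKIM value as a zone-file TXT record in the parenthesised multi-string form shown above, keeping every quoted string at or under 255 characters, and reports the resulting RDATA wire size. The sample key value is a constructed placeholder, not a real DKIM key.

```python
from typing import List, Optional

MAX_STRING = 255  # a single character-string inside TXT RDATA may hold at most 255 octets

# Constructed sample DKIM value (placeholder key material, NOT a real key).
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 300


def zone_escape(s: str) -> str:
    """Escape characters that are special inside a quoted zone-file string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def split_txt(value: str, max_len: int = MAX_STRING) -> List[str]:
    """Split the raw (unescaped) value into chunks of at most max_len characters.

    Splitting happens before escaping so the limit applies to the decoded
    octets the server stores, not to the escaped zone-file text."""
    value.encode("ascii")  # DKIM TXT data is ASCII; fail early on anything else
    return [value[i:i + max_len] for i in range(0, len(value), max_len)] or [""]


def txt_record(name: str, value: str, ttl: Optional[int] = None) -> str:
    """Render a zone-file TXT record, using the ( ... ) multi-line form
    whenever the value needs more than one quoted string."""
    chunks = ['"%s"' % zone_escape(c) for c in split_txt(value)]
    ttl_field = "%d " % ttl if ttl is not None else ""
    if len(chunks) == 1:
        return "%s %sIN TXT %s" % (name, ttl_field, chunks[0])
    body = "\n".join("        " + c for c in chunks)
    return "%s %sIN TXT (\n%s )" % (name, ttl_field, body)


def rdata_wire_length(value: str) -> int:
    """Wire size of the TXT RDATA: one length octet per string plus its bytes."""
    return sum(1 + len(c) for c in split_txt(value))


if __name__ == "__main__":
    print(txt_record("mail._domainkey.example.com.", SAMPLE_DKIM, 3600))
    print("RDATA bytes:", rdata_wire_length(SAMPLE_DKIM))
```

The wire length is worth checking against the 512-byte UDP budget raised in the comments, since the record's RDATA is only part of the full response message.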


4 Comments

  1. Vatsan wrote:

    Why didn't I think of that solution! Thanks a lot!

    Monday, December 21, 2009 at 12:29 pm
  2. matt grosso wrote:

    I found the solution to this same issue was using PEM format and openssl rather than ssh-keygen and -t dsa. E.g.:

    openssl genrsa -out mattgrosso.com.key 1024

    openssl rsa -in mattgrosso.com.key -out mattgrosso.com.public.key -pubout -outform PEM

    Friday, April 16, 2010 at 1:53 am
  3. kent wrote:

    Hm. Didn’t see how the public key output mimics the DNS text wrapping at all …

    Friday, April 16, 2010 at 8:29 am
  4. Chris wrote:

    Try and keep the entire payload (Q and A etc) under 512 bytes – that’s the max that can fit into a UDP DNS packet, and falling back to DNS over TCP will probably slow stuff down like crazy, if not totally break many things.

    Tuesday, October 18, 2011 at 10:05 pm