Generated DKIM records are invalid

Issue #566 resolved
Aaron created an issue

I generated a DKIM record in the Poste interface and used it to create a TXT record on my domain. After waiting for over 40 hours for the DNS record to propagate, I eventually found out that the generated record is invalid.

This is the generated record:

s20190108225._domainkey.datahoarder.xyz IN TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9azIhIvkVqsOtoRLYzZpLbV1dzfq/ZvD6hQwAbh8RFjbGyTxa3xFw990/mIcHxrckMIcwkn4DRi3FgKVilDrlHs/Ht0RjPnBF+1NtR90Iw4IoiM4JsuDamD49iZHJMzPjKMESzUAYMDw+CxDAQRKIYy73tqJWaxGPBo60aAWVcboYFhmA9SF+Mb7uoupEPa5jm8MtIccDXQ6sIQO+L7xJXetkrqS4fSsvjK2sMBgKV8AblnyWQ+Mz5bZLL3zgILsJd33sQHBu5F3fqu10Hp54Rt7v8siknUtt7bruUELajSmbrOfieKj5OCHZp6K6bWxh6/4lDUSoqX+aH1zIl8gvQIDAQAB"

It will not be found by DNS probes until it is altered as such:

s20190108225._domainkey IN TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9azIhIvkVqsOtoRLYzZpLbV1dzfq/ZvD6hQwAbh8RFjbGyTxa3xFw990/mIcHxrckMIcwkn4DRi3FgKVilDrlHs/Ht0RjPnBF+1NtR90Iw4IoiM4JsuDamD49iZHJMzPjKMESzUAYMDw+CxDAQRKIYy73tqJWaxGPBo60aAWVcboYFhmA9SF+Mb7uoupEPa5jm8MtIccDXQ6sIQO+L7xJXetkrqS4fSsvjK2sMBgKV8AblnyWQ+Mz5bZLL3zgILsJd33sQHBu5F3fqu10Hp54Rt7v8siknUtt7bruUELajSmbrOfieKj5OCHZp6K6bWxh6/4lDUSoqX+aH1zIl8gvQIDAQAB"

Furthermore, the DKIM record itself is also not compliant with the relevant RFC standards. You need to tell the generator to add v=DKIM1 at the start of the record for the DKIM record to be valid. The final, valid DKIM record looked like this:

s20190108225._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9azIhIvkVqsOtoRLYzZpLbV1dzfq/ZvD6hQwAbh8RFjbGyTxa3xFw990/mIcHxrckMIcwkn4DRi3FgKVilDrlHs/Ht0RjPnBF+1NtR90Iw4IoiM4JsuDamD49iZHJMzPjKMESzUAYMDw+CxDAQRKIYy73tqJWaxGPBo60aAWVcboYFhmA9SF+Mb7uoupEPa5jm8MtIccDXQ6sIQO+L7xJXetkrqS4fSsvjK2sMBgKV8AblnyWQ+Mz5bZLL3zgILsJd33sQHBu5F3fqu10Hp54Rt7v8siknUtt7bruUELajSmbrOfieKj5OCHZp6K6bWxh6/4lDUSoqX+aH1zIl8gvQIDAQAB"

The site I used to check the validity of the DKIM record: https://dkimcore.org/tools/keycheck.html

The RFC document which states that v=DKIM1 must be present at the start of a record: http://dkim.org/specs/rfc4871-dkimbase.html#key-text

Comments (4)

  1. SB

    Generally DNS providers will include your domain.ext in the record name

    for example, the record shows the full resolution of s20190108225._domainkey.datahoarder.xyz

    But your provider will (in nearly all cases) automatically add ".datahoarder.xyz" to the end of what you put in your DNS record's name

    [attached screenshot: contoso.PNG]

    However I do think the generated sample should (as it does) always show the full name resolution for the removal of any doubt as to what the full record should be.

  2. SH repo owner

    @graywhale As per the linked RFC, the version tag is recommended, not required. See Gmail (in a lot of cases I select settings from large mainstream providers because obviously that works...)

    $ dig +short txt 20161025._domainkey.gmail.com
    "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqR" "tqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpbq4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB"

    As @shb1 pointed out, some providers do that automatically and you should not paste the whole domain name. To be as precise as possible, there is a missing dot at the end (see https://en.wikipedia.org/wiki/Fully_qualified_domain_name). I've fixed that now.
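The two failure modes in this thread, a record name that gets the zone appended a second time and a tag list that does not follow the key-record syntax (v= optional but first if present, p= required and base64), can both be checked before anything is published. The following is an added Python example written for this page; it is not Poste's code and not part of the issue. It uses a constructed placeholder in place of a real public key, `published_name` models the control-panel behaviour SB describes (a relative name gets the zone appended, a trailing dot marks a fully qualified name) and is an assumption about the provider rather than a DNS rule, and `join_txt_strings` handles the split quoted strings seen in the Gmail `dig` output.

```python
import base64
import binascii

# Constructed placeholder for the p= value; NOT a real RSA key. Real records carry a
# base64 DER SubjectPublicKeyInfo (the "MIIBIjAN..." blobs quoted in the thread).
CONSTRUCTED_P = base64.b64encode(
    b"constructed placeholder, not a real SubjectPublicKeyInfo").decode()


def join_txt_strings(strings):
    """A TXT RDATA may be split into several <character-string>s (dig prints them as
    separate quoted strings, as in the Gmail record above). RFC 6376 has the verifier
    concatenate them, with no separator, before parsing the tag list."""
    return "".join(strings)


def parse_tag_list(text):
    """Parse an RFC 6376 tag-list ('tag=value; tag=value'), keeping tag order.
    A duplicate tag name makes the whole tag list invalid."""
    tags = []
    for part in text.split(";"):
        part = part.strip()
        if not part:                      # a trailing ';' is permitted
            continue
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if any(n == name for n, _ in tags):
            raise ValueError(f"duplicate tag: {name}")
        tags.append((name, value.strip()))
    return tags


def check_dkim_record(strings):
    """Validate a DKIM key record as it would be published in DNS.
    Returns (errors, warnings); no errors means the syntax is acceptable to a verifier."""
    errors, warnings = [], []
    try:
        tags = parse_tag_list(join_txt_strings(strings))
    except ValueError as exc:
        return [str(exc)], warnings
    names = [n for n, _ in tags]
    tagmap = dict(tags)
    # v= is RECOMMENDED, so its absence is only a warning (the repo owner's point), but
    # when present it MUST be the first tag and MUST read "DKIM1" (Aaron's point).
    if "v" in tagmap:
        if names[0] != "v":
            errors.append("v= tag present but not first")
        if tagmap["v"] != "DKIM1":
            errors.append(f"unsupported version {tagmap['v']!r}")
    else:
        warnings.append("v=DKIM1 missing (recommended but optional)")
    # k= defaults to rsa; ed25519 was added later by RFC 8463.
    key_type = tagmap.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        errors.append(f"unknown key type {key_type!r}")
    # p= is REQUIRED; an empty value means the key has been revoked.
    if "p" not in tagmap:
        errors.append("p= tag missing")
    else:
        p = "".join(tagmap["p"].split())  # folding whitespace inside base64 is allowed
        if p == "":
            warnings.append("p= is empty: key revoked, signatures will not verify")
        else:
            try:
                base64.b64decode(p, validate=True)
            except binascii.Error:
                errors.append("p= is not valid base64")
    return errors, warnings


def published_name(entered, zone):
    """Owner name a typical DNS control panel publishes for what is typed into the
    'name' field of a record in `zone` (assumed provider behaviour): a name without a
    trailing dot is relative to the zone, a trailing dot marks it as fully qualified."""
    zone = zone.rstrip(".")
    if entered.endswith("."):
        return entered
    if entered in ("", "@"):
        return zone + "."
    return f"{entered}.{zone}."


def expected_dkim_name(selector, domain):
    """Where a verifier queries for the key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain.rstrip('.')}."


if __name__ == "__main__":
    zone, selector = "datahoarder.xyz", "s20190108225"
    want = expected_dkim_name(selector, zone)
    for entered in (f"{selector}._domainkey.{zone}",      # as generated: zone doubled
                    f"{selector}._domainkey",             # relative name: correct
                    f"{selector}._domainkey.{zone}."):    # FQDN with trailing dot: correct
        got = published_name(entered, zone)
        print(f"{entered!r:48} -> {got}  {'OK' if got == want else 'WRONG'}")
    for rec in (["k=rsa; p=" + CONSTRUCTED_P],
                ["v=DKIM1; k=rsa; p=" + CONSTRUCTED_P],
                ["k=rsa; v=DKIM1; p=" + CONSTRUCTED_P]):
        print(rec[0][:24], check_dkim_record(rec))
```

Run against the generated name and `datahoarder.xyz` as the zone, `published_name` shows the doubled `...datahoarder.xyz.datahoarder.xyz.` that the 40-hour wait never resolved, while the relative form and the dotted FQDN both land on the name a verifier queries; `check_dkim_record` accepts the record with or without `v=DKIM1` and only rejects it when the version tag is misplaced, malformed, or the key is missing.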