DKIM TXT DNS Recort Problem

Hans · February 10, 2019, 9:24pm

I just try to create a DKIM record in my masters DNS and I just don’t understand what’s going wrong:

univention-directory-manager dns/txt_record create --superordinate “zoneName=example.com,cn=dns,dc=example,dc=com” --set zonettl=3 --set name=“201902._domainkey” --set txt=“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwmsSi6YbyPESxG20F8zA7NeTx40/PaaH6N6N6lI+5IageFUkxFskLBlGeKsbKrb1UN1o1l85kdTnWC1pn3SB+dnaMbhlTqpsY1mZGoxotJxGSnpYmMwfJ3DpJocAxoG55Wu+58rOdbUFkoAUG2RLrzaPp0xzvkTIWPrXHOB/koOeStdHos7QUiliaBdAoupG4fwfHoi2IPJPLzHfynefBykiVGmPUGjJxowJ/bWTbxwkVKGwjIWPfzqvb4R1WrUbLAh4HL//Y+uiadD07u+hOFxAf0DLHJW8E1RrDtb6Sb6hsQTvdU+3Quk6xdm1hRhKqllbP8oTpwGXW91WIZc+awIDAQAB”

The command runs without an error.

host -t TXT 201902._domainkey.example.com

–> 201902._domainkey.example.com descriptive text “v=DKIM1”
Everything after the semicolon is gone.
Ok, I can try adding additional quotationmarks

univention-directory-manager dns/txt_record create --superordinate “zoneName=schnagl.one,cn=dns,dc=olc,dc=schnagl,dc=one” --set zonettl=3 --set name=“201902._domainkey” --set txt="“v=DKIM1; k=rsa”"

And voila
host -t TXT 201902._domainkey.example.com

–> 201902._domainkey.example.com descriptive text “v=DKIM1, k=rsa”

But when I add the key the the command the host command still delivers the same result. What I can do is just reduce the size of the key:

univention-directory-manager dns/txt_record create --superordinate “zoneName=example.com,cn=dns,dc=example,dc=com” --set zonettl=3 --set name=“201902._domainkey” --set txt="“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwmsSi6YbyPESxG20F8zA7NeTx40/PaaH6N6N6lI+5IageFUkxFskL”"

Then I get what I expect:
host -t txt 201902._domainkey.example.com
201902._domainkey.example.com descriptive text “v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwmsSi6YbyPESxG20F8zA7NeTx40/PaaH6N6N6lI+5IageFUkxFskL”

It seems it’s only working if the string is short enough. Any ideas?

Hans · February 11, 2019, 6:50pm

It seems I found a solution. Setting a dkim record at the dns server of netcup I realized that the key is split into two halfs. I just took the lookup result and copied it to the Univention master dns:
“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvA541BSi4baHzShEQiAGd3rbnIxjpNyjKcrpp98og0Obb8SLmyxioHTlH/tCAg3h/jzVf9o03+Mb4IHEJzaAptHUzVZtn0Tt2nlSf8lX3R0vs4yo5nElvWieWev0UxLUHgjlRpX1uu3HKkFs+wCGNkme9spZeQ/WpNhRb0J/O6Dcsb18FLIW8YehwCqHnim5” “3wAdhTmHi0LZAFO9g1bPPr9t5dL1+vHUNLIh2MpnKRwieSVHtGU8SsOk8NhkRVtOafKC+5CgSuF1jc0RWyYeUZmURPevoloePCakrNyOrUcqKTUQxiP3NgvZ7/UbutmV+pKOoLoxuj7/Sft/tsNVQIDAQAB” “”

This at least gives the correct lookup result with
host -t txt 201902._domainkey.example.com

Moritz_Bunkus · February 12, 2019, 8:37am

DNS records have a maximum length for each value, but TXT records may contain more than one value. That’s what you’re encountering here.

Apart from that: keep in mind that DNS records such as DKIM or SPF must be resolvable by the receiving mail server (e.g. when you send a mail from your domain to someone using a googlemail.com address, the Google mail servers will try to look up the DKIM record for your own domain). This in turn means that the records must be available from the public internet. It is unusual to have a UCS DNS server be reachable from the public internet, so let me ask you: are your UCS DNS servers reachable from the internet? Or are you at least using your UCS DNS as a master server for publicly reachable DNS slave servers?

Hans · February 12, 2019, 3:10pm

Thanks for your input.

No, my DNS server is not reachable from the internet. Yes, I understand that I have to configure the dkim TXT recort at the DNS server of my hoster.

All I wanted to do is try out dkim internally before I configer the hoster’s DNS record.

Hans · February 23, 2019, 8:44pm

Just if anyone has similar problems:
I followed
https://www.cubewerk.de/2017/12/04/spf-und-dkim-mit-univention-ucs-server/
and especialle the work from
https://kofler.info/dkim-konfiguration-fuer-postfix/

In my configuration (kopano with activated amavis) every outgoint email was signed twice. I solved this by following:

I just added an additional line
-o smtpd_milters=
in
/etc/univention/templates/files/etc/postfix/master.cf.d/30_antivir
The relevant part now looks like:

127.0.0.1:10025 inet n	-		n	  -		  -	 smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_client_restrictions=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=127.0.0.0/8
	-o smtpd_authorized_xforward_hosts=127.0.0.0/8
	-o strict_rfc821_envelopes=yes
	-o smtpd_error_sleep_time=0
	-o smtpd_soft_error_limit=1001
	-o smtpd_hard_error_limit=1000
	-o smtpd_milters=
	-o receive_override_options=no_address_mappings''' % {"maxproc": configRegistry.get("mail/antivir/max_servers", "2")}
@!@

You have to recreate the master.cf by
univention-config-registry commit /etc/postfix/master.cf

I added a
service postfix reload
to make sure that the new configuration really is active.