[Dnsmasq-discuss] Using dnsmasq for DKIM, trying to patch dnsmasq
Simon Kelley
simon at thekelleys.org.uk
Sat Aug 28 07:43:39 BST 2010
Thomas Carrié wrote:
> Hello,
>
> I am setting up a mail server with DKIM (exim4u).
>
> DKIM requires that I put the public key of my domain in a TXT record, so I add
> in dnsmasq.conf
>
> txt-record=gamma._domainkey.sample.info,"v=DKIM1; t=y; k=rsa;
> p=MIG1MA0GCSqGSIb3DQEBAQUAA4GjADCBnwKBlwxSuaM6ckdmIAHbz4KjlmUjmVxH6kMlaJi29fHa7lWonM0AWoBw9Pli/EULXHpVj71W6uJD/dGOQBlFjy0zOFBlR/yJU79rRqLwEPyDM8FoaLHHQWEcX/msoL5xjFS9R9l1+FJG5SmVVmQcyT0hgiyfW87xE3YhPspN6jnaukDYmzejGdivky9SowCrZWNgLtuxBjDaI20CAwEAAQ=="
>
> The problem is that dnsmasq rejects such a long record.
>
> I have changed the code (option.c) to accept longer TXT record, but then my
> response headers are invalid, here are the messages I get from dig for my
> patched dnsmasq
>
> $ dig @127.0.0.1 gamma._domainkey.sample.info TXT
>
> ;; Warning: Message parser reports malformed message packet.
> ;; WARNING: Messages has 272 extra bytes at end
>
> When I capture the response with tcpdump, the DNS answer is incomplete, only
> the first 10 bytes are here, I do not understand why, the UDP header says that
> 338 bytes are supposed to be sent. The last byte of the DNS response is the
> 3rd byte of the DNS TTL.
>
> Can someone explain to me how it is possible to have a mismatch between the UDP
> length and the real content of the packet?
>
> I hope I can have a response from the author and the community on whether it is a
> good idea or not to accept longer TXT records and to add DKIM capabilities to dnsmasq.
>
> Thanks for your feedback
The reason for the limit is that the data is represented inside the DNS
packet as a "counted string", i.e. a single byte giving the length
followed by the characters of the string. That gives a hard limit on the
length of a string of 255 characters. A single TXT record can hold more
than one string, so it would be possible to automatically split a long
string into 255-character chunks; RFC4870 section 9 seems to say that
this is the correct thing to do.
Cheers,
Simon.
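The wire format Simon describes, as an added example that is not dnsmasq's code and not part of this thread: each TXT string is a "counted string" (one length octet followed by the data), so a record longer than 255 characters has to be carried as several such strings inside one RDATA. The code splits the record from the post into 255-octet chunks, frames them in a TXT resource record, parses it back, and shows why a single length octet cannot describe the whole key. The record text is copied from the post (the line break in the mail is taken as a space); the owner name, the TTL and the "naive" encoder are constructed for illustration only, and the RR parser does not handle name compression, which a real answer section would need.

```python
"""TXT RDATA as RFC 1035 <character-string>s: split, frame, parse.

Added example, not dnsmasq code. DKIM_RECORD is copied from the post above
(the mail's line break is assumed to be a space); owner name, TTL and the
naive encoder are constructed for illustration.
"""
from __future__ import annotations
import struct

MAX_CHARACTER_STRING = 255  # one length octet per string (RFC 1035, section 3.3)
TYPE_TXT = 16
CLASS_IN = 1

# Copied from the post; the "k=rsa;" / "p=" line break is assumed to be a space.
DKIM_RECORD = (
    "v=DKIM1; t=y; k=rsa; "
    "p=MIG1MA0GCSqGSIb3DQEBAQUAA4GjADCBnwKBlwxSuaM6ckdmIAHbz4KjlmUjmVxH6kMlaJi29fHa7lWonM0AWoBw9Pli/EULXHpVj71W6uJD/dGOQBlFjy0zOFBlR/yJU79rRqLwEPyDM8FoaLHHQWEcX/msoL5xjFS9R9l1+FJG5SmVVmQcyT0hgiyfW87xE3YhPspN6jnaukDYmzejGdivky9SowCrZWNgLtuxBjDaI20CAwEAAQ=="
)


def split_txt(text: str) -> list[bytes]:
    """Cut a long TXT value into pieces that each fit one length octet."""
    data = text.encode("ascii")
    return [data[i:i + MAX_CHARACTER_STRING]
            for i in range(0, len(data), MAX_CHARACTER_STRING)]


def encode_txt_rdata(strings: list[bytes]) -> bytes:
    """RDATA of a TXT RR: a sequence of <length octet><data> character-strings."""
    out = bytearray()
    for s in strings:
        if len(s) > MAX_CHARACTER_STRING:
            raise ValueError("character-string longer than 255 octets")
        out.append(len(s))
        out += s
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> list[bytes]:
    """Walk the character-strings; refuse a length that runs past the RDATA."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string at offset %d" % (i - 1))
        strings.append(rdata[i:i + n])
        i += n
    return strings


def naive_single_string_rdata(text: str) -> bytes:
    """Constructed failure mode: one string whose length is stored in a single
    octet, so anything over 255 wraps (len & 0xFF) and the parser desynchronises."""
    data = text.encode("ascii")
    return bytes([len(data) & 0xFF]) + data


def txt_roundtrips(rdata: bytes, text: str) -> bool:
    """True only if the strings decode cleanly and concatenate back to text."""
    try:
        return b"".join(decode_txt_rdata(rdata)) == text.encode("ascii")
    except ValueError:
        return False


def encode_name(name: str) -> bytes:
    """Uncompressed owner name: <label length><label>... terminated by 0."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(wire: bytes, offset: int) -> tuple[str, int]:
    labels = []
    while True:
        n = wire[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(wire[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset


def build_txt_rr(name: str, ttl: int, strings: list[bytes]) -> bytes:
    """NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA (RFC 1035, section 3.2.1)."""
    rdata = encode_txt_rdata(strings)
    header = struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata))
    return encode_name(name) + header + rdata


def parse_txt_rr(wire: bytes) -> dict:
    """Parse one RR; 'trailing' counts bytes left over after RDLENGTH, which is
    what dig reports as 'extra bytes at end' when the framing is inconsistent."""
    name, off = decode_name(wire, 0)
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", wire, off)
    off += 10
    rdata = wire[off:off + rdlength]
    if len(rdata) != rdlength:
        raise ValueError("RDLENGTH runs past the end of the packet")
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "strings": decode_txt_rdata(rdata),
            "trailing": len(wire) - off - rdlength}


if __name__ == "__main__":
    chunks = split_txt(DKIM_RECORD)
    print("record length %d -> %d character-strings of %s octets"
          % (len(DKIM_RECORD), len(chunks), [len(c) for c in chunks]))
    rr = build_txt_rr("gamma._domainkey.sample.info", 3600, chunks)  # constructed TTL
    print(parse_txt_rr(rr))
    print("naive single-string encoding round-trips:",
          txt_roundtrips(naive_single_string_rdata(DKIM_RECORD), DKIM_RECORD))
```

The verifier on the receiving side (a DKIM-aware MTA) concatenates the character-strings before parsing the tag list, so the split point does not need to fall on a tag boundary; what matters is that every string stays at or below 255 octets and that RDLENGTH covers all of them.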