[Dnsmasq-discuss] Using dnsmask for dkim, trying to patch dnsmasq

Simon Kelley simon at thekelleys.org.uk
Sat Aug 28 07:43:39 BST 2010

Thomas Carrié wrote:
> Hello,
> I am setting up a mail server with DKIM (exim4u).
> DKIM requires that I put the public key of my domain in a TXT record, so I add 
> in dnsmasq.conf
> txt-record=gamma._domainkey.sample.info,"v=DKIM1; t=y; k=rsa; 
> p=MIG1MA0GCSqGSIb3DQEBAQUAA4GjADCBnwKBlwxSuaM6ckdmIAHbz4KjlmUjmVxH6kMlaJi29fHa7lWonM0AWoBw9Pli/EULXHpVj71W6uJD/dGOQBlFjy0zOFBlR/yJU79rRqLwEPyDM8FoaLHHQWEcX/msoL5xjFS9R9l1+FJG5SmVVmQcyT0hgiyfW87xE3YhPspN6jnaukDYmzejGdivky9SowCrZWNgLtuxBjDaI20CAwEAAQ=="
> The problem is that dnsmasq rejects such a long record.
> I have changed the code (option.c) to accept longer TXT record, but then my 
> response headers are invalid, here are the messages I get from dig for my 
> patched dnsmasq
> $ dig @ gamma._domainkey.sample.info TXT
> ;; Warning: Message parser reports malformed message packet.
> ;; WARNING: Messages has 272 extra bytes at end
> When I capture the response with tcpdump, the DNS answer in incomplete, only 
> the first 10 bytes are here, I do not understand why, the UDP header says that 
> 338 bytes are supposed to be sent. The last byte of the DNS response is the 
> 3rd byte of the DNS TTL.
> Can someone explain me how is it possible to have mismatch between the UDP 
> length and the real content of the packet ?
> Hope I can have a response from author and community weither it is a good idea 
> or not to accept longer TXT record and to add DKIM capabilities to dnsmaq ?
> Thanks for your feedbacks

The reason for the limit is that the data is represented inside the DNS 
packet as a "counted string", ie a single byte giving the length 
followed by the characters of the string. That gives a hard limit on the 
length of a string of 255 characters. A single TXT record can hold more 
that one string, so it would be possible to automatically split a long 
string into 255-character chunks, RFC4870 section 9 seems to say that 
this is the correct thing to do.



More information about the Dnsmasq-discuss mailing list