DNS Email System Administration Technical

DKIM TXT Records in DNS exceeding 255 characters

Wow. It’s 2009, and apparently DNS can only support reading configuration file lines which are not greater than 255 characters. I received the following error in my system log when I was setting up DKIM entries:

MarĀ  5 15:23:44 web4 named[66731]: dns_rdata_fromtext: domain.dns:16: ran out of space

Problem is, the entire domain is then borked. That is, if domain.dns contains all of the DNS records for, this error makes the domain not found at all. Whoops.

# host
Using domain server:

Host not found: 3(NXDOMAIN)

Doh. Turns out, the syntax for including multi-line TXT records in named.conf is slightly obscure, but thanks to the folks at SFR Fresh, which hosts an open-source DKIM Milter, the syntax isn’t that difficult to master. In short, you include the text record by breaking it into smaller strings, and enclosing the whole thing with parenthesis.

For example: IN TXT “a really long string as an example”

Becomes IN TXT ( “a really long str”
“ing as an example” )

You get the idea.

Apparently DNS can support TXT records up to 65535 characters, but I’d say except in the cases of DKIM records, it’s rare to need this much data for a DNS record.

4 replies on “DKIM TXT Records in DNS exceeding 255 characters”

I found the solution to this same issue was using PEM format and openssl rather than ssh-keygen and -t dsa. eg:

openssl genrsa -out 1024

openssl rsa -in -out -pubout -outform PEM

Try and keep the entire payload (Q and A etc) under 512 bytes – that’s the max that can fit into a UDP DNS packet, and falling back to DNS over TCP will probably slow stuff down like crazy, if not totally break many things.

Comments are closed.