allow stronger dkim-keys / longer txt-records

Discussion in 'Developers' Forum' started by florian030, Sep 12, 2014.

  1. florian030

    florian030 Well-Known Member HowtoForge Supporter

    What do you think about letting the admin set the key-length for dkim-keys?

    I could add a drop-down-list to server config / mail like this:
    normal - 1024
    high - 2048
    strong - 4096

    Using high or strong requires longer txt-records, so dns_rr.data must be changed.

    This will not lead to problems with bind or dns in general. In a txt-record each string is limited to 255 chars but according to RFC 4408 you can have more than one string inside a txt-record. This looks like
    (...) TXT ("first string"
    "second string")

    instead of

    (...) TXT "string"

    The dns returns a long string where all strings are joined without any '"'.
    We can also allow longer strings for txt-records in general, but there is not really a need for longer records and it will also lead to changing a lot of code to reformat the value. ISPConfig creates the txt-record for dkim automatically or by using DKIM inside a dns-zone. I don't see any other need for longer txt-records beside domain-keys.

    AFAIK there are two limitations regarding the "long string":

    In general, every string is limited to 65535 bytes - but this should not be a problem.
    If you are using UDP-only for bind, the UDP-packetsize should not be greater than 512 bytes. There should be no problems on the user-side, but the firewall may block larger packets or they get fragmented on other network-layers (I'm not sure if this is nowadays relevant as ipv6 uses at least 1500 bytes).

    A public-key for a private-key-2048 has 392 chars and the private-key for 4096 has 736 chars. The UDP limits above should be no problem with a key-length 2048 (returns 392 chars for the key + other values for the txt-record).

    I think using TINYTEXT or TEXT for dns_rr.data should be enough and will work without any problems.

    This will also solve FS#2906
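To illustrate the two points above (splitting a long TXT value into 255-char strings and checking the 512-byte UDP limit), here is an added example that is not part of the thread or of ISPConfig. The p= values are constructed filler of the same length as a real 2048/4096-bit key, not real keys, and the owner name and TTL are assumptions.

```python
"""Split a DKIM TXT value into RFC 1035 character-strings and estimate
whether a plain (non-EDNS) UDP answer stays within 512 bytes."""
import base64

MAX_CHAR_STRING = 255    # one <character-string> inside TXT RDATA
CLASSIC_UDP_LIMIT = 512  # DNS over UDP without EDNS0

# DER SubjectPublicKeyInfo sizes of RSA keys; base64 of these gives the
# 216 / 392 / 736 character p= values (392 and 736 are quoted in the thread).
SPKI_DER_BYTES = {1024: 162, 2048: 294, 4096: 550}


def constructed_dkim_txt(bits: int) -> str:
    """Build a DKIM TXT value whose p= has a realistic length.
    The bytes are constructed filler, NOT a real public key."""
    filler = bytes(range(256)) * 3
    p = base64.b64encode(filler[:SPKI_DER_BYTES[bits]]).decode("ascii")
    return f"v=DKIM1; k=rsa; p={p}"


def split_txt(value: str, limit: int = MAX_CHAR_STRING) -> list:
    """Cut the value into <=255-byte pieces; resolvers join them again."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def zone_record(owner: str, value: str, ttl: int = 3600) -> str:
    """Render the record in the parenthesised multi-string zone-file form."""
    parts = split_txt(value)
    if len(parts) == 1:
        return f'{owner} {ttl} IN TXT "{parts[0]}"'
    body = "\n    ".join(f'"{p}"' for p in parts)
    return f"{owner} {ttl} IN TXT ( {body} )"


def wire_name_len(name: str) -> int:
    """Uncompressed wire length: 1 length byte per label plus the root byte."""
    return sum(1 + len(lbl) for lbl in name.rstrip(".").split(".")) + 1


def udp_answer_size(owner: str, value: str) -> int:
    """Rough size of a one-answer response: header + question + one TXT RR.
    Each character-string carries a 1-byte length prefix; the answer's owner
    name is assumed to be a 2-byte compression pointer to the question."""
    rdata = sum(1 + len(p) for p in split_txt(value))
    question = wire_name_len(owner) + 4            # QTYPE + QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + rdata              # ptr, TYPE, CLASS, TTL, RDLENGTH
    return 12 + question + answer


def fits_classic_udp(owner: str, value: str) -> bool:
    return udp_answer_size(owner, value) <= CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        txt = constructed_dkim_txt(bits)
        owner = "default._domainkey.example.com"  # assumed selector/domain
        print(f"{bits}: {udp_answer_size(owner, txt)} bytes, "
              f"fits UDP/512: {fits_classic_udp(owner, txt)}")
        print(zone_record(owner, txt))
```

Running it shows the 2048-bit record still fits a 512-byte UDP answer while the 4096-bit one (three 255-char pieces) does not, which is why 2048 is the safer default when EDNS cannot be assumed.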
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi,

    we can increase the length of text records to 65535. The BIND Plugin already supports splitting of longer TXT records. The only problem that might happen is that servers that use MyDNS won't be able to use these longer records, but in such a case the users can update their systems to BIND.
     
  3. florian030

    florian030 Well-Known Member HowtoForge Supporter

    And what about the length for such records? I'm not sure if it will work with UDP connections.

    And I can add some key-length to the dkim-signing and hide those values if mydns is used.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't see a problem as long as the key length is selectable. But we should use e.g. 2048 as default so that no problems can occur with UDP in the default setup.
     