DA's DKIM script needs to be updated

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Maybe DA Staff can do something like this.. but.. it makes no sense at all.. a higher key bit size is for higher security.. so.. why should someone decide to have a less secure key?

The post you linked is the post i did reply to...

Re-read what I asked.. and be sure to paste the key correctly (one line; to be sure, paste it in Notepad before pasting it elsewhere so you know you're doing it right).

Regards
 

mangelot

Verified User
Joined
Jan 11, 2007
Messages
61
Location
Enschede, Netherlands
"powerdns is a mysql nameserver that is getting the records through AXFR notifications" No manual input! :D

It receives its records by notify, but if the /var/named/domain.db TXT records use quotes or spaces or newlines,
it also gets those into the powerdns database by AXFR notify, including the quotes, spaces and newlines, resulting in wrong records!
 

mangelot

Verified User
Joined
Jan 11, 2007
Messages
61
Location
Enschede, Netherlands
Ok, now I get it :) mmh, how does powerdns get notified?
For more info about powerdns notify see this url:
http://www.directadmin.com/forum/archive/index.php/t-24888.html


I also found a solution for the 2048 bit keys not working on powerdns:
powerdns database >> Table >> content has SQL Varchar 255.
I changed it to TEXT and now there is no more limit of 255 characters;
that seems to be a quick fix for this issue.

Now we have to find a solution for the quotes and spaces problem...
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
There is nothing that useful on the link provided.

It isn't written how you transfer zones from DA to PowerDNS.. probably that's the point.. knowing that, maybe it would be easier to understand how to prevent the quotes from provoking errors...

Regards
 

mangelot

Verified User
Joined
Jan 11, 2007
Messages
61
Location
Enschede, Netherlands
Yes there is:

3) Edit the BIND configuration file on both servers to accept DNS zone transfers...

Add the following in the /etc/bind/named.conf.options file on server1 - somewhere in between the options { }; tags:

Code:
notify explicit;
also-notify { 192.168.0.2; };
allow-notify { 192.168.0.2; };
allow-transfer { 192.168.0.2; };
DNS Notify is a mechanism that allows master nameservers to notify their slave servers of changes to a zone's data.
In response to a NOTIFY from a master server, the slave will check to see that its version of the zone is the current version and, if not, initiate a transfer.

So I notify two powerdns servers configured with the supermaster function (the powerdns servers can both act as master or slave).
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,919
Hello,

Two things:

1) To disable DA's wrapping, I've added a new option:
http://www.directadmin.com/features.php?id=1395

I'll upload a new set of pre-release binaries within a few days with this change.


2) If you want a smaller key, change the script that creates the key:
Code:
cd /usr/local/directadmin/scripts/custom
cp ../dkim_create.sh .
and edit custom/dkim_create.sh and change 2048 to 768, e.g.:
Code:
openssl genrsa -out ${PRIV_KEY} 2048 2>&1

I believe the 768 size will still get wrapped if line wrapping is enabled... so you might as well leave the script alone (keep 2048) and just disable line wrapping.. but only disable the wrapping if you're NOT using named/bind.
A 2048 TXT value will crash it, which was the whole point of adding it.


Also note, that a chopped up TXT value in quotes is actually valid in the reply, eg, this is a valid return (all one line):
Code:
;; ANSWER SECTION:
x._domainkey.domain.com.   14400    IN      TXT     "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2BjFOW9UR1zrAq1vRd7RoL3tYdDG5lBuBcRevcdF7BZwgCVGbi+1pjxLk70X25HGL11FEWvtAteC02O1dZpEXm" "4HHdups9YFA794+bXClW4Ne+IojDhxY7nqVorOjrb7GejvECCXJWuNbsnBQG4YWXMQE745rxVT4zyPzqFznGBmxUXUmtzyHALqbrkffl7DfXX2gy+86ZTojHawdUUiOQT8S4y29HH4bS/ou/oaadIl" "umqjUUKBCrvm213l8NAYoy/YWZJjHoL2r7Hs3ZLiUjhN52S4nSgj9+UD9DRaK3IJRyU6zyD+1KSaFyyQO24uUSN136BvUwVxbWqhY/fnwIDAQAB"
John
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,453
I am working on enabling dkim on all domains including server hostname. I have two questions:

1: I am doing this: http://www.directadmin.com/features.php?id=1189 - when I add it for the server hostname like this:

Code:
cd /usr/local/directadmin/scripts/
./dkim_create.sh server.hostname.com
Then it seems like everything is added. But the guide at http://www.directadmin.com/features.php?id=1189 says this:

Take out the ---- lines and all newline characters when adding it to dns.
However, after I run ./dkim_create.sh server.hostname.com it seems to have done that and everything else for me. In the DirectAdmin control panel, when I go to the DNS manager page for the server hostname, both x._domainkey and _domainkey are already added. So I am confused why the guide says that I should add anything manually like quoted above. Is there anything more to do like the guide says?

2: To check my DKIM setup I go here: http://dkimcore.org/tools/dkimrecordcheck.html - but what should I add in the "Selector:" text field?
 

mangelot

Verified User
Joined
Jan 11, 2007
Messages
61
Location
Enschede, Netherlands
Question 1..

No idea why it's written there, but it seems to me that if the key is generated everything is just fine.. (there is no public.key without the ---- needed in dns)

Question 2..

Selector: is "x" without the quotes (x._domainkey.domain.com)

Wait a few hours for the dns records to resolve first...
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,453
Thanks! I tested and it says: "This is a valid DKIM key record"

However, when I send an email to myself (to another email address on the same domain name that I am sending from), I do not find any DKIM signature in the header of the email I receive. And when testing by sending to my private Gmail address, it is not delivered, but I think it is because of some delay in Gmail. But it makes me nervous.

If you will let me send you a test email, then you can check my headers? If so, please pm me your email address.

I have added this to etc/exim.conf:

Code:
driver = smtp
dkim_domain = $sender_address_domain
dkim_selector = x
dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
dkim_canon = relaxed
dkim_strict = 0
And I also restarted exim afterwards.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,453
I have now tested using this test: http://www.appmaildev.com/en/domainkeys/

The result I get says:

============================================================
DomainKey result: none (no signature)
============================================================


============================================================
DKIM result: pass
============================================================

What could be wrong? I am running the newest exim version. And I have added this to etc/exim.conf and restarted exim:

driver = smtp
dkim_domain = $sender_address_domain
dkim_selector = x
dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
dkim_canon = relaxed
dkim_strict = 0

I am lost as to why the signature is not added to the email header. (Edit: I sent the test email via smtp on port 587)
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,453
Wow. Now I am confused. I just received one of my test emails that I sent to my private gmail address (it was delayed), and the header does contain the DKIM-Signature in that email. So I don't know why it was missing from the test that I did on http://www.appmaildev.com/en/dkim/ - could the missing email header be related to dns propagation? Strange!
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,453
Never mind. The test at http://www.appmaildev.com/en/dkim/ seems to be wrong. I sent a test email from a gmail address to it, and then it also reported that:

============================================================
DomainKey result: none (no signature)
============================================================

So it works anyway.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,453
The only issue I can see right now.. is that the record is so long that it makes the tables very ... very ... wide.
For now, it's not a major issue as it "works".. but we'll need to decide what's best to make it look nicer:
[..]cut[..]
Suggestions/input welcome.
I suggest that you use inline css to set a max-width on the td, and then use additional css to make the line break. I have done this in my custom-built theme:

Code:
|$/usr/local/bin/php
<?php
$data = <<<END
|DNS_ROWS|
END;
$data = str_replace("FONT-SIZE: 8pt; FONT-FAMILY: courier new;", "max-width:450px;word-break:break-all;word-wrap:break-word;", $data);
echo $data;
?>
DONE|
Please note that I use both word-break:break-all; and word-wrap:break-word; - the first one is for Internet Explorer, and the second one is for Firefox and Opera. This is so that it works correctly in all the big browsers. Of course you would adjust the max-width value when using it in enhanced or any other theme. The important thing is that max-width is small enough; if you set it too small, it still works fine. Actually it would work fine even when you set it to only 10px; it would still use the space available. :)

I have asked for it before, but please let me ask again: please in the future make more of the html code available without it being encrypted. It is not possible for me to do all I want when you have hardcoded html tables like, for example, in |DNS_ROWS| - if possible please make more of the html available in the theme in the future so we don't have to "hack it like this". :)
 

Maniak

Verified User
Joined
Aug 25, 2004
Messages
220
Location
Switzerland
It seems to me that this doesn't work
when you are using directadmin with powerdns (supermaster);
this dkim_create.sh only works when the ssl key is 768 bit and not 2048 for powerdns.
Any suggestions?
How long is the column "type" and "content" of table records of your PowerDNS database? I've seen a lot of poorly configured PowerDNS servers out there who had copy-pasted the MySQL structure from some blogs without taking care to know what it does. If you can't replicate 2048 bits keys, you most likely have 6 for "type" and "255" and should have 10 for "type" and 64000 for "content" columns instead, in table records.

Gregory
 

Raimo

Verified User
Joined
Oct 7, 2009
Messages
25
I successfully enabled DKIM by this (http://www.directadmin.com/features.php?id=1189) how-to, but when checking with http://dkimcore.org/c/keycheck I get the following problem.
It detects the TXT record as: v=DKIM1 k=rsa p=MIIBIjAN....
But it is unable to parse the v, k or p key. It says:
This is not a good DKIM key record. You should fix the errors shown in red.

In the beginning the TXT record in the DNS zone was setup like :
domain.com. 3600 IN TXT "v=spf1 a mx ip4:xxx.xxx.xx.xx ~all"
_domainkey 3600 IN TXT "o=~"
x._domainkey 3600 IN TXT ( "v=DKIM1 k=rsa p=MIIBIjAN...." )

The p key is on multiple lines, but that should be ok when using ().
I modified the DNS to:
x._domainkey 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjAN...." )
which seemed to help because the v and k keys were now parsed correctly, but for the p= key it gives the error "the string must be base64 encoded". I'm clueless about that.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,453
I think you are typing the wrong thing in the text field "Selector:" at http://dkimcore.org/tools/keycheck.html - just put: x in the "Selector" text field, and then your domain name in the next text field. When I do that, it says:

This is a valid DKIM key record

This TXT record consists of multiple strings. This is valid, and can't be avoided in this case.
 

Raimo

Verified User
Joined
Oct 7, 2009
Messages
25
I am putting x as selector.
Can you paste your TXT record from the zone file?
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,453
Here you go, I have kept / and + in the key, replaced the rest with REMOVED:

Code:
_domainkey	14400	IN	TXT	"o=~"
domain.com.	14400	IN	TXT	"v=spf1 a mx ip4:11.111.111.111 ~all"
x._domainkey	14400	IN	TXT	( "v=DKIM1; k=rsa; p=REMOVED+REMOVED"
					"REMOVED/REMOVED+/REMOVED"
					"REMOVED++REMOVED/REMOVED/REMOVED/REMOVED" )
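As an added example (not code from the thread or from DirectAdmin), a small Python parser showing why John's chopped-up quoted record and ditto's multi-string zone record are valid while Raimo's first record without semicolons was rejected: the quoted strings are concatenated before the tag=value list is read, and each string is capped at 255 bytes on the wire, so a 2048-bit key cannot fit in one string. The sample records and the p= value are constructed placeholders, not real keys.

```python
import base64
import binascii
import re

# Constructed placeholder for p=; a real record carries a base64 DER RSA public key.
P_SAMPLE = base64.b64encode(b"constructed placeholder, not a real RSA public key").decode()
CUT = len(P_SAMPLE) // 2

# Constructed records: a dig-style answer with escaped ";" and p= chopped into two strings,
# the same key as a zone-file record using ( ), and a record whose tags lack semicolons.
DIG_ANSWER = ('x._domainkey.domain.com. 14400 IN TXT "v=DKIM1\\; k=rsa\\; p=%s" "%s"'
              % (P_SAMPLE[:CUT], P_SAMPLE[CUT:]))
ZONE_RECORD = ('x._domainkey 14400 IN TXT ( "v=DKIM1; k=rsa; p=%s"\n\t"%s" )'
               % (P_SAMPLE[:CUT], P_SAMPLE[CUT:]))
NO_SEMICOLONS = 'x._domainkey 3600 IN TXT ( "v=DKIM1 k=rsa p=%s" )' % P_SAMPLE
# One 400-character string: valid base64, but too long for a single TXT character-string.
OVERLONG = 'x._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=%s"' % ("A" * 400)

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def txt_strings(record):
    """Return the quoted character-strings of a TXT record, with \\; and \\" unescaped."""
    return [re.sub(r"\\(.)", r"\1", s) for s in QUOTED.findall(record)]

def parse_dkim(record):
    """Concatenate the strings (no separator, per RFC 6376) and read the tag=value list.
    Returns (tags, problems); an empty problems list means the record is usable."""
    strings = txt_strings(record)
    # Each character-string is at most 255 octets on the wire, which is why a
    # 2048-bit key record has to be split into several strings.
    problems = ["string %d exceeds 255 bytes" % i
                for i, s in enumerate(strings) if len(s.encode()) > 255]
    tags = {}
    for field in "".join(strings).split(";"):
        name, _, value = field.strip().partition("=")
        if name:
            tags[name.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa")
    if "p" not in tags:
        problems.append("p= missing")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= must be base64")
    return tags, problems
```

Without the semicolons the whole record is read as one v= tag, which is exactly the "unable to parse the v, k or p key" symptom; the 255-byte check is the reason the checker reports that multiple strings "can't be avoided".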
 