DKIM field only 512 chars; need the instructions for using tokens to fill the field

December 22, 2017

I've attempted to fill the TXT field in my DNS for the DKIM key. I'm getting a message that the field can only be 512 characters. These days you need a 2048 key. (1024 used to be good enough.) Anyway, there is a procedure to use tokens to fill in DNS fields in order to get around the problem. I was given this once by tech support and neglected to save it. I found a link to a web page for the procedure, but apparently Sammy the Whale ate the page.

So I need the procedure to fill a TXT field in DNS using a token. My recollection is you used curl from your server to do this, or maybe your PC.

1 Answer

I spent a while hacking on this and figured out the tricks. Hopefully this will save the next person an hour or two of head banging.

First, get a token from Digital Ocean. Go to your control panel. Click on API. Turns out my old token was still there. Anyway, generate a new token. You need to save this on your local PC, not your droplet. (Technically save it where you will be running curl, which probably is your local PC.) You can always go back to the control panel and regenerate the token by clicking on edit and following instructions.

The instructions to edit a DNS are found here:
DNS API instructions

Note there is a curl example at the right side of the page. However, it is not for entering the dkim parameter. What I did is read the instructions and changed the example for entering the dkim parameter. But there is a catch. The p parameter of the dkim public key will run over several lines. If you used opendkim-genkey, there will be continuations and such. In theory you could use them as is, but I couldn't get the api to work. What I suggest is using an editor (vi, nano, etc.) to create a file containing the curl command and run it using sh. I called mine feed_dkim. Here is a sanitized version of the file. (fake key, domain, etc.) What you want to make sure is your quoted fields look like mine, that is no nested quotes. The output of opendkim-genkey will add quotes that you don't need.

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer tokengoeshere" -d '{"type":"TXT","name":"default._domainkey","data":"v=DKIM1; k=rsa; s=email; p=nPnay721k2ApKmCXeg9DZgcZE4yr5Vw8P2nd3NeLSHYEuflTN0osXODUmFLqSxHnPnay721k2ApKmCXeg9DZgcZE4yr5Vw8P2nd3NeLSHYEuflTN0osXODUmFLqSxHnPnay721k2ApKmCXeg9DZgcZE4yr5Vw8P2nd3NeLSHYEuflTN0osXODUmFLqSxH","priority":null,"port":null,"ttl":1800,"weight":null,"flags":null,"tag":null}' "https://api.digitalocean.com/v2/domains/mydomain.com/records" 

Things to change:
1) Replace tokengoeshere with your token
2) The field after "name" is your key selector. I'm using tables, so I left it as default. (This depends on your opendkim setup.)
3) The field after "data" is your key. The p field is the long one. If you see slashes in your generated key, those are continuations. You need to delete them, basically getting the p field to be one long string.
4) Change mydomain.com to whatever your domain is.

I used vi to create the feed_dkim file. You should verify the file is one long line. Use the up/down arrow keys. If you have multiple lines, control J will join them.

On your PC:
sh feed_dkim

and hope for the best. There will be an error message if it bombs. You can go to your control panel and look at the results.

Since this is a DNS field, you will have to wait for DNS propagation. Once the field propagates, use this website to test your dkim.
dkim validator
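An added example, not from the answer above or from DigitalOcean's docs, that does the joining step from the answer in code: it parses the default.txt that opendkim-genkey writes into the one-line value the API wants, checks that the p= tag survived the join as valid base64 (a stray continuation or quote fails this check), and builds the same JSON body as the curl command. The genkey output and the key bytes in SAMPLE_GENKEY are constructed, the token is supplied by the caller (for instance from an environment variable on the PC, as the answer recommends), and post_record is only a thin urllib wrapper around the endpoint used in the answer.

```python
import base64
import json
import os
import re
import urllib.request

# Constructed sample of opendkim-genkey's default.txt output; the p= value is a
# short fake, not a real DKIM public key.
SAMPLE_GENKEY = '''default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "
\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"
\t  "AAAAB3NzaC1yc2EAAAADAQAB" )  ; ----- DKIM key default for example.com
'''

def parse_genkey(text):
    """Return (selector, txt_value) from opendkim-genkey output.

    genkey splits the record into several quoted strings across lines; DNS
    concatenates them, so the API value is simply the quoted pieces joined.
    """
    selector = text.split()[0]                 # e.g. default._domainkey
    pieces = re.findall(r'"([^"]*)"', text)    # text between each pair of quotes
    if not pieces:
        raise ValueError("no quoted strings found in opendkim-genkey output")
    return selector, "".join(pieces)

def check_record(txt_value):
    """One line, no quote characters, and the p= tag decodes as base64."""
    if "\n" in txt_value or '"' in txt_value:
        raise ValueError("record must be one line with no quote characters")
    m = re.search(r"p=([^;]*)", txt_value)
    if not m:
        raise ValueError("no p= tag found")
    # validate=True rejects any non-base64 character, e.g. a leftover continuation
    base64.b64decode(m.group(1).strip(), validate=True)
    return True

def build_payload(selector, txt_value, ttl=1800):
    """JSON body for POST /v2/domains/{domain}/records, as in the curl command."""
    return {"type": "TXT", "name": selector, "data": txt_value, "ttl": ttl}

def post_record(domain, payload, token):
    """Create the record; the token is passed in, never stored on the droplet."""
    req = urllib.request.Request(
        f"https://api.digitalocean.com/v2/domains/{domain}/records",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    sel, val = parse_genkey(SAMPLE_GENKEY)
    check_record(val)
    print(json.dumps(build_payload(sel, val), indent=2))
    # post_record("mydomain.com", build_payload(sel, val), os.environ["DO_TOKEN"])
```

Run it against a real default.txt by reading the file into parse_genkey instead of SAMPLE_GENKEY; the printed body is what the curl -d argument in the answer should contain.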
