BIND DNS Server won't start after installing and enabling DKIM

#1 Fri, 10/15/2010 - 22:53
sentient

Hello,

Today I installed and enabled the DKIM feature on my CentOS 5.5 64-bit server, and it turns out that the DNS server won't start now. Here is the error message that I get:

Failed to re-start service : Failed to start BIND : Starting named: Error in named configuration: dns_rdata_fromtext: /var/named/exampledomain.info.hosts:23: ran out of space zone {zone name}

I searched the internet and this forum to see if this issue has already been addressed by someone before, but I couldn't find anything, so it's possible that there is something wrong with my server.

Any help is appreciated. Thanks.

Mon, 10/18/2010 - 02:16
tabado

The problem comes from the length of the TXT record with the public key in BIND. I tried to split these across multiple lines and that solved the problem, but when I made a change to the DKIM settings in Virtualmin, the split records were joined.

I don't know where I can change the length of the new keys, but this would be the solution.

Mon, 10/18/2010 - 07:14 (Reply to #2)
trastevere

The problem is that Virtualmin is using a strong 2048-bit RSA key, so the public key gets very long. This is just not necessary; a 1024-bit key is more than sufficient. Some servers are using even 256-bit encryption.

So the question is, where can this be set to use a 1024-bit key? Is there a setting in some config file where this value can be modified, or is it hard-coded inside Virtualmin?

At this point the integrated DKIM is just unusable. Having to take care of splitting the public key inside the DNS record at every account creation is not a solution.

It would be great if this small issue got solved; otherwise we have to set up DKIM manually outside Virtualmin.

Mon, 10/18/2010 - 09:30
andreychek

I asked Jamie to take a look at your comments... in the meantime, I'll offer that it should be possible to have Virtualmin automatically generate the keys across multiple TXT records if that's indeed the only issue going on (Jamie will be able to comment more on that).

You're right that some servers use 256- and 512-bit keys, but that looks like it's a bit too insecure.

This Cisco blog entry has a pretty good writeup on all that, including a distribution of DKIM key sizes used on the Net today:

http://blogs.cisco.com/security/key_lengths_for_dkim_signatures/

Mon, 10/18/2010 - 11:47 (Reply to #5)
JamieCameron

You can adjust the size of the key Virtualmin generates at System Settings -> Virtualmin Configuration -> SSL settings -> Default SSL key size, although this applies to regular SSL certs too.

I will limit this to 1024 bits for DKIM in future.

Eric - are you sure it is possible to split a DKIM key across multiple TXT records?

Mon, 10/18/2010 - 13:31 (Reply to #6)
trastevere

Thank you for your response!

I've changed the SSL key size to 1024 and now it is working fine.

Mon, 10/18/2010 - 12:05
andreychek

are you sure it is possible to split a DKIM key across multiple TXT records?

Hmm, I've never tried any of this, but the best reference I have for how this might work is this text from an older copy of the opendkim installation guide:

http://webcache.googleusercontent.com/search?q=cache:aaajQ645FVIJ:www.op...

If you wish to use a large key in DNS, there are some limitations of which
you should be aware.  A TXT record in the DNS consists of a series of
strings each of which don't exceed 255 bytes.  This is a result of the
fact that each string is preceded by a length byte (which, of course,
can't exceed 255).  Furthermore, some DNS implementations don't allow
packets larger than 512 bytes.  Some RSA keys will exceed the 255 byte
limit once encoded with base64, so some special formatting must be
used to make such a record fit.  Failing to do so can cause an incomplete
record to be published or, worse, the nameserver to refuse to serve the
record or even the entire zone.

In the case of the BIND nameserver, there are two syntax rules one can use
to make a large record fit within these boundaries:

1) TXT substrings

Instead of a record like:

recname IN TXT "foobarbazblivitalphabravocharliedelta...zulu"

...one can also do:

recname IN TXT "foobar" "baz" "blivit" "alpha" ... "zulu"

(The "..." is meant to indicate continuation and is not a literal set of
three "." characters.)

You simply have to break up the large record into smaller strings such
that no string exceeds 255 bytes.  DKIM implementations will
reassemble TXT records broken down this way into the full original
single string before processing them.

2) Line continuations

It can be difficult for some to edit very long lines of text.
It's therefore desirable to have a mechanism to break very long
TXT records down so that they fit nicely within an editor window.
In BIND, this is done by enclosing the wrapped lines within
parentheses.  Continuing with the example above, this:

recname IN TXT "foobar" "baz" "blivit" "alpha" ... "zulu"

...can also be expressed as:

recname IN TXT ( "foobar" "baz" "blivit" "alpha"
  "bravo" "charlie" "delta" "echo"
  ...
  "yankee" "zulu" )

So using these two techniques, a very large public key could be encoded
in a DNS zone file as follows:

recname IN TXT ( "v=DKIM1; g=*; k=rsa; "
  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Z4F"
  "JEMHjJDuBmt25zvYFVejlARZGt1L8f0s1+rLxIPYkfCogQi+Y8"
  "oLEg9vvEKnLx9aogZzuNt6j4Sty3LgXxaIwHnMqk0LldbA/mh3"
  "wLZb16Wc6btXHON0o3uDipxqGK2iRLTvcgAnNDegseOS+i0aJE"
  "nNSl663ywRBp/QKezhUC7cnbqR/H8dz8pEOjeawNN3nexdHGsk"
  "+RaafYvCFvU+70CQORcsk+mxb74SwGT2CGHWxVywQA9yrV+sYk"
  "JpxaufZLo6xp0Z7RZmbf1eGlCAdhkEy+KYQpQkw2Cdl7iKIK4+"
  "17gr+XZOrfFLJ5IwpVK/a19m3BLxADf0Kh3oZwIDAQAB" )

So that doesn't appear to be multiple TXT records so much as it is a single record broken into multiple chunks :-)

-Eric
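Added example, not code from the thread, Virtualmin or OpenDKIM: a small Python helper that does what the quoted guide describes, cutting a DKIM TXT value into substrings of at most 255 bytes, rendering the BIND parenthesised form, and rebuilding the record the way a verifier does while rejecting any single string BIND would refuse. The 216/392-character lengths for 1024-bit and 2048-bit keys are assumed, and the key material is a constructed placeholder.

```python
"""Split a DKIM public-key TXT value into BIND-safe substrings (added example).

Each TXT <character-string> carries a one-byte length prefix, so no quoted string
may exceed 255 bytes; BIND rejects longer ones, and verifiers join the strings."""
import re

MAX_CHAR_STRING = 255
_QUOTED = re.compile(r'"([^"]*)"')  # DKIM records contain no quotes or backslashes


def split_txt(value: str, limit: int = MAX_CHAR_STRING) -> list[str]:
    """Cut one logical TXT value into pieces of at most `limit` bytes each."""
    if not 1 <= limit <= MAX_CHAR_STRING:
        raise ValueError("limit must be between 1 and 255")
    if '"' in value or "\\" in value:
        raise ValueError("quotes/backslashes would need zone-file escaping")
    raw = value.encode("ascii")
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def bind_txt_rr(owner: str, value: str, limit: int = MAX_CHAR_STRING) -> str:
    """Render `owner IN TXT ( "..." "..." )`, one quoted string per line."""
    quoted = ['"%s"' % s for s in split_txt(value, limit)]
    if len(quoted) == 1:
        return f"{owner} IN TXT {quoted[0]}"
    return f"{owner} IN TXT ( " + "\n  ".join(quoted) + " )"


def parse_bind_txt(rr_text: str) -> list[str]:
    """Return the quoted strings of a zone-file TXT RR, continuation lines included."""
    return _QUOTED.findall(rr_text)


def check_and_reassemble(rr_text: str) -> str:
    """BIND's side (no string over 255 bytes), then the verifier's side (join)."""
    strings = parse_bind_txt(rr_text)
    for s in strings:
        if len(s.encode("ascii")) > MAX_CHAR_STRING:
            raise ValueError(f"string of {len(s)} bytes exceeds 255: BIND would refuse it")
    return "".join(strings)


# Constructed placeholders, not real keys. Assumption: the base64 of an RSA
# SubjectPublicKeyInfo is 216 chars for a 1024-bit key and 392 for 2048-bit.
RECORD_1024 = "v=DKIM1; k=rsa; p=" + "A" * 216  # 234 bytes: fits in one string
RECORD_2048 = "v=DKIM1; k=rsa; p=" + "B" * 392  # 410 bytes: must be split
```

Running `bind_txt_rr("2010._domainkey", RECORD_2048, limit=50)` prints a record shaped like the guide's example above, while the 1024-bit record comes out as a single quoted string, which is why lowering the key size made the zone load.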

Mon, 10/18/2010 - 12:45 (Reply to #8)
JamieCameron

Ok, thanks .. for now I will just lower the key size, but will look into splitting it across multiple TXT strings in future if needed.

Mon, 10/18/2010 - 14:48
sentient

Thank you all for the great responses; changing the SSL key size to 1024 does fix the DNS issue. However, I'm still not seeing anything in e-mail headers that would indicate that DKIM is working. Is it maybe supposed to take some time for the DNS records to propagate?

Mon, 10/18/2010 - 16:06 (Reply to #10)
JamieCameron

You should see a DKIM-Signature: header added to all outgoing email .. although you will need to check for this on the recipient's system, as you won't see it in your "sent mail" folder.

If it is not showing up, check your mail log file /var/log/maillog or /var/log/mail.log for messages from postfix or the dkim-filter about why the header couldn't be added..

Mon, 10/18/2010 - 17:18
sentient

The DKIM-Signature: header is still not being added to outgoing email messages, even though the setting is enabled. I have checked my /var/log/maillog and there is nothing in there at all about headers or why they couldn't be added. In fact, the words "header" or "headers" don't even exist in that log file. Am I the only one with this problem?

Mon, 10/18/2010 - 18:53
sentient

I figured out what the problem is, I have these two lines in my /etc/postfix/header_checks file:

/^received: / IGNORE
/^X-Sender: / IGNORE

I need those to hide the sender's IP and host name. The reason is that my dynamic IP on my T-Mobile phone changes very often, and most of the time I get an IP address that's blacklisted in Spamhaus databases, and as a result I can't send any e-mails from my phone because they all end up in the spam folder. So I had to find a way to hide the IP address of the sender.

The DKIM header is being added to outgoing e-mails when I remove those lines. I guess I'm going to have to choose between hiding my phone's IP address and DKIM.

Thank you all.

Tue, 10/19/2010 - 19:28 (Reply to #13)
sgrayban

I need those to hide sender's IP and host name.

There used to be a setting to not include the sending IP but I do not see this anymore.

Tue, 10/19/2010 - 18:58
sgrayban

Changing the key size is not working for everyone. I manage a couple dozen servers and all of them are having issues with the DKIM key size.

Tue, 10/19/2010 - 19:25
sgrayban

I just went through 2 days of testing on this issue and this is what I found....

First, if you are using sendmail you must have this milter running last or the signature will break.

Second, only a 1024-bit key will work; anything higher will break BIND, and anything lower, like 512, will not pass.

Now if you do want to use 2048, which I do recommend, the key has to be split across multiple lines, something that VM is not doing currently. You will have to do this manually.

And the last thing I found is that if you force a new private key when setting a new SSL key size, it doesn't seem to write the new key out, so you will need to delete /etc/dkim.key.

Tue, 11/02/2010 - 18:58
crocman

Today I enabled DKIM within CentOS 5.5 i386; big mistake.

What a headache!

Everything that seems to work for the previous posts is not exactly working out for me, because my BIND DNS is down and gives no response no matter what I try, as previously mentioned above.

One thing is for sure: after all these problems I may have a small fraction of experience with Virtualmin.

I am getting at boot: dns_master_load: syntax error; unknown 2010._domainkey, although I previously changed to 1024 bits as well as deleting /etc/dkim.key before trying again.

Anyone have an idea?

Thanks

Tue, 11/02/2010 - 21:24 (Reply to #17)
andreychek

Yeah, there's some issues with the DKIM implementation ATM... my suggestion might be to disable DKIM until the next Virtualmin version comes out (which I think will be this week!).

The next release should have those issues resolved :-)

-Eric

Wed, 11/03/2010 - 11:02
crocman

After viewing my boot-up failure warnings I went back in and removed the DKIM records from my domains' /var/named/.hosts files as well.

Then I went back into my Domain Keys ID to reset for the previously configured 1024-bit settings.

Now the BIND DNS works.

Mon, 11/08/2010 - 14:23
sentient

I found another problem with DKIM which may or may not be caused by DKIM itself. For some reason the Joomla website is unable to send an e-mail created by Joomla's contact form. The e-mail gets stuck in Postfix's mail queue and it will just stay there until DKIM is disabled.

Has anyone else run into this?

Tue, 11/09/2010 - 00:15 (Reply to #20)
tabado

I also observed this problem.

Tue, 11/09/2010 - 09:14
andreychek

The e-mail gets stuck in Postfix's mail queue and it will just stay there until the DKIM is disabled.

Do you guys see any errors in your mail logs while those messages are sitting in the Postfix queue?

Also, the way DKIM functions was reworked a bit in Virtualmin 3.82, which should hopefully have fixed some issues. Were your DKIM settings generated with the most recent version of Virtualmin?

-Eric

Tue, 11/09/2010 - 13:47
sentient

I have not checked the mail log; I doubt I would know what to look for. And yes, this is happening on version 3.82.

Tue, 11/09/2010 - 15:04
JamieCameron

Anyone who is planning on setting up DKIM on Debian or Ubuntu should hold off until the 3.82-2 release of Virtualmin comes out, as I just discovered a bug that can cause the /etc/default directory to be deleted. Or you can enter something other than "default" for the selector name .. I recommend the current year, like 2010.
