DKIM on Peplink DNS


#1

Hi,

I have several Balance380s for my organization. We are trying to implement DKIM (to prevent forgery and authenticate our mail for better deliverability) but I can’t seem to get an entire public key into a text record for the Balance. From my understanding of DNS and UDP, the packets are limited to 512 bytes and each character of ASCII uses one byte, limiting the entire return message (or question) to 512 characters. So the text record itself + the name of the text record should fit within that limitation; otherwise the system would fail over to TCP. I don’t really want to fail over to TCP, and in any event, I don’t think that Peplink DNS supports TCP anyway. From what I can tell, though, Peplink simply truncates the record to 255 characters after I have pasted it into the web interface and saved the record. The RFC actually recommends 450 characters:

3.1.4. Record Size
The published SPF record for a given domain name SHOULD remain small
enough that the results of a query for it will fit within 512 octets.
This will keep even older DNS implementations from falling over to
TCP. Since the answer size is dependent on many things outside the
scope of this document, it is only possible to give this guideline:
If the combined length of the DNS name and the text of all the
records of a given type (TXT or SPF) is under 450 characters, then
DNS answers should fit in UDP packets. Note that when computing the
sizes for queries of the TXT format, one must take into account any
other TXT records published at the domain name. Records that are too
long to fit in a single UDP packet MAY be silently ignored by SPF
clients.

So how can I get a little closer to the maximum, which is exactly 400 characters + DNS name? I thought about lowering the key length from 2048 (which is what I would like) to 1024 (which is the smallest key gmail supports, for instance), but I was hoping to use the max; no particular reason other than it’s the max and I don’t want to have to touch it again once it’s set up.
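
Added example (not part of this thread, and not Peplink code): the 255-character figure comes from RFC 1035, where TXT RDATA is a sequence of `<character-string>`s of at most 255 octets each; a record longer than that is published as several strings, which a DKIM verifier concatenates (RFC 6376, section 3.6.2.2). The 512-octet limit is on the whole UDP response. The script below builds a DKIM TXT record for a 1024- and a 2048-bit RSA key, splits it into 255-octet strings, encodes a minimal DNS response on the wire, and reports whether it fits in 512 octets. The DER public key is a constructed random blob of the correct length (162 octets for RSA-1024, 294 for RSA-2048 with e=65537), so the length arithmetic is realistic without generating a real key; the selector and domain are placeholders.

```python
import base64
import os
import struct
from typing import List, Optional, Tuple

# Length of the DER SubjectPublicKeyInfo for an RSA key with e=65537; its
# base64 encoding is what goes into the DKIM "p=" tag.
SPKI_DER_BYTES = {1024: 162, 2048: 294}


def dkim_p_tag(key_bits: int, der: Optional[bytes] = None) -> str:
    """Return the base64 'p=' value. Without a real DER blob, a random blob of
    the right length is constructed (stand-in, not a usable key)."""
    if der is None:
        der = os.urandom(SPKI_DER_BYTES[key_bits])
    return base64.b64encode(der).decode("ascii")


def dkim_record(p: str) -> str:
    """Minimal DKIM key record as it would be typed into a TXT record."""
    return "v=DKIM1; k=rsa; p=" + p


def split_character_strings(txt: str, limit: int = 255) -> List[bytes]:
    """RFC 1035: each <character-string> in TXT RDATA is at most 255 octets.
    The verifier concatenates the strings with no separator (RFC 6376 3.6.2.2)."""
    data = txt.encode("ascii")
    return [data[i:i + limit] for i in range(0, len(data), limit)]


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def txt_rdata(strings: List[bytes]) -> bytes:
    """RDATA of a TXT RR: each string preceded by its one-octet length."""
    return b"".join(struct.pack("B", len(s)) + s for s in strings)


def udp_answer_size(owner: str, strings: List[bytes]) -> int:
    """Octets in a minimal response with one TXT RR: 12-octet header, the
    question (QNAME, QTYPE, QCLASS) and one answer whose owner name is a
    2-octet compression pointer to the question name (offset 12)."""
    qname = encode_name(owner)
    question = qname + struct.pack("!HH", 16, 1)          # QTYPE=TXT, QCLASS=IN
    rdata = txt_rdata(strings)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return 12 + len(question) + len(answer)


def fits_in_512(owner: str, key_bits: int) -> Tuple[int, int, bool]:
    """(record length in chars, number of 255-octet strings, fits in 512-octet UDP)."""
    rec = dkim_record(dkim_p_tag(key_bits))
    strings = split_character_strings(rec)
    return len(rec), len(strings), udp_answer_size(owner, strings) <= 512


if __name__ == "__main__":
    owner = "selector1._domainkey.example.com"   # placeholder selector/domain
    for bits in (1024, 2048):
        rec_len, n_strings, ok = fits_in_512(owner, bits)
        print(f"RSA-{bits}: record {rec_len} chars, {n_strings} TXT string(s), "
              f"fits in a 512-octet UDP answer: {ok}")
```

For the placeholder name, a 2048-bit key yields a 410-character record that needs two strings and a 474-octet answer, so it fits within 512 octets only if the DNS server can store and serve the record as two `<character-string>`s; a server that keeps a single string and truncates at 255 characters cannot publish it, which is exactly the limitation the thread describes. Other TXT records at the same name, or a longer selector and domain, add to the answer size and must be counted as the RFC quote says.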


#2

Hi,

With the current implementation limited to 255 characters, the only workaround is to limit your DKIM keys to 1024 bits. I have forwarded this to engineering to see if this limit can be increased.

Thanks,
-Jonan
-Peplink


#3

Jonan,

Thanks for the reply. I will use 1024 to work around the limitation for now.

Brian