DKIM Key Length

[sadwargamer]

Hi,

The DKIM key created is too long for the TXT entry field (limit 255 characters) - I understand that the latest version of cpanel uses 2048 key whereas a 1024 key from previous versions genertaed a key of 255 charcters or less.

As I cannot add a long TXT record can someone let me know who I can force WHM/Cpanel to use 1024 key size so I can create correct TXT entries.

Regards
Andy

 

[cPanelMichael]

Hello

Could you verify which version of cPanel is installed on your system? This should be addressed in cPanel version 11.50.

Thank you.

 

[sadwargamer]

Hi,

Yes I am on 11.50 but all new domains are created with the 2048 key - how can I change this to the 1024 key please.

thanks.

regards
andy

 

[cPanelMichael]

Could you verify why you can't add the long TXT record? For instance, do you mean you are adding it somewhere other than cPanel where the DNS is hosted? It should not be an issue adding it through cPanel.

Thank you.

 

[sadwargamer]

I need to add the DKIM as a TX record with my DNS provider and they do not support (currently) more than 255 characters otherwise of course I woudl use 2048...

I cannot be the only one in the world in this position

 

[cPanelMichael]

Hello

Internal case CPANEL-794 is open to address the improper handling of quotes and data length for TXT records (DKIM). You can monitor our change logs to see when this case has been resolved:

cPanel - Change Logs

Thank you.

 

[Pablo1981]

Has this been fixed yet?
I did not find the case in the logs!
This is urgent since it affects email!
Thanks

 

[cPanelMichael]

Internal case CPANEL-794 has not yet been released, but I do see activity on this case as recent as a few days ago. There's currently no exact time frame I can provide on when a resolution will be implemented, but please feel free to monitor our change log for the case number.

Thank you.

 

[dazeck]

Sorry to bump this thread, but I am having an issue with DKIM and I think it's due to this case number 794. Are we any closer to getting this resolved ? If not, how can we manually generate dkim and get email signing working. My old keys all work fine, but keys generated recently are failing and its for a new customer.

I get this when testing with verifier.port25.com

DKIM check details:
----------------------------------------------------------
Result: fail (signature doesn't verify)

 

[cPanelMichael]

but keys generated recently are failing and its for a new customer.

Could you verify if you have checked any alternate testing websites? You can also verify if the record appears with a command such as:

dig txt default._domainkey.domain.com @ns1.nameserver.com

Thank you.

 

[dazeck]

This appears to have rectified itself once I had logged a support ticket, typical. To get around this whilst waiting for the support team (the time difference doesn't help), I had to manually generate the keys. The following day, when disabled and re-enabled the DKIM setting against the account and checked using verifier.port25.com it verified ok. I have no idea why it wouldn't work one day then started to work the next.

 

[cPanelMichael]

I am happy to see the issue is now resolved. In general, it's a good idea to check via the "dig" command because third-party websites may use cached or incorrect methods of verifying the record.

Thank you.

 

[JamasWise]

If you are using Cloudflare, I finally found a work around. This might work for other DNS systems.

When cpanel displays the new longer keys on the email authentication screen it does so in the format that DNS system would do to maintain the 255 character limit of the TXT field. It does this by adding a quote " and space before the next part of the key. If you are pasting this into Cloudflare then strip out all the quotes and the space. Cloudflare when serving the record will split it. But if you paste it in split then it won't resolve correctly.

Hope this helps others.

 

[cPanelMichael]

Thank you for taking the time to provide a workaround for CloudFlare. I'm happy to see that addresses the issue.

 

[doekia]

humm, I feel really confused.

RFC-4408 - 3.1.3

As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
record (either TXT or SPF RR types) can be composed of more than one
string.
...
SPF or TXT records containing multiple strings are useful in
constructing records that would exceed the 255-byte maximum length of
a string within a single TXT or SPF RR record.

RFC-1035 - 3.3

<domain-name> is a domain name represented as a series of labels, and
terminated by a label with zero length. <character-string> is a single
length octet followed by that number of characters. <character-string>
is treated as binary information, and can be up to 256 characters in
length (including the length octet).

RFC-1035 - 3.3.14

TXT-DATA One or more <character-string>s.

RFC-1035 - 5.1

<character-string> is expressed in one or two ways: as a contiguous set
of characters without interior spaces, or as a string beginning with a "
and ending with a ". Inside a " delimited string any character can
occur, except for a " itself, which must be quoted using \ (back slash)

1/ I see no limit to 255 expressed "MUST" as part of the RFCs.
2/ Assuming there is one, it is 255, but cpanel build the strings as follow:

"v=DKIM1\; k=rsa\; p=first" "second\;"

With "v=DKIM1\; k=rsa\; p=first" been 260 characters.
Trail the quotes, count is 258 characters still.
Trail the back-quote (wonder why btw), count is 256 characters still.
ALL those characters count exceed 255 if it is a limit ?!?.

 

[cPanelMichael]

humm, I feel really confused.

Could you verify if you are using a third-party DNS provider to add the DKIM records, and if so, the name of that provider?

Thank you.

 

[havok89]

Has this been addressed yet?

I need to change the key length so that it fits with the limit on my DNS provider (fasthosts).

Just now the key is too long and like mentioned above it is broken with the quotation marks. the bit inside the quotation marks is 255 in length and would fit but I can't create the record with the second part after the split.

I can't find anything about how to change the key length, is it possible in cPanel, WHM or via SSH?

 

[cPanelMichael]

I need to change the key length so that it fits with the limit on my DNS provider (fasthosts).

We are considering options on how to best handle remote DNS providers that are not accepting the correct DKIM format (We provide a format that meets RFC standards). It's discussed on this thread:

How to Enter DKIM record into DNS Zone

Thank you.