Re: [***SPAM***] Public Key Quotes

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Tue, 9 Dec 2014 13:49:37 -0800 (PST)

On Tue, 9 Dec 2014, Steve Jenkins wrote:
> I noticed when looking at the public keys generated by opendkim-genkey that it's
> creating two sets of quotes, like so:
>
> default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
>          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDidoehaYkd35DIAvaobs10XM4Kp5Fc95FsCRaq
> jf9YraSrGeEYFLy3GFiIUa6tIhvO0JblZ04N0ZAfChnfeNNRTWuo7GT+YYPPHXqXlwS1/w/h+W8T5tb
> t0Ln8XrmDN2DlfQc3qrnXGhdIqc4DnKe3jbAfyIMXEzI0IYuu0+OoCwIDAQAB" )  ;
>
> For ease of copying and pasting the TXT entry into a web-based zone file form,
> is there any reason to not remove two of the quotes so that the file contents
> read:
>
> default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDidoehaYkd35DIAvaobs10XM4Kp5Fc95FsCRaqj
> f9YraSrGeEYFLy3GFiIUa6tIhvO0JblZ04N0ZAfChnfeNNRTWuo7GT+YYPPHXqXlwS1/w/h+W8T5tbt
> 0Ln8XrmDN2DlfQc3qrnXGhdIqc4DnKe3jbAfyIMXEzI0IYuu0+OoCwIDAQAB" )  ;
>
> ??
>
> Or would that violate the spec somehow?
>
> The latter is how I personally have my DNS records set up, and they seem to
> verify fine.

The RFC says a resolver finding several quoted strings is supposed to just
tack them all together again with no spaces in between, so generally it
shouldn't make a difference. The one thing to be aware of though is that
DNS has a hard limit of 255 characters between a single quote pair, so if
you reassemble them into a string bigger than that, things might not
behave properly.

The way opendkim-genkey works now is to put the "p=" (the key itself) in
its own string and the rest in another to try as hard as possible to avoid
that limit without actually breaking up the key. However, for
sufficiently large keys, that won't be enough.

The ideal thing to do would be to modify opendkim-genkey to break the key
up as well so that the chosen key size is never a problem. It also makes
it easy to fit the whole thing within 80 characters that way, which just
looks nicer. :-)

-MSK
Received on Tue Dec 09 2014 - 21:49:53 PST
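An added example, not code from opendkim or from this thread, showing in Python what the reply describes: the 255-octet limit per quoted string, splitting a DKIM record into several strings so it fits within 80 columns regardless of key size, and the resolver-side reassembly that simply concatenates the strings. The 392-character key value is a constructed placeholder standing in for a 2048-bit RSA key, and all function names are my own.

```python
import re

# RFC 1035: each <character-string> in TXT RDATA carries at most 255 octets.
MAX_STRING = 255

# Constructed placeholder: a 2048-bit RSA SubjectPublicKeyInfo is 294 bytes,
# which base64-encodes to 392 characters (a real key is not all 'A's).
SAMPLE_P = "A" * 392
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_P


def oversized_strings(strings):
    """Indices of strings a DNS server would reject or truncate (> 255 octets)."""
    return [i for i, s in enumerate(strings) if len(s.encode("ascii")) > MAX_STRING]


def split_record(record, max_len=MAX_STRING):
    """Cut the record into pieces of at most max_len octets, anywhere in the
    text: verifiers only see the concatenation, so cutting inside the
    base64 of p= is fine."""
    if not 1 <= max_len <= MAX_STRING:
        raise ValueError("max_len must be between 1 and 255")
    if '"' in record or "\\" in record:
        raise ValueError("record would need zone-file escaping")  # never true for DKIM
    return [record[i:i + max_len] for i in range(0, len(record), max_len)]


def join_strings(strings):
    """What a resolver/verifier does: concatenate with nothing in between."""
    return "".join(strings)


def zone_txt_rr(name, record, width=80):
    """Render a multi-string TXT RR whose continuation lines fit in `width`
    columns; each string is then automatically well under 255 octets."""
    indent = " " * 8
    chunk_len = width - len(indent) - 4          # room for quotes and trailing " )"
    lines = [f"{name}\tIN\tTXT\t("]
    lines += [f'{indent}"{chunk}"' for chunk in split_record(record, chunk_len)]
    lines[-1] += " )"
    return "\n".join(lines)


def strings_from_zone(text):
    """Pull the quoted strings back out of the rendered RR (no escape handling,
    which DKIM records never need)."""
    return re.findall(r'"([^"]*)"', text)


if __name__ == "__main__":
    print(zone_txt_rr("default._domainkey", SAMPLE_RECORD))
    # The single-string layout from the question breaks for a key this size:
    print("oversized strings:", oversized_strings([SAMPLE_RECORD]))
```

With the 2048-bit placeholder, both the single-string layout from the question and the two-string layout opendkim-genkey emits exceed 255 octets, while the fixed-width split passes.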

This archive was generated by hypermail 2.3.0 : Tue Dec 09 2014 - 21:54:01 PST