On Wed, Oct 15, 2025 at 09:39:29AM -0000, Stuart Henderson wrote:
> On 2025-10-14, Martijn van Duren <[email protected]> wrote:
> > On Tue, 2025-10-14 at 17:07 +0200, Jan Stary wrote:
> >>
> >> Should the pkg-readme of opensmtpd-filter-dkimsign be reviewed?
> >>
> > The main question has already been properly answered. As for this bit:
> > My main goal was to make it easy for people to generate and transform
> > keys with base-tooling, and not having to resort to obscure 3rd party
> > tools. And since the base commands were already there, it would be just
> > as easy to cast it into a full record format.
> > The <selector>._domainkey.<domain> bit is imo a non-intrusive extra bit
> > to make sure that people know the right context to place the generated
> > text and can use that as an anchorpoint to study further.
> >
> > If you can think of a similar non-obtrusive way to document the split
> > I'm not going to complain, but keep in mind that:
> > - I think that for a "simple" tool as dkimsign, the README is already
> > quite large
> > - The administrator should do research on how the DKIM protocol works as
> > a whole. Your question goes for all DKIM implementations, and I'm
> > reluctant to put generic information in a dkimsign(8) specific README.
> > There's also no further explanation on the tags and how they should be
> > used.
> > - I don't want to assume nsd, and there are vendors out there whose
> > web interfaces split up the lines for you, and there might be other
> > tools out there who might do the same.
>
> This isn't an NSD thing, it's a DNS standards thing, and applies to
> every nameserver (nsd, bind, knot, powerdns, ..), some DNS providers
> preprocess things going via their web interface (some of them probably
> also take care of missing trailing . in names too) but other than that
> splitting TXT is necessary for 2048-bit keys.
>
> As the readme suggests that it produces a key "ready for dns" I think
> it should be mentioned. One possible way:
>
> - doas -u _dkimsign openssl genrsa -out
> ${SYSCONFDIR}/mail/dkim/private.rsa.key 2048
> + doas -u _dkimsign openssl genrsa -out
> ${SYSCONFDIR}/mail/dkim/private.rsa.key 1024
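Review bot: Changing the genrsa argument from 2048 to 1024 avoids the TXT-string split by weakening the signing key; RFC 8301 section 3.2 makes 1024 bits the floor a signer may use and says signers SHOULD use at least 2048 bits, so the README should keep `2048` and document the split instead rather than steer administrators to the minimum size.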
>
> or another:
An example of what a split TXT record looks like would be good,
-Otto
>
> Index: pkg/README
> ===================================================================
> RCS file: /cvs/ports/mail/opensmtpd-filters/dkimsign/pkg/README,v
> diff -u -p -r1.4 README
> --- pkg/README 15 Nov 2022 11:27:20 -0000 1.4
> +++ pkg/README 15 Oct 2025 09:36:53 -0000
> @@ -11,8 +11,12 @@ To generate the public key ready for dns
> openssl rsa -in ${SYSCONFDIR}/mail/dkim/private.rsa.key -pubout | \
> sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;'
>
> -This value needs to be placed in a DNS txt record with the following syntax:
> - <selector>._domainkey.<domain>
> +This value needs to be placed in a DNS TXT record with the following syntax:
> + <selector>._domainkey.<domain> IN TXT ( "v=DKIM1; k=rsa; p=XXXXXXXXXXXXX"
> + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ) ;
> +
> +(Individual strings in a TXT record may not exceed 255 characters, so for
> +2048-bit RSA keys this must be split among multiple strings).
>
> Edit the /etc/mail/smtpd.conf file to declare the filter:
>
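Review bot: The example record on the `IN TXT (` line shows `v=DKIM1; k=rsa; p=`, but the sed pipeline two lines above emits `v=DKIM1;p=` with no `k=` tag and no spaces, so what the reader pastes will not match what the example shows; either add the tag in the sed substitution (`1s/.*/v=DKIM1;k=rsa;p=/`) or drop `k=rsa;` from the example, since rsa is the default key type. The trailing ` ;` after the closing `)` starts a comment in master-file syntax and is not part of the record, so it is better left out. Since the pipeline prints one long line, a hint on how to cut it into pieces of at most 255 characters (for example `fold -w 255` on the p= value) would make the new parenthetical actionable.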
> @@ -31,6 +35,10 @@ To generate the private key:
> To generate the public key ready for dns:
>
> printf "v=DKIM1;k=ed25519;p=%s\n" "$(doas -u _dkimsign openssl pkey
> -outform DER -pubout -in ${SYSCONFDIR}/mail/dkim/private.ed25519.key | tail
> -c +13 | openssl base64)"
> +
> +Keys are small enough that string splitting for TXT records is not required.
> +
> + <selector>._domainkey.<domain> IN TXT "v=DKIM1; k=ed25519;
> p=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> Edit the /etc/mail/smtpd.conf file to declare the filter:
>
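Review bot: The ed25519 example record is malformed: the string opened with `"v=DKIM1; k=ed25519;` is never closed, and the value continues on a second line without the `( ... )` grouping a multi-line record needs in master-file syntax. Put the whole record on one line, `<selector>._domainkey.<domain> IN TXT "v=DKIM1;k=ed25519;p=XXXX..."`, using the tag spelling the printf above actually produces (no spaces after the semicolons), or wrap it in parentheses as the RSA example does.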
>
>
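An added example, not code from the dkimsign README or from the patch above, showing what the split record Otto asks for looks like and that the quoted strings concatenate back to the original value, which is what a verifier sees; the selector, domain and key body are constructed placeholders:

```sh
#!/bin/sh
# Added example, not from the dkimsign README or the patch under discussion.
# dkim_txt_record SELECTOR DOMAIN VALUE
#   VALUE is the one-line "v=DKIM1;p=..." text (e.g. the output of the
#   openssl|sed pipeline in the README). It is emitted as a master-file TXT
#   record whose quoted strings are each at most 255 characters, the limit
#   for one <character-string> (RFC 1035); a split may fall anywhere.
dkim_txt_record() {
    selector=$1 domain=$2 rest=$3
    chunk=255
    printf '%s._domainkey.%s IN TXT (' "$selector" "$domain"
    while [ -n "$rest" ]; do
        piece=$(printf '%s' "$rest" | cut -c1-"$chunk")
        rest=$(printf '%s' "$rest" | cut -c"$((chunk + 1))"-)
        printf ' "%s"' "$piece"
    done
    printf ' )\n'
}

# Concatenate the quoted strings of a record read on stdin, which is what a
# DKIM verifier does with the TXT answer (RFC 6376 section 3.6.2.2); the
# result must equal the original VALUE regardless of where it was split.
dkim_txt_join() {
    awk '{ while (match($0, /"[^"]*"/)) {
               printf "%s", substr($0, RSTART + 1, RLENGTH - 2)
               $0 = substr($0, RSTART + RLENGTH) } }'
}

# Length of the longest quoted string in a record read on stdin.
dkim_txt_max_string() {
    awk '{ m = 0
           while (match($0, /"[^"]*"/)) {
               if (RLENGTH - 2 > m) m = RLENGTH - 2
               $0 = substr($0, RSTART + RLENGTH) }
           print m }'
}

# Constructed sample value, not a real key: the v=DKIM1;p= prefix followed by
# a 396-character placeholder body, about the length of a 2048-bit RSA key.
body=''
for i in 1 2 3 4 5 6 7 8 9; do
    body="${body}MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
done
SAMPLE_VALUE="v=DKIM1;p=$body"

# Prints one record with two strings, 255 and 151 characters long.
dkim_txt_record selector example.com "$SAMPLE_VALUE"
```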