On 2025-10-14, Martijn van Duren <[email protected]> wrote:
> On Tue, 2025-10-14 at 17:07 +0200, Jan Stary wrote:
>> 
>> Should the pkg-readme of opensmtpd-filter-dkimsign be reviewed?
>> 
> The main question has already been properly answered. As for this bit:
> My main goal was to make it easy for people to generate and transform
> keys with base-tooling, and not having to resort to obscure 3rd party
> tools. And since the base commands were already there, it would be just
> as easy to cast it into a full record format.
> The <selector>._domainkey.<domain> bit is imo a non-intrusive extra bit
> to make sure that people know the right context to place the generated
> text and can use that as an anchor point to study further.
>
> If you can think of a similar non-obtrusive way to document the split
> I'm not going to complain, but keep in mind that:
> - I think that for a "simple" tool as dkimsign, the README is already
>   quite large
> - The administrator should do research on how the DKIM protocol works as
>   a whole. Your question goes for all DKIM implementations, and I'm
>   reluctant to put generic information in a dkimsign(8) specific README.
>   There's also no further explanation on the tags and how they should be
>   used.
> - I don't want to assume nsd, and there are vendors out there whose
>   web interfaces split up the lines for you, and there might be other
>   tools out there who might do the same.

This isn't an NSD thing, it's a DNS standards thing, and applies to
every nameserver (nsd, bind, knot, powerdns, ..), some DNS providers
preprocess things going via their web interface (some of them probably
also take care of missing trailing . in names too) but other than that
splitting TXT is necessary for 2048-bit keys.

As the readme suggests that it produces a key "ready for dns" I think
it should be mentioned.. One possible way:

-  doas -u _dkimsign openssl genrsa -out 
${SYSCONFDIR}/mail/dkim/private.rsa.key 2048
+  doas -u _dkimsign openssl genrsa -out 
${SYSCONFDIR}/mail/dkim/private.rsa.key 1024
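Review bot: this alternative avoids the TXT split by lowering the generated RSA key from 2048 to 1024 bits; RFC 8301 sets 1024 bits as the minimum a signer MUST use and recommends 2048, so if this route is taken the README should state that the smaller key is a convenience choice and that a 2048-bit key needs a multi-string TXT record. The second variant, which keeps 2048 and documents the split, is the safer default.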

or another:

Index: pkg/README
===================================================================
RCS file: /cvs/ports/mail/opensmtpd-filters/dkimsign/pkg/README,v
diff -u -p -r1.4 README
--- pkg/README  15 Nov 2022 11:27:20 -0000      1.4
+++ pkg/README  15 Oct 2025 09:36:53 -0000
@@ -11,8 +11,12 @@ To generate the public key ready for dns
   openssl rsa -in ${SYSCONFDIR}/mail/dkim/private.rsa.key -pubout | \
     sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;'
 
-This value needs to be placed in a DNS txt record with the following syntax:
-   <selector>._domainkey.<domain>
+This value needs to be placed in a DNS TXT record with the following syntax:
+   <selector>._domainkey.<domain> IN TXT ( "v=DKIM1; k=rsa; p=XXXXXXXXXXXXX"
+       "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ) ;
+
+(Individual strings in a TXT record may not exceed 255 characters, so for
+2048-bit RSA keys this must be split among multiple strings).
 
 Edit the /etc/mail/smtpd.conf file to declare the filter:
 
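Review bot: the record example in this hunk shows the value as `v=DKIM1; k=rsa; p=...`, but the sed pipeline above emits `v=DKIM1;p=` with no `k=` tag and no spaces, so the text a reader pastes will not look like the example; either extend the substitution to `v=DKIM1;k=rsa;p=` or show the example with the command's exact output. Both forms are valid DKIM (`k=rsa` is the default and whitespace around `;` is permitted), so this is a consistency point, not a correctness one. The trailing `;` after the closing parenthesis begins a zone-file comment and can be dropped.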
@@ -31,6 +35,10 @@ To generate the private key:
 To generate the public key ready for dns:
 
   printf "v=DKIM1;k=ed25519;p=%s\n" "$(doas -u _dkimsign openssl pkey -outform 
DER -pubout -in ${SYSCONFDIR}/mail/dkim/private.ed25519.key | tail -c +13 | 
openssl base64)"
+
+Keys are small enough that string splitting for TXT records is not required.
+
+   <selector>._domainkey.<domain> IN TXT "v=DKIM1; k=ed25519; 
p=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
 Edit the /etc/mail/smtpd.conf file to declare the filter:
 
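Review bot: the ed25519 record example is missing its closing double quote (the line ends after the key placeholder), so as written it is not a loadable zone-file TXT RR; close the string. As in the RSA hunk, the printf above emits `v=DKIM1;k=ed25519;p=` without spaces, so the example should match that output or the text should note that spacing is optional. The statement that no splitting is needed holds: `tail -c +13` drops the 12-byte SubjectPublicKeyInfo prefix, leaving the 32-byte key, which base64-encodes to 44 characters, well under the 255-octet string limit.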


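The TXT-string split described in this message, as an added example that is not part of the thread's patch or the README: a POSIX sh script that builds the zone-file record from a DKIM value and splits it into 255-octet character-strings only when needed. Function names and the `sample_value` placeholder are mine; the lengths 392 and 216 assume the DER SubjectPublicKeyInfo sizes of 2048-bit (294 bytes) and 1024-bit (162 bytes) RSA keys.

```shell
#!/bin/sh
# Added example (not from the ports README): turn a DKIM record value into a
# zone-file TXT RR, splitting it into RFC 1035 character-strings of at most
# 255 octets when needed, as a 2048-bit RSA key requires.

# sample_value N: constructed value "v=DKIM1;p=" followed by N placeholder
# base64 characters; stands in for the real sed/openssl output.
sample_value() {
    printf 'v=DKIM1;p='
    awk -v n="$1" 'BEGIN { while (n-- > 0) printf "A"; print "" }'
}

# txt_strings_needed VALUE: number of <=255-octet strings the value needs.
txt_strings_needed() {
    echo $(( (${#1} + 254) / 255 ))
}

# dkim_txt_rr SELECTOR DOMAIN VALUE: print the RR, one quoted string per
# line inside parentheses when more than one string is needed.
dkim_txt_rr() {
    _owner="$1._domainkey.$2"
    if [ "${#3}" -le 255 ]; then
        printf '%s IN TXT "%s"\n' "$_owner" "$3"
        return 0
    fi
    printf '%s IN TXT (\n' "$_owner"
    printf '%s\n' "$3" | fold -w 255 | while IFS= read -r _chunk; do
        printf '    "%s"\n' "$_chunk"
    done
    printf ')\n'
}

# max_string_len RR: longest quoted string in the RR text; every string
# must be <= 255 octets or the nameserver will reject the zone.
max_string_len() {
    printf '%s\n' "$1" | awk -F'"' '
        { for (i = 2; i <= NF; i += 2) if (length($i) > m) m = length($i) }
        END { print m + 0 }'
}

# Demonstration: 2048-bit RSA SPKI is 294 DER bytes -> 392 base64 chars,
# 1024-bit is 162 bytes -> 216 chars; only the first needs two strings.
dkim_txt_rr sel example.org "$(sample_value 392)"
dkim_txt_rr sel example.org "$(sample_value 216)"
```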