Domino DKIM public export has a trailing NUL char and DNS TXT entries should be in quotes
Daniel Nashed – 7 December 2024 11:42:05
A while ago I wrote a small helper application to automate DKIM creation.
It performs all the steps needed from key creation to export and can also use the formula-based CertMgr DNS API integrations (I rewrote the logic in LotusScript; CertMgr has a C implementation).
When looking into my DNS TXT records on Cloudflare I noticed the missing quotes.
Cloudflare DNS detects that they are missing and stores them correctly anyway.
But their UI also shows that the entries are not quoted.
Here is an entry in the right format, as produced by the keymgmt export command below it:
"v=DKIM1; k=ed25519; p=8XEdKsnPk9HkHWKquLdfx5J7RqKh+4heMht3AjrmVU0=;"
keymgmt export DKIM DNS csi-domino.com ed20241206 csi_domino_com_ed20241206.txt
When adding the quotes in my application for generating the right DNS TXT entries, I ran into an issue where LotusScript was not able to add a quote at the end of the string.
Looking at the file showed the NUL char, which I had seen before on Linux when working with a customer.
Now this all makes sense to me and I understand the ^@ (vi's display of a NUL byte) I had seen earlier at that customer.
My application first removes the NUL char when reading the Notes Stream and adds the quotes.
Here is how it looks in Notepad++ and vi with the NUL char:
(Screenshot: Notepad++)
(Screenshot: vi)
SPR #DNADDBPM94 DKIM exported TXT file contains NUL
A new SPR was created yesterday; the fix will remove the trailing NUL.
In the meantime you should carefully check the DNS TXT records. Having quotes around the value in the TXT file is only a convenience feature.
DNS TXT Records should be in quotes
The TXT file content is also not quoted. This is mainly because nobody can really say what particular DNS admin interfaces expect.
But the resulting DNS record should always be quoted.
Quoting gets more difficult when you have to split the entry manually, because a single string in a DNS TXT record is limited to 255 bytes.
With an Ed25519 key you are pretty safe, and an RSA 1024 key is also OK. The fun begins with an RSA 2048 key.
I would anyhow recommend an Ed25519 and an RSA 1024 key in parallel. There isn't really a need for RSA 2048, and you risk software on the other side failing to read the large DNS TXT record.
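The two clean-up steps discussed above, removing the trailing NUL from the exported file and splitting the quoted value into strings of at most 255 bytes, as an added Python example. This is not the author's LotusScript tool or any Domino code: the sample export bytes (with the key value from the post and an appended NUL), the RSA 2048-style long value made of repeated "A" characters, and the field names of the JSON API body are constructed for illustration. The record name is composed from the post's selector and domain using the standard _domainkey convention.

```python
"""Normalize a Domino `keymgmt export DKIM DNS` text file into a DNS TXT record.

Added example, not part of the Domino tooling: it strips the trailing NUL,
splits values longer than 255 bytes into several quoted strings (the
RFC 1035 <character-string> limit) and escapes the result for a JSON API body.
"""
import json

MAX_CHARACTER_STRING = 255  # RFC 1035: one <character-string> in TXT RDATA holds at most 255 bytes

# Constructed sample of the exported file: the value line plus the trailing NUL
# byte (\x00) described in the post. The key bytes are illustrative, not a real key.
SAMPLE_EXPORT = b"v=DKIM1; k=ed25519; p=8XEdKsnPk9HkHWKquLdfx5J7RqKh+4heMht3AjrmVU0=;\x00"


def has_trailing_nul(raw: bytes) -> bool:
    """Detect the defect tracked as SPR #DNADDBPM94: the file ends with a NUL byte."""
    return raw.endswith(b"\x00")


def clean_export(raw: bytes) -> str:
    """Return the bare record value: NUL bytes, line endings and any existing quotes removed."""
    text = raw.decode("ascii").replace("\x00", "")
    return text.strip().strip('"')


def split_character_strings(value: str, limit: int = MAX_CHARACTER_STRING) -> list[str]:
    """Split into chunks of at most `limit` bytes; DKIM verifiers concatenate them again (RFC 6376 3.6.2.2)."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def quote_for_zone(value: str) -> str:
    """Zone-file RDATA: every chunk in double quotes, embedded backslashes and quotes escaped."""
    chunks = split_character_strings(value)
    return " ".join('"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks)


def api_payload(name: str, value: str) -> str:
    """JSON body for a generic provider API (field names hypothetical); json.dumps escapes the quotes."""
    return json.dumps({"type": "TXT", "name": name, "content": quote_for_zone(value)})


if __name__ == "__main__":
    if has_trailing_nul(SAMPLE_EXPORT):
        print("export file has a trailing NUL, stripping it")
    value = clean_export(SAMPLE_EXPORT)
    print(quote_for_zone(value))
    # Constructed RSA 2048-style value: a 392-character base64 blob needs two strings.
    long_value = "v=DKIM1; k=rsa; p=" + "A" * 392 + ";"
    print(quote_for_zone(long_value))
    print(api_payload("ed20241206._domainkey.csi-domino.com", value))
```

Run it against the real export file by reading it in binary mode (`open(path, "rb").read()`) instead of SAMPLE_EXPORT; reading in binary is what makes the NUL visible rather than silently dropped by the text layer. The Ed25519 value fits in one string, so only the RSA example produces two quoted chunks.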
My DKIM / DMARC setup database is still under test. Only a couple of people use it so far.
I just updated it to read and write the quotes properly. The DNS TXT API I am borrowing from CertMgr now also properly escapes the quotes in JSON data.
Conclusion:
Usually customers have no automation for creating those DNS TXT records, and a DNS admin should know about adding the quotes.
It hit me because I took the file 1:1 and added the text to a DNS record using a provider API.
The NUL char mostly isn't a problem, because when you copy & paste from an editor it usually just disappears.
Here are the key takeaways:
- Be aware of the extra NUL char
- Add quotes around DNS TXT records
- You might need to split the data manually depending on your provider if the string exceeds 255 bytes