
One line DKIM entry#187

Merged
link2xt merged 1 commit intomainfrom
link2xt/one-line-dkim-entry
Feb 17, 2024

Conversation

link2xt (Contributor) commented Jan 20, 2024

Generating our own DKIM entry, as it is easy to do without opendkim-genzone, and a single line is easier to copy-paste for admins who are using DNS providers with bad web interfaces that require copy-pasting DNS values into single-line fields.

Based on #186

link2xt (Contributor, Author) commented Jan 20, 2024

Previously the entry looked like this:

$ dig +short TXT opendkim._domainkey.c20.testrun.org 
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2K6P62IHIe6gr" "AS/uTRaL9rvjpy7NFqF/Wy53V8TDrklOEetTWiA27I1lQeRbQqlERiFbSQWZQrBlQr" "ArurnD113LLgduxDNJKeFK9m9QGilQcnHo2UUmm8WCQBtoMbGNk+LQwOE1/9GvPNQt" "YZUUd0qjK7TEOU/9wZJbad7HGxBX+sh/DfJ42gLEbkcOiEf1iq8M1nqmrz8k4V1hJj" "uLZeVv5CzBfEO4lN65YbkE/sc2LoxPson0RyM1KB7faHYbDsTT6U+Ti4rQb0PJfGRa" "7DCY0xrEtbXsdzexVdYcDKu8PAM59m6p7RYOPim5rNuz7y8yC0VpgFUadbNSJclhwI" "DAQAB"

Now:

"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2K6P62IHIe6grAS/uTRaL9rvjpy7NFqF/Wy53V8TDrklOEetTWiA27I1lQeRbQqlERiFbSQWZQrBlQrArurnD113LLgduxDNJKeFK9m9QGilQcnHo2UUmm8WCQBtoMbGNk+LQwOE1/9GvPNQtYZUUd0qjK7TEOU/9wZJbad7HGxBX+sh/DfJ42gLEbkcOiEf1iq" "8M1nqmrz8k4V1hJjuLZeVv5CzBfEO4lN65YbkE/sc2LoxPson0RyM1KB7faHYbDsTT6U+Ti4rQb0PJfGRa7DCY0xrEtbXsdzexVdYcDKu8PAM59m6p7RYOPim5rNuz7y8yC0VpgFUadbNSJclhwIDAQAB;s=email;t=s"

Hetzner seems to have split the single line with one " " in the middle anyway, so we need to make our comparison tolerate this, or split our single line into shorter strings if there is a good reason for this.

link2xt (Contributor, Author) commented Jan 20, 2024

It would also be nice to use ed25519 keys (https://datatracker.ietf.org/doc/rfc8463/), but maybe they are not that widely supported yet. Otherwise ed25519 keys look very nice and are much easier to deal with; you can check some examples at https://www.mailhardener.com/kb/how-to-use-dkim-with-ed25519

There are reports that it is not supported yet by any large email provider:
https://serverfault.com/questions/1023674/is-ed25519-well-supported-for-the-dkim-validation

Signing with both will just make outgoing messages larger.

link2xt force-pushed the link2xt/one-line-dkim-entry branch from 9d0cc3e to e354e8a, January 20, 2024 19:34
link2xt marked this pull request as ready for review January 20, 2024 19:34
link2xt force-pushed the link2xt/one-line-dkim-entry branch from e354e8a to 7765cce, January 20, 2024 21:51
link2xt self-assigned this Jan 20, 2024
link2xt force-pushed the link2xt/opendkim branch 2 times, most recently from 8b899f3 to cfb89ae, January 24, 2024 01:43
missytake changed the base branch from link2xt/opendkim to main January 26, 2024 12:01
missytake (Contributor):
What's the state of this PR? I changed the base branch to main, as we merged #186... but this branch contains the outdated cd3aa73 commit and would work better without it, I guess?

link2xt force-pushed the link2xt/one-line-dkim-entry branch from 7765cce to bf7c367, January 26, 2024 15:41
link2xt (Contributor, Author) commented Jan 26, 2024

I rebased it, you can test it.

link2xt force-pushed the link2xt/one-line-dkim-entry branch from bf7c367 to 9ab615b, January 30, 2024 18:51
missytake (Contributor):
Hm, the zonefile is not written properly; nsd throws an error in the CI: https://github.com/deltachat/chatmail/actions/runs/7717289390/job/21036055628?pr=187

but cece3dc is no proper fix either; it results in this faulty DNS record:

$ dig @ns.testrun.org TXT opendkim._domainkey.staging.testrun.org

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @ns.testrun.org TXT opendkim._domainkey.staging.testrun.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37353
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;opendkim._domainkey.staging.testrun.org. IN TXT

;; ANSWER SECTION:
opendkim._domainkey.staging.testrun.org. 300 IN	TXT "v=DKIM1"

;; AUTHORITY SECTION:
staging.testrun.org.	300	IN	NS	ns.testrun.org.

;; Query time: 52 msec
;; SERVER: 65.21.248.64#53(ns.testrun.org) (UDP)
;; WHEN: Wed Jan 31 00:26:08 CET 2024
;; MSG SIZE  rcvd: 105

missytake (Contributor) commented Jan 30, 2024

Ah, that was because it didn't use quotes, and then nsd treats the ; as a comment.

But 0a0e7f4 doesn't help either, it leads to this error:

root@ns:~# nsd-checkzone staging.testrun.org /etc/nsd/staging.testrun.org.zone
[2024-01-30 23:31:07.594] nsd-checkzone[62544]: error: /etc/nsd/staging.testrun.org.zone:36: text string is longer than 255 characters, try splitting it into multiple parts
zone staging.testrun.org file /etc/nsd/staging.testrun.org.zone has 1 errors

Which suggests that one line DKIM records are not possible because of DNS limits :/ Maybe we have to drop this approach.

link2xt (Contributor, Author) commented Jan 30, 2024

> Which suggests that one line DKIM records are not possible because of DNS limits :/ Maybe we have to drop this approach.

Should still be possible if we split into multiple strings. They don't have to be on multiple lines.

link2xt force-pushed the link2xt/one-line-dkim-entry branch from 9ab615b to fac2274, January 30, 2024 23:50
link2xt marked this pull request as draft January 30, 2024 23:52
link2xt force-pushed the link2xt/one-line-dkim-entry branch from fac2274 to b008225, January 31, 2024 00:11
link2xt marked this pull request as ready for review January 31, 2024 00:11
link2xt (Contributor, Author) commented Jan 31, 2024

I think I fixed it.

(Three comments by missytake were marked as outdated.)

missytake (Contributor) left a comment

With the dot at least the zonefile works, but cmdeploy dns still throws an error:

$ cmdeploy dns
Checking your DKIM keys and DNS entries...
[$ ssh root@staging.testrun.org -- acmetool account-url]
[$ ssh root@staging.testrun.org -- openssl rsa -in /etc/dkimkeys/opendkim.private -pubout 2>/dev/null | awk '/-/{next}{printf("%s",$0)}']
Traceback (most recent call last):
  File "/home/user/code/chatmail/venv/bin/cmdeploy", line 8, in <module>
    sys.exit(main())
  File "/home/user/code/chatmail/cmdeploy/src/cmdeploy/cmdeploy.py", line 304, in main
    res = args.func(args, out, **kwargs)
  File "/home/user/code/chatmail/cmdeploy/src/cmdeploy/cmdeploy.py", line 85, in dns_cmd
    exit_code = show_dns(args, out)
  File "/home/user/code/chatmail/cmdeploy/src/cmdeploy/dns.py", line 146, in show_dns
    if current.replace('" "', "") != value:
AttributeError: 'NoneType' object has no attribute 'replace'
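The two problems discussed in this thread, fitting a >255-octet DKIM record on one zonefile line by splitting it into quoted strings, and comparing the published record in a way that tolerates a provider re-splitting it (Hetzner's extra " ") and does not crash when no record exists (the AttributeError above), as an added Python example. This is not the chatmail project's cmdeploy code; the sample keys, owner name and function names are constructed for illustration. It also shows, as a generalization of the ed25519 remark earlier in the thread, that an ed25519 record is short enough to fit in a single string.

```python
import base64
import re
from typing import Optional

# RFC 1035: each <character-string> in TXT RDATA is at most 255 octets,
# which is exactly the limit nsd-checkzone complained about.
MAX_TXT_STRING = 255

# Constructed sample inputs (not real keys): a base64 blob of realistic
# length standing in for a 2048-bit RSA SubjectPublicKeyInfo (~392 chars),
# and a 32-byte ed25519 public key (44 base64 chars).
SAMPLE_RSA_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 342 + "IDAQAB"
SAMPLE_ED25519_B64 = base64.b64encode(bytes(range(32))).decode()


def dkim_txt_value(pubkey_b64: str, key_type: str = "rsa") -> str:
    """Logical (unsplit) DKIM1 record value, in the tag layout used in this PR."""
    return f"v=DKIM1;k={key_type};p={pubkey_b64};s=email;t=s"


def split_txt(value: str) -> list[str]:
    """Split a value into <=255-octet strings; longer values cannot be one string."""
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]


def zonefile_txt(owner: str, value: str, ttl: int = 300) -> str:
    """One zonefile line, every string quoted.

    Quoting is mandatory: an unquoted ';' starts a comment in nsd/BIND zone
    syntax, which is how the record collapsed to just "v=DKIM1" above.
    """
    quoted = " ".join(f'"{s}"' for s in split_txt(value))
    return f"{owner}. {ttl} IN TXT {quoted}"


def txt_strings(line: str) -> list[str]:
    """Quoted strings of one TXT presentation line (base64 has no quotes/backslashes)."""
    return re.findall(r'"([^"]*)"', line)


def parse_dig_short(output: Optional[str]) -> list[str]:
    """Record values from `dig +short TXT` output, one per line, strings re-joined.

    Joining before comparing makes the check independent of where the provider
    (or our zonefile) split the value. Missing output yields [] rather than
    None, so the caller never does None.replace(...).
    """
    if not output:
        return []
    records = []
    for line in output.splitlines():
        strings = txt_strings(line)
        if strings:
            records.append("".join(strings))
    return records


def dkim_record_matches(expected: str, dig_output: Optional[str]) -> bool:
    """True iff some published TXT record equals the expected value exactly."""
    return expected in parse_dig_short(dig_output)


if __name__ == "__main__":
    owner = "opendkim._domainkey.example.org"
    print(zonefile_txt(owner, dkim_txt_value(SAMPLE_RSA_B64)))
    print(zonefile_txt(owner, dkim_txt_value(SAMPLE_ED25519_B64, "ed25519")))
```

Run it to see the two zonefile lines: the RSA value comes out as two quoted strings on one line, the ed25519 value as a single string. The comparison deliberately joins strings rather than stripping a literal `" "` from the text, so a provider that splits at a different offset, or into three strings, still compares equal.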

link2xt force-pushed the link2xt/one-line-dkim-entry branch 2 times, most recently from 0b2b599 to 2dda9e6, January 31, 2024 19:54
missytake (Contributor):
Hm, you force-pushed two times since my last review, did you change more than just the .?

link2xt force-pushed the link2xt/one-line-dkim-entry branch from a87990d to 1434238, February 17, 2024 09:34
link2xt merged commit 1434238 into main Feb 17, 2024