This object is in archive! 

Set larger DKIM keys.

WiredTree Joe shared this idea 9 years ago
Completed

The current 768 bit key can be considered to be too short. It would be nice to have control over the size of the DKIM keys that are set for cPanel accounts with options of 1024 or 2048 bits keys in the WHM. It seems that at least Gmail is rejecting smaller DKIM key sizes.

http://blog.returnpath.com/blog/ken-takahashi/google-is-failing-your-perfectly-good-dkim-key-and-why-thats-a-good-thing

Best Answer

The work for this feature has been completed, and it is scheduled for release in 11.50.

We need to replace MyDNS with an alternative before we can enable this functionality, as MyDNS has problems handling TXT records with more than 255 characters.


It's likely feasible to replace MyDNS with PowerDNS (there is already a feature request here for this: http://features.cpanel.net/responses/powerdns-as-nameserver-program-option)

Replies (28)


According to the above article, Google is now rejecting mail with 512 bit keys and has said it will only accept mail with 768 bit keys for a few weeks. I've also read reports of people receiving warning messages from Google if their server has weak DKIM keys.


There is also a CERT advisory out on the issue:

http://www.kb.cert.org/vuls/id/268267


Prior to 11.34.1, DKIM keys generated by cPanel & WHM were 768 bits in length. As of 11.34.1, new keys are 1024 bits in length. This change is also backported to 11.32 and 11.30, and will be available in the next release of those versions.


Right now our utilities do not provide a way of upgrading the keys.


Would disabling then re-enabling the feature in cPanel cause a new key to be generated? Or is there something that could manually be cleared to force it? I have one of the 768 bit keys that has been cracked and is actively being used by spammers to send messages so I need to figure out a way to change the key.

By the way, all the big players (Google, Microsoft, Yahoo, etc.) have gone to 2048 bits. I would suggest that be the default for future releases.


What Doug said. Also, I have 11.34.1 installed and just added DKIM to a domain but test emails still show "(weak key)" when scoping out the headers in Gmail.


Doug Smith wrote:

Would disabling then re-enabling the feature in cPanel cause a new key to be generated? Or is there something that could manually be cleared to force it? I have one of the 768 bit keys that has been cracked and is actively being used by spammers to send messages so I need to figure out a way to change the key.

By the way, all the big players (Google, Microsoft, Yahoo, etc.) have gone to 2048 bits. I would suggest that be the default for future releases.

Unfortunately, no. The only way, at time of writing, to upgrade keys is to manually remove all the keys, and regenerate them. We are currently working on changes that will upgrade a key in place.


There are some technical challenges to using key sizes larger than 1024. The public key is stored in a TXT DNS RR. These kinds of RRs are limited to 255 characters. Key sizes larger than 1024 cause the key to exceed this limitation. We are examining the situation to determine how to provide larger key sizes.


Darren Benfer wrote:

What Doug said. Also, I have 11.34.1 installed and just added DKIM to a domain but test emails still show "(weak key)" when scoping out the headers in Gmail.

Did the account that owns the domain already have DKIM installed on other domains?


Kenneth Power wrote:

Did the account that owns the domain already have DKIM installed on other domains?

Hm, yes it did.


Edit: Hey I can post using my forum login? TIL


Ok, correct account now (sorry). I have disabled DKIM on those accounts that had it set up previously under that reseller. While we await a solution will turning off DKIM have a negative effect with regard to email delivery to Gmail?


Kenneth Power wrote:

The only way, at time of writing, to upgrade keys is to manually remove all the keys, and regenerate them.

I have been able to successfully do this. For anyone else trying the same thing, here's what I did:


Go into cPanel for a domain and disable DKIM under Email Authentication.


Delete the key files for the domain from /var/cpanel/domain_keys/public/ and /var/cpanel/domain_keys/private/. They will have been renamed with ".removed" at the end when DKIM was disabled.

Go back into cPanel and re-enable DKIM. New keys and a new DNS TXT record will be generated.


Kenneth Power wrote:

There are some technical challenges to using key sizes larger than 1024. The public key is stored in a TXT DNS RR. These kinds of RRs are limited to 255 characters. Key sizes larger than 1024 cause the key to exceed this limitation. We are examining the situation to determine how to provide larger key sizes.

Apparently, it can be split across multiple TXT records. There's some information about it in the OpenDKIM readme at http://www.opendkim.org/opendkim-README. Look for the section titled "Large Keys". It wasn't clear to me how it would know what order to reassemble them in, though.
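A worked illustration of the splitting and reassembly discussed above (added example, not cPanel's or OpenDKIM's code): the key is split into RFC 1035 character-strings of at most 255 octets inside one TXT RR, and a verifier concatenates them in RDATA order before parsing the tag list. The key bytes are constructed placeholders with the DER length of real 1024-bit and 2048-bit RSA public keys; the last function mimics the editor bug reported later in this thread, where `" ` lands inside the key.

```python
import base64
import binascii
import re

MAX_CHARACTER_STRING = 255  # RFC 1035: each <character-string> in TXT RDATA is at most 255 octets
PREFIX = "v=DKIM1; k=rsa; p="

# Constructed placeholder key material: zero bytes with the DER SubjectPublicKeyInfo
# length of a real 1024-bit (162 bytes) and 2048-bit (294 bytes) RSA public key,
# giving base64 p= values of 216 and 392 characters respectively.
KEY_1024_B64 = base64.b64encode(b"\x00" * 162).decode("ascii")
KEY_2048_B64 = base64.b64encode(b"\x00" * 294).decode("ascii")


def dkim_txt_value(pubkey_b64: str) -> str:
    """Logical TXT value published at <selector>._domainkey.<domain>."""
    return PREFIX + pubkey_b64


def split_character_strings(value: str, limit: int = MAX_CHARACTER_STRING) -> list[str]:
    """Cut the value into <=255-octet strings; their position here is their order in the RDATA."""
    raw = value.encode("ascii")
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def zone_rdata(strings: list[str]) -> str:
    """Zone-file form of ONE TXT RR: adjacent quoted strings, e.g. "v=DKIM1; ...AAA" "AAA..."."""
    return " ".join('"%s"' % s for s in strings)


def reassemble(strings: list[str]) -> str:
    """Verifier side (RFC 6376 3.6.2.2): concatenate in RDATA order with no separator."""
    return "".join(strings)


def parse_dkim_tags(value: str) -> dict[str, str]:
    """Parse the tag=value list; whitespace inside a value is folding whitespace and is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def p_is_valid_base64(p: str) -> bool:
    """True if p= is strict base64; a stray quote or other character makes it fail."""
    try:
        base64.b64decode(p, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def mangled_p(pubkey_b64: str) -> str:
    """Mimic the DNS-editor bug from this thread: the value is broken at 255 characters
    and '" ' is inserted into the value itself, so a quote ends up inside p=."""
    broken = '" '.join(split_character_strings(dkim_txt_value(pubkey_b64)))
    return parse_dkim_tags(broken)["p"]
```

A 1024-bit record is 234 characters and fits in a single string; a 2048-bit record is 410 characters and needs two, which is exactly the case the thread says the editor and MyDNS mishandle.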


Doug Smith wrote:

I have been able to successfully do this. For anyone else trying the same thing, here's what I did:


Go into cPanel for a domain and disable DKIM under Email Authentication.


Delete the key files for the domain from /var/cpanel/domain_keys/public/ and /var/cpanel/domain_keys/private/. They will have been renamed with ".removed" at the end when DKIM was disabled.

Go back into cPanel and re-enable DKIM. New keys and a new DNS TXT record will be generated.

Does this regenerate a 1024-bit key or a 768-bit one?


I've tried to set larger keys and I can't. Ugggh... I'm getting my bulk mail denied and my sender reputation is hurting. HOW DO I FIX THIS?


Please, someone from cPanel, post instructions because the standard DKIM instructions do not generate acceptable new keys.


Doug Smith wrote:

I have been able to successfully do this. For anyone else trying the same thing, here's what I did:


Go into cPanel for a domain and disable DKIM under Email Authentication.


Delete the key files for the domain from /var/cpanel/domain_keys/public/ and /var/cpanel/domain_keys/private/. They will have been renamed with ".removed" at the end when DKIM was disabled.

Go back into cPanel and re-enable DKIM. New keys and a new DNS TXT record will be generated.

I wish I could say this is working, but it isn't. My keys are not 1012 bit, regenerated or not.


Got it working. It's important to mention restarting Exim and Apache after regenerating keys.


@Doug Smith, @mykkal. Thank you! C'mon, cPanel, none of your customers should be needing to search for such information. It should be SIMPLE to regenerate the keys for DKIM... it's not like we waited the best part of a decade for you to support DKIM at all... oh, did we?


We still have this issue; after Doug's recommendation I still have an issue with Google.

Here is what Google says:


Received-SPF: softfail (google.com: domain of transitioning info@xxx.co.uk does not designate xxxx:xxx:x:xxxx::x:xxx as permitted sender) client-ip=xxxx:xxx:x:xxxx::x:xxx;

Authentication-Results: mx.google.com;

spf=softfail (google.com: domain of transitioning info@xxx.co.uk does not designate xxxx:xxx:x:xxxx::x:xxx as permitted sender) smtp.mail=info@xxx.co.uk;

dkim=fail header.i=@xxx.co.uk

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xxx.co.uk; s=default;

h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From; bh=86AQvdHe/xjNHguNWzbpWJ9alGT+anrh8JvSh9aFukM=;


And emails going to spam folder...


Important note: It may take a while before the changed DNS TXT record is seen. For mail servers that have been receiving emails from your server, they may take longer to see because the TXT lookup result is probably served from its DNS cache. The default TTL for the TXT RR is 14400 secs.


BTW, DirectAdmin has had 2048-bit key since late 2012. http://forum.directadmin.com/showthread.php?t=44891. Come on, keep up cPanel!


I am tired of having emails flagged as having bad keys because the DNS editor does not work correctly when adding longer keys.


At the very least the DNS editor needs to be fixed to accommodate keys bigger than 255 characters and support the multi-line records that BIND has natively supported for years now.


When are you going to fix the DNS editor to allow longer / multiple line TXT records for 2048 bit domainKeys. We use cPanel for our DNS servers for more than just our cPanel servers. We are having to manually edit these records which is a real PITA!



Apologies for resurrecting this (stumbled here from Google) but has this change been implemented yet? And if so, where do I find the setting to increase the key length? I'm using the latest stable 11.50 (build 29).


Thanks


In 11.50 the default key size for DKIM is 2048, unless you are using MyDNS.


There is currently a bug that results in a double quote being erroneously inserted into some TXT records, which may be what Spambuster is referring to.


Not yet; it saves the key with only " when it should be "key".


My default key size in cPanel 11.50 (build 29) is still 768. Am I doing something incorrectly? I'm using BIND, should this be MyDNS?


Are you seeing 768 on new keys, or pre-existing keys?


BIND is what you need to use.


It's a user moved over from another cPanel host, so I'm assuming existing. But I can't find instructions on how to generate a new key.


The DNS editor still doesn't allow for the editing of long record values which makes administrating DNS very annoying.


Hopefully this is resolved soon =)


Which editor are you using?


WHM -> Edit DNS Zone


Hi Guys,


I am trying to update the DKIM public key so that it is 255 characters long but having trouble matching with the Private key. Is there a way to generate a public key that is 255 characters long including the “v=DKIM1; k=rsa; p=…” part as this is causing a nightmare with multiple hosts I have spoken to to add a TXT record longer than 255 characters.


I have tried disabling DKIM in the Email Authentication section and also SSH'd in and deleted the keys manually and then tried re-enabling to see if it creates a shorter key, but to no avail.


Please can you let me know how I can generate a 255 character DKIM public key so that it creates a matching private key ready for me to update the public key on the DNS TXT record.


Thanks


I am also having the same issue as Milesh.

Key is generated automatically but the DNS editor breaks the key at 255 chars and adds (" + space) in the middle.

Is there anyway to change the key length of the key that is generated?

I found that the 1024-bit keys fall under the 255 char limit but can't find anyway to change it.


Running: WHM 11.50.0 (build 29)

Thanks.

Replies have been locked on this page!