This object is in archive!
Set larger DKIM keys.
Completed
The current 768 bit key can be considered to be too short. It would be nice to have control over the size of the DKIM keys that are set for cPanel accounts with options of 1024 or 2048 bits keys in the WHM. It seems that at least Gmail is rejecting smaller DKIM key sizes.
I like this idea 
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.
The work for this feature has been completed, and it is scheduled for release in 11.50.
We need to replace MyDNS with an alternative before we can enable this functionality as MyDNS has problems handling TXT records with more then 255 characters.
Its likely feasible to to replace MyDNS with PowerDNS (there is already a feature request here for this: http://features.cpanel.net/responses/powerdns-as-nameserver-program-option)
The work for this feature has been completed, and it is scheduled for release in 11.50.
We need to replace MyDNS with an alternative before we can enable this functionality as MyDNS has problems handling TXT records with more then 255 characters.
Its likely feasible to to replace MyDNS with PowerDNS (there is already a feature request here for this: http://features.cpanel.net/responses/powerdns-as-nameserver-program-option)
According to the above article, Google is now rejecting mail with 512 bit keys and has said it will only accept mail with 768 bit keys for a few weeks. I've also read reports of people receiving warning messages from Google if they're server has weak DKIM keys.
There is also a CERT advisory out on the issue:
http://www.kb.cert.org/vuls/id/268267
According to the above article, Google is now rejecting mail with 512 bit keys and has said it will only accept mail with 768 bit keys for a few weeks. I've also read reports of people receiving warning messages from Google if they're server has weak DKIM keys.
There is also a CERT advisory out on the issue:
http://www.kb.cert.org/vuls/id/268267
Prior to 11.34.1, DKIM keys generated by cPanel & WHM were 768 bits in length. As of 11.34.1, new keys are 1024 bits in length. This change is also back ported to 11.32 and 11.30, and will be available in the next release of those versions.
Right now our utilities do not provide a way of upgrading the keys.
Prior to 11.34.1, DKIM keys generated by cPanel & WHM were 768 bits in length. As of 11.34.1, new keys are 1024 bits in length. This change is also back ported to 11.32 and 11.30, and will be available in the next release of those versions.
Right now our utilities do not provide a way of upgrading the keys.
Would disabling then re-enabling the feature in cPanel cause a new key to be generated? Or is there something that could manually be cleared to force it? I have one of the 768 bit keys that has been cracked and is actively being used by spammers to send messages so I need to figure out a way to change the key.
By the way, all the big players (Google, Microsoft, Yahoo, etc.) have gone to 2048 bits. I would suggest that be the default for future releases.
Would disabling then re-enabling the feature in cPanel cause a new key to be generated? Or is there something that could manually be cleared to force it? I have one of the 768 bit keys that has been cracked and is actively being used by spammers to send messages so I need to figure out a way to change the key.
By the way, all the big players (Google, Microsoft, Yahoo, etc.) have gone to 2048 bits. I would suggest that be the default for future releases.
What Doug said. Also, I have 11.34.1 installed and just added DKIM to a domain but test emails still show "(weak key)" when scoping out the headers in Gmail.
What Doug said. Also, I have 11.34.1 installed and just added DKIM to a domain but test emails still show "(weak key)" when scoping out the headers in Gmail.
There are some technical challenges to using key sizes larger than 1024. The public key is stored in a TXT DNS RR. These kinds of RRs are limited to 255 characters. Key sizes larger than 1024 cause the key to exceed this limitation. We are examining the situation to determine how to provide larger key sizes.
There are some technical challenges to using key sizes larger than 1024. The public key is stored in a TXT DNS RR. These kinds of RRs are limited to 255 characters. Key sizes larger than 1024 cause the key to exceed this limitation. We are examining the situation to determine how to provide larger key sizes.
Edit: Hey I can post using my forum login? TIL
Edit: Hey I can post using my forum login? TIL
Ok, correct account now (sorry). I have disabled DKIM on those accounts that had it set up previously under that reseller. While we await a solution will turning off DKIM have a negative effect with regard to email delivery to Gmail?
Ok, correct account now (sorry). I have disabled DKIM on those accounts that had it set up previously under that reseller. While we await a solution will turning off DKIM have a negative effect with regard to email delivery to Gmail?
Go into cPanel for a domain and disable DKIM under Email Authentication.
Delete the key files for the domain from /var/cpanel/domain_keys/public/ and /var/cpanel/domain_keys/private/. They will have been renamed with ".removed" at the end when DKIM was disabled.
Go back into cPanel and re-enable DKIM. New keys and a new DNS TXT record will be generated.
Go into cPanel for a domain and disable DKIM under Email Authentication.
Delete the key files for the domain from /var/cpanel/domain_keys/public/ and /var/cpanel/domain_keys/private/. They will have been renamed with ".removed" at the end when DKIM was disabled.
Go back into cPanel and re-enable DKIM. New keys and a new DNS TXT record will be generated.
i've tried to set larger keys and I can't. Ugggh.. I'm getting my bulk mail denied and my sender reputation is hurting. HOW DO I FIX THIS?
Please someone from cpanel post instructions becuase the standard DKIM instructions do not generate acceptable new keys.
i've tried to set larger keys and I can't. Ugggh.. I'm getting my bulk mail denied and my sender reputation is hurting. HOW DO I FIX THIS?
Please someone from cpanel post instructions becuase the standard DKIM instructions do not generate acceptable new keys.
Got it working. Its important to mention restarting exim and apache after regenerating keys.
Got it working. Its important to mention restarting exim and apache after regenerating keys.
@Doug Smith, @mykkal. Thank you! C'mon on cPanel, none of your customers should be needing to search for such information. It should be SIMPLE to regenerate the keys for DKIM... it's not like we waited the best part of a decade for you to support DKIM at all... oh, did we?
@Doug Smith, @mykkal. Thank you! C'mon on cPanel, none of your customers should be needing to search for such information. It should be SIMPLE to regenerate the keys for DKIM... it's not like we waited the best part of a decade for you to support DKIM at all... oh, did we?
We still have this issue, after Doug recommendation i still have issue with google.
Here is what google say:
Received-SPF: softfail (google.com: domain of transitioning info@xxx.co.uk does not designate xxxx:xxx:x:xxxx::x:xxx as permitted sender) client-ip=xxxx:xxx:x:xxxx::x:xxx;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning info@xxx.co.uk does not designate xxxx:xxx:x:xxxx::x:xxx as permitted sender) smtp.mail=info@xxx.co.uk;
dkim=fail header.i=@xxx.co.uk
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xxx.co.uk; s=default;
h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From; bh=86AQvdHe/xjNHguNWzbpWJ9alGT+anrh8JvSh9aFukM=;
And emails going to spam folder...
We still have this issue, after Doug recommendation i still have issue with google.
Here is what google say:
Received-SPF: softfail (google.com: domain of transitioning info@xxx.co.uk does not designate xxxx:xxx:x:xxxx::x:xxx as permitted sender) client-ip=xxxx:xxx:x:xxxx::x:xxx;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning info@xxx.co.uk does not designate xxxx:xxx:x:xxxx::x:xxx as permitted sender) smtp.mail=info@xxx.co.uk;
dkim=fail header.i=@xxx.co.uk
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xxx.co.uk; s=default;
h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From; bh=86AQvdHe/xjNHguNWzbpWJ9alGT+anrh8JvSh9aFukM=;
And emails going to spam folder...
Important note: It may take a while before the changed DNS TXT record is seen. For mail servers that have been receiving emails from your server, they may take longer to see because the TXT lookup result is probably served from its DNS cache. The default TTL for the TXT RR is 14400 secs.
Important note: It may take a while before the changed DNS TXT record is seen. For mail servers that have been receiving emails from your server, they may take longer to see because the TXT lookup result is probably served from its DNS cache. The default TTL for the TXT RR is 14400 secs.
BTW, DirectAdmin has had 2048-bit key since late 2012. http://forum.directadmin.com/showthread.php?t=44891. Come on, keep up cPanel!
BTW, DirectAdmin has had 2048-bit key since late 2012. http://forum.directadmin.com/showthread.php?t=44891. Come on, keep up cPanel!
I am tired of having emails flagged as having bad keys because the DNS editor does not work correctly when adding longer keys.
I am tired of having emails flagged as having bad keys because the DNS editor does not work correctly when adding longer keys.
At the very least the DNS editor needs to be fixed to accommodate keys bigger than 255 and support multi-line records that bind has natively supported for years now.
At the very least the DNS editor needs to be fixed to accommodate keys bigger than 255 and support multi-line records that bind has natively supported for years now.
When are you going to fix the DNS editor to allow longer / multiple line TXT records for 2048 bit domainKeys. We use cPanel for our DNS servers for more than just our cPanel servers. We are having to manually edit these records which is a real PITA!
When are you going to fix the DNS editor to allow longer / multiple line TXT records for 2048 bit domainKeys. We use cPanel for our DNS servers for more than just our cPanel servers. We are having to manually edit these records which is a real PITA!
The work for this feature has been completed, and it is scheduled for release in 11.50.
We need to replace MyDNS with an alternative before we can enable this functionality as MyDNS has problems handling TXT records with more then 255 characters.
Its likely feasible to to replace MyDNS with PowerDNS (there is already a feature request here for this: http://features.cpanel.net/responses/powerdns-as-nameserver-program-option)
The work for this feature has been completed, and it is scheduled for release in 11.50.
We need to replace MyDNS with an alternative before we can enable this functionality as MyDNS has problems handling TXT records with more then 255 characters.
Its likely feasible to to replace MyDNS with PowerDNS (there is already a feature request here for this: http://features.cpanel.net/responses/powerdns-as-nameserver-program-option)
Apologies for resurrecting this (stumbled here from Google) but has this change been implemented yet? And if so, where do I find the setting to increase the key length? I'm using the latest stable 11.50 (build 29).
Thanks
Apologies for resurrecting this (stumbled here from Google) but has this change been implemented yet? And if so, where do I find the setting to increase the key length? I'm using the latest stable 11.50 (build 29).
Thanks
Not yet, its save the key whit only " should be "key"
Not yet, its save the key whit only " should be "key"
My default key size in cpanel 11.50 (build 29) is still 768. Am I doing something incrorrectly? I'm using BIND, should this be MyDNS?
My default key size in cpanel 11.50 (build 29) is still 768. Am I doing something incrorrectly? I'm using BIND, should this be MyDNS?
The DNS editor still doesn't allow for the editing of long record values which makes administrating DNS very annoying.
Hopefully this is resolved soon =)
The DNS editor still doesn't allow for the editing of long record values which makes administrating DNS very annoying.
Hopefully this is resolved soon =)
Hi Guys,
I am trying to update the DKIM public key so that it is 255 characters long but having trouble matching with the Private key. Is there a way to generate a public key that is 255 characters long including the “v=DKIM1; k=rsa; p=…” part as this is causing a nightmare with multiple hosts I have spoken to to add a TXT record longer than 255 characters.
I have tried disabling DKIM in the Email Authentication section and also SSH’d in and deleted the keys manually and then tried re enabling to see if it creates a shorter key but to no avail.
Please can you let me know how I can generate a 255 character DKIM public key so that it creates a matching private key ready for me to update the public key on the DNS TXT record.
Thanks
Hi Guys,
I am trying to update the DKIM public key so that it is 255 characters long but having trouble matching with the Private key. Is there a way to generate a public key that is 255 characters long including the “v=DKIM1; k=rsa; p=…” part as this is causing a nightmare with multiple hosts I have spoken to to add a TXT record longer than 255 characters.
I have tried disabling DKIM in the Email Authentication section and also SSH’d in and deleted the keys manually and then tried re enabling to see if it creates a shorter key but to no avail.
Please can you let me know how I can generate a 255 character DKIM public key so that it creates a matching private key ready for me to update the public key on the DNS TXT record.
Thanks
I am also having the same issue as Milesh,
Key is generated automatically but the DNS editor breaks the key at 255 chars and adds (" + space) in the middle.
Is there anyway to change the key length of the key that is generated?
I found that the 1024-bit keys fall under the 255 char limit but can't find anyway to change it.
Running: WHM 11.50.0 (build 29
Thanks.
I am also having the same issue as Milesh,
Key is generated automatically but the DNS editor breaks the key at 255 chars and adds (" + space) in the middle.
Is there anyway to change the key length of the key that is generated?
I found that the 1024-bit keys fall under the 255 char limit but can't find anyway to change it.
Running: WHM 11.50.0 (build 29
Thanks.
Replies have been locked on this page!