
#276 Opendkim error “key retrieval failed” when long dkim keys are used

Milestone: 2.10.3
Status: open
Owner: nobody
Labels: None
Priority: 6
Updated: 2019-02-10
Created: 2019-02-10
Private: No

I'm using postfix with opendkim and see a lot of the following errors:

opendkim[63]: 84D4C390048: key retrieval failed (s=selector1, d=hotmail.com):
'selector1._domainkey.hotmail.com' reply truncated

The error occurs for a lot of different domains, but always if a long DKIM key (> 1024 bit) is used.

Suspected reason

This seems to be due to the fact that opendkim does not set the pseudo-RR OPT UDPsize, indicating that it can handle responses longer than 512 bytes, as can be seen in this tcpdump of an opendkim request:

28112+ TXT? selector1._domainkey.outlook.com. (50)

and the response from unbound:

28112| q: TXT? selector1._domainkey.outlook.com. 1/0/0 selector1._domainkey.outlook.com. CNAME selector1._domainkey.outbound.protection.outlook.com. (105)

The same request from dig correctly indicates that larger responses are fine (OPT UDPsize=4096):

33350+ [1au] TXT? selector1._domainkey.outlook.com. ar: . OPT UDPsize=4096 (73)

And unbound properly responds with the complete TXT record:

33350 q: TXT? selector1._domainkey.outlook.com. 2/0/1 selector1._domainkey.outlook.com. CNAME selector1._domainkey.outbound.protection.outlook.com., selector1._domainkey.outbound.protection.outlook.com. TXT "v=DKIM1;k=rsa;p=MIIBI[...]1913" ar: . OPT UDPsize=4096 (567)

The DKIM key in the TXT record was truncated for brevity.
I would assume this to be a fairly common issue, but couldn't find anything useful so far.
Is this an issue with my opendkim config or with opendkim itself?
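As an added example (not code from the ticket or from the OpenDKIM project), the following Python builds the same TXT query with and without an EDNS0 OPT pseudo-RR, reports the UDP payload size a captured query advertises (None means the resolver falls back to the classic 512-byte limit), and checks the TC bit of a reply, which tcpdump marks with the `|` after the query id in the unbound reply above. The 50-byte plain query matches the opendkim capture; dig's 73-byte query is the 61-byte EDNS query plus a client COOKIE option.

```python
import struct
from typing import Optional

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in the root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_txt_query(name: str, txid: int, udp_size: Optional[int] = None) -> bytes:
    """TXT query with RD set. udp_size=None omits the OPT RR (as opendkim does);
    otherwise an EDNS0 OPT RR advertising that payload size is appended (as dig does)."""
    arcount = 0 if udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    if udp_size is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size, TTL=0, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length

def advertised_udp_size(pkt: bytes) -> Optional[int]:
    """EDNS0 UDP payload size found in the packet's OPT RR, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def is_truncated(pkt: bytes) -> bool:
    """True when the TC bit is set: the reply did not fit and must be retried over TCP."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & 0x0200)

# Constructed sample reply: id 28112, response flags with TC set (0x8380), question only.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 28112, 0x8380, 1, 0, 0, 0) \
    + encode_name("selector1._domainkey.outlook.com.") + struct.pack("!HH", 16, 1)
```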
