
Delegate lists.wmcloud.org domain to be able to add DNS DKIM records
Open, Medium, Public

Description

Please delegate the lists.wmcloud.org domain to the mailman project so we can add the following DNS record for lists.wmcloud.org:

wikimedia._domainkey.lists  1H  IN TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9+YM0P4vZEhLwZkUbhRokEj5v5SiyX0g03Anlwz7Xyvejdgbq9I6JYsrDPWRurc1UvDDigE6q1OtkKHJI8eB3L0Wpv+oqH2sxkq1edC2YRaQuUQKG+4yIr3kUidRGD95T9UsGBl7IH7OyQ5YWVjUMnoAWaabkXTvDwR0OQjEo2QS72ErTbwnRwMGysOpo9PHrYBq/Cz1Pc6LdF/S5hu54rvNehO878tQ1CFMLOHnHid1v0MkaAx8k8jH6mR2PV3nGXsy5Wbc5SfdQUwa25Zgq7eZ1ZFUXaLjk4X2COdy4xHFkaUzDhjoiAxQ0mlgkm28cEDdB3keC4VQ3wl8DgGBOQIDAQAB"

Event Timeline

aborrero renamed this task from Please add DNS DKIM record for lists.wmcloud.org to Delegate list.wmcloud.org domain to be able to add DNS DKIM records. Mar 24 2021, 5:34 PM
aborrero updated the task description. (Show Details)
aborrero triaged this task as Medium priority.
aborrero moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.
aborrero renamed this task from Delegate list.wmcloud.org domain to be able to add DNS DKIM records to Delegate lists.wmcloud.org domain to be able to add DNS DKIM records. Mar 25 2021, 10:02 AM

Mentioned in SAL (#wikimedia-cloud) [2021-03-25T10:06:00Z] <arturo> created & delegated DNS zone lists.wmcloud.org (T278358)

You should be able to create arbitrary DNS records in the lists.wmcloud.org zone using horizon now.

lists.wmcloud.org shows up for me now, but it's not letting me create the TXT record: "Error: Unable to create the record set.". Maybe I'm doing something wrong?

[Screenshot: Zones - Manage Wikimedia Cloud (Screenshot_2021-03-26 Zones - Manage Wikimedia Cloud.png)]

You need to use the FQDN, so wikimedia._domainkey.lists.wmcloud.org. here I guess. Designate very confusingly does not inherit any information from the zone in the individual record.

It's more than the FQDN issue. I was able to make a bd808.lists.wmcloud.org TXT record with "testing" as the payload, but then when I tried to change the payload to "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9+YM0P4vZEhLwZkUbhRokEj5v5SiyX0g03Anlwz7Xyvejdgbq9I6JYsrDPWRurc1UvDDigE6q1OtkKHJI8eB3L0Wpv+oqH2sxkq1edC2YRaQuUQKG+4yIr3kUidRGD95T9UsGBl7IH7OyQ5YWVjUMnoAWaabkXTvDwR0OQjEo2QS72ErTbwnRwMGysOpo9PHrYBq/Cz1Pc6LdF/S5hu54rvNehO878tQ1CFMLOHnHid1v0MkaAx8k8jH6mR2PV3nGXsy5Wbc5SfdQUwa25Zgq7eZ1ZFUXaLjk4X2COdy4xHFkaUzDhjoiAxQ0mlgkm28cEDdB3keC4VQ3wl8DgGBOQIDAQAB" I got the same content free error message. This kind of feels like a db schema limit or something similar.

I can put in 255 chars, but not 256. :)

https://bugs.launchpad.net/designate/+bug/1595265
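The 255-character ceiling hit above is the RFC 1035 limit on a single TXT character-string, and a DKIM record longer than that (a 2048-bit RSA key is about 410 characters with its tags) is normally published as several quoted strings inside one TXT record, which DKIM verifiers concatenate. The following helper is an added example, not code from this task or from Designate; it splits the RSA value from the task description into RFC-sized strings and renders them in zone-file form. Whether the Designate version in use accepts that multi-string form is not established in this thread.

```python
import math

# RFC 1035 §3.3: each <character-string> in TXT RDATA holds at most 255 octets.
# RFC 6376 §3.6.2.2: a DKIM record spread over several strings in ONE TXT RR
# is reassembled by concatenating the strings in order.
MAX_CHARACTER_STRING = 255

# Constructed sample: the RSA DKIM value from the task description (tags + key).
RSA_DKIM_VALUE = (
    "v=DKIM1; k=rsa; p="
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9+YM0P4vZEhLwZkUbhRokEj5v5SiyX0g03An"
    "lwz7Xyvejdgbq9I6JYsrDPWRurc1UvDDigE6q1OtkKHJI8eB3L0Wpv+oqH2sxkq1edC2YRaQuUQKG+4y"
    "Ir3kUidRGD95T9UsGBl7IH7OyQ5YWVjUMnoAWaabkXTvDwR0OQjEo2QS72ErTbwnRwMGysOpo9PHrYBq"
    "/Cz1Pc6LdF/S5hu54rvNehO878tQ1CFMLOHnHid1v0MkaAx8k8jH6mR2PV3nGXsy5Wbc5SfdQUwa25Zg"
    "q7eZ1ZFUXaLjk4X2COdy4xHFkaUzDhjoiAxQ0mlgkm28cEDdB3keC4VQ3wl8DgGBOQIDAQAB"
)


def split_txt_value(value: str, limit: int = MAX_CHARACTER_STRING) -> list[str]:
    """Cut a TXT payload into pieces that each fit one character-string.

    Lengths are measured in octets, not code points; DKIM records are ASCII,
    so an explicit ASCII encode makes a stray non-ASCII byte fail loudly.
    """
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def to_presentation(strings: list[str]) -> str:
    """Render the strings in zone-file / dig form: quoted, with " and \\ escaped."""
    escaped = [s.replace("\\", "\\\\").replace('"', '\\"') for s in strings]
    return " ".join(f'"{s}"' for s in escaped)


def expected_chunks(value: str) -> int:
    """How many character-strings a value needs (1 for anything <= 255 octets)."""
    return max(1, math.ceil(len(value.encode("ascii")) / MAX_CHARACTER_STRING))


if __name__ == "__main__":
    chunks = split_txt_value(RSA_DKIM_VALUE)
    print(f"{len(RSA_DKIM_VALUE)} octets -> {len(chunks)} strings")
    print("wikimedia._domainkey.lists.wmcloud.org. 3600 IN TXT", to_presentation(chunks))
```

The first string ends mid-key; that is expected, since the verifier joins the strings before it looks at the tags, so the split point carries no meaning.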

I can try using an ed25519 key to see how much shorter that'll be. In any case the lack of DKIM in cloud isn't a huge issue if it's complicated to fix.

With a private ed25519 key I just created, the new DNS value should be: v=DKIM1; k=ed25519; p=83sgMULyUlfdIiGu2WUK0qdclRS314E8nrcVBNOWEuw= (66 characters) ... but horizon still doesn't want to let me create it.

The API also apparently does not like whitespace in the TXT value. I was able to create the record with v=DKIM1;k=ed25519;p=83sgMULyUlfdIiGu2WUK0qdclRS314E8nrcVBNOWEuw= as the payload.

This still has problems though:

$ dig TXT wikimedia._domainkey.lists.wmcloud.org.

; <<>> DiG 9.10.6 <<>> TXT wikimedia._domainkey.lists.wmcloud.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49008
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wikimedia._domainkey.lists.wmcloud.org.	IN TXT

;; ANSWER SECTION:
wikimedia._domainkey.lists.wmcloud.org.	3533 IN	TXT "v=DKIM1"

;; Query time: 41 msec
;; SERVER: 192.168.11.1#53(192.168.11.1)
;; WHEN: Sat Mar 27 11:28:21 MDT 2021
;; MSG SIZE  rcvd: 87

The payload is truncated at the first ; character.

I have tried yet another way, by creating 3 separate values for the TXT record:

$ dig TXT wikimedia._domainkey.lists.wmcloud.org.

; <<>> DiG 9.10.6 <<>> TXT wikimedia._domainkey.lists.wmcloud.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39038
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wikimedia._domainkey.lists.wmcloud.org.	IN TXT

;; ANSWER SECTION:
wikimedia._domainkey.lists.wmcloud.org.	3599 IN	TXT "p=83sgMULyUlfdIiGu2WUK0qdclRS314E8nrcVBNOWEuw="
wikimedia._domainkey.lists.wmcloud.org.	3599 IN	TXT "v=DKIM1"
wikimedia._domainkey.lists.wmcloud.org.	3599 IN	TXT "k=ed25519"

;; Query time: 126 msec
;; SERVER: 192.168.11.1#53(192.168.11.1)
;; WHEN: Sat Mar 27 11:28:23 MDT 2021
;; MSG SIZE  rcvd: 168

If the TXT body is input wrapped in " chars the ; splitting seems to be avoided, but the " also ends up in the output:

$ dig TXT wikimedia._domainkey.lists.wmcloud.org.

; <<>> DiG 9.10.6 <<>> TXT wikimedia._domainkey.lists.wmcloud.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12395
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wikimedia._domainkey.lists.wmcloud.org.	IN TXT

;; ANSWER SECTION:
wikimedia._domainkey.lists.wmcloud.org.	3599 IN	TXT "v=DKIM1;k=ed25519;p=83sgMULyUlfdIiGu2WUK0qdclRS314E8nrcVBNOWEuw="

;; Query time: 121 msec
;; SERVER: 192.168.11.1#53(192.168.11.1)
;; WHEN: Sat Mar 27 11:33:43 MDT 2021
;; MSG SIZE  rcvd: 144

This final state may be usable. Does anyone have a DKIM selector to test it with using https://www.dmarcanalyzer.com/dkim/dkim-checker/ or another validation service?

Oh, duh, the selector is wikimedia. This test thinks things are setup correctly:

This seems to be a valid DKIM Record.
DNS Record - wikimedia._domainkey.lists.wmcloud.org
Selector - wikimedia
Domain - lists.wmcloud.org
v=DKIM1;k=ed25519;p=83sgMULyUlfdIiGu2WUK0qdclRS314E8nrcVBNOWEuw=
Declared tags

| Tag | Value | Description |
| --- | --- | --- |
| v | DKIM1 | DKIM protocol version. |
| p | 83sgMULyUlfdIiGu2WUK0qdcl... | Your base64 encoded public key. |
| k | ed25519 | The 'k=' tag provide a list of mechanisms that can be used to decode a DKIM signature. ('rsa' is used most often) |
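The three dig answers in this thread show three different shapes: a record truncated at the first `;`, three separate TXT records each carrying one tag, and a single quoted record. A verifier concatenates the strings inside one TXT record but never joins across separate records, so only the last shape is usable. The following checker is an added example, not code from this task or from the DKIM checker quoted above; it parses a TXT record's presentation-format RDATA the way a DKIM verifier would, reports what is wrong with each of the three shapes, and sanity-checks the key against the declared `k=` type (32 raw bytes for ed25519, a DER SEQUENCE for rsa). The sample RDATA strings below are copied from the dig output in this thread.

```python
import base64
import re

# Constructed samples: the ANSWER SECTION RDATA of the three dig runs above.
TRUNCATED_RR = '"v=DKIM1"'
THREE_RRS = [
    '"p=83sgMULyUlfdIiGu2WUK0qdclRS314E8nrcVBNOWEuw="',
    '"v=DKIM1"',
    '"k=ed25519"',
]
FINAL_RR = '"v=DKIM1;k=ed25519;p=83sgMULyUlfdIiGu2WUK0qdclRS314E8nrcVBNOWEuw="'

# One quoted <character-string>; backslash escapes are allowed inside it.
_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_strings(rdata: str) -> list[str]:
    """Split one TXT RR's presentation-format RDATA into its character-strings."""
    return [
        m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        for m in _STRING_RE.finditer(rdata)
    ]


def dkim_tags(rdata: str) -> dict[str, str]:
    """RFC 6376 §3.6.2.2: join the strings of ONE RR, then parse the tag=value list.

    Whitespace around tags and values is insignificant, so both
    'v=DKIM1; k=rsa; p=...' and 'v=DKIM1;k=rsa;p=...' parse identically.
    """
    text = "".join(txt_strings(rdata))
    tags: dict[str, str] = {}
    for field in text.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def dkim_problems(rdata: str) -> list[str]:
    """Return the reasons a verifier would reject this RR as a DKIM key record."""
    tags = dkim_tags(rdata)
    problems: list[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        problems.append(f"unsupported version {tags['v']!r}")
    if "p" not in tags:
        problems.append("missing p= tag")
        return problems
    if tags["p"] == "":
        problems.append("empty p= means the key is revoked")
        return problems
    try:
        key = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        problems.append("p= is not valid base64")
        return problems
    key_type = tags.get("k", "rsa")  # k= defaults to rsa when absent
    if key_type == "ed25519" and len(key) != 32:
        problems.append(f"ed25519 key must be 32 bytes, got {len(key)}")
    elif key_type == "rsa" and not key.startswith(b"\x30"):
        problems.append("p= does not look like a DER-encoded RSA SubjectPublicKeyInfo")
    elif key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {key_type!r}")
    return problems


def check_answer(rrs: list[str]) -> dict[str, list[str]]:
    """Evaluate every TXT RR at the selector name on its own; strings are
    concatenated within an RR, never across RRs, so one tag per RR never works."""
    return {rr: dkim_problems(rr) for rr in rrs}


if __name__ == "__main__":
    for label, rrs in (("truncated", [TRUNCATED_RR]), ("three RRs", THREE_RRS), ("final", [FINAL_RR])):
        for rr, problems in check_answer(rrs).items():
            print(f"{label}: {rr} -> {problems or 'OK'}")
```

Running it shows the truncated record failing for lack of a key, each of the three split records failing on its own (the `p=` one is judged as an RSA key because `k=` lives in a different record), and the final quoted record passing.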
aborrero moved this task from Doing to Watching on the cloud-services-team (Kanban) board.
aborrero subscribed.