foolo
commented
5 months ago Observation: Some domains have divided the data in several DNS records (instead of several partial strings of the same record, which is the normal way)
In the example below, the data is divided in 3 records, which are returned in a random order. To handle cases like this, we would need to try to concatenate together in all possible combinations and see which combination gives a valid key. Maybe for the time being, this is not worth the extra complexity, also given that this does not follow the DKIM specification.
> dig +short TXT mandrill._domainkey.galleon.ph
"B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;"
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSR"
"MAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3"
Some domains have multiple TXT records. Although this is not allowed in the specification (link), it would still be good to handle it.
The easiest option is probably to just add them all - any faulty ones will be handled by https://github.com/zkemail/archive.prove.email/issues/85 Alternatively, parse them and pick those that are valid DKIM TVL and have valid ASN1 DER encoded public key in p=.
At the moment, we have just picked the first record. But there seem to be a few cases in the archive (could be as much as 1%), for which we have actually missed the "real" key because the record with the real key was preceded by some invalid value. They are easy to find though, so we can process them and add any extra selectors.
One example:
dig default._domainkey.ictwaarborg.nl txt +shortreturns 2 records: Record 1 (note the underline in_p=):Record 2 (probably the correct one):
Another example: