Adding an OpenDKIM TXT Record in Unbound Under pfSense

Use cases vary wildly, so this is a fairly generic post, and the primary reason I’m making it is because (as far as I can tell) this issue has never been raised on the pfSense forums (or anywhere else).

If you need to create a long (secure) TXT record in Unbound (pfSense calls this “DNS Resolver”), you do it exactly the same way you would under BIND/named as described here. The trick is getting the spacing and quoting right, and in practice, your record will look something like this:

local-data: '62b46b60-c498-11e6-86f9-ed7a384a7e0a._domainkey IN TXT "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAst+FF7HVwZ87nTnS0STIg5yYMDq/5fdPV/FzELfk9G27P6Qg6wnC5B2t441lclVIBzDB3Q79gQxtfbBmjPfPgVSt1qVt8HO8yCD+skTtCOZV0wd9dcDmcztcGKqWnSJIFez8Gl2uPxf9fDPcCsIrQtN+6Z5SEKASzavzF5//yn6S689ryoiBiBAFuYWfZtRS""p+2PJ8njGvO543PLWlGL1kL93Q+AozhZxOc9O8JAcFvczxhi3G8I71teASHNng2fobn6yA3xZyuENvbdz2sJeCzmM7rYEIg8xgjKvvRgVXaB4/f9c7z25Fa7r16ONXOeQZy5R4Q/IZeLYhjhHheGAQIDAQAB"'

In the pfSense interface, it looks like this:

The important bits are:

  • the single-quotes around the entire local-data record,
  • the lack of spaces between txt record sections (v=, k=, and p=),
  • the use of double-quotes around the txt record portion, and
  • the use of double quotes to break the key into pieces short enough for Unbound to accept. You may need to experiment with where you place these quotes.

Assuming that you have your DNS properly configured, you can test your configuration with the host command:

host -t TXT 62b46b60-c498-11e6-86f9-ed7a384a7e0a._domainkey.thatonedomain.com
62b46b60-c498-11e6-86f9-ed7a384a7e0a._domainkey.thatonedomain.com descriptive text "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAst+FF7HVwZ87nTnS0STIg5yYMDq/5fdPV/FzELfk9G27P6Qg6wnC5B2t441lclVIBzDB3Q79gQxtfbBmjPfPgVSt1qVt8HO8yCD+skTtCOZV0wd9dcDmcztcGKqWnSJIFez8Gl2uPxf9fDPcCsIrQtN+6Z5SEKASzavzF5//yn6S689ryoiBiBAFuYWfZtRS" "p+2PJ8njGvO543PLWlGL1kL93Q+AozhZxOc9O8JAcFvczxhi3G8I71teASHNng2fobn6yA3xZyuENvbdz2sJeCzmM7rYEIg8xgjKvvRgVXaB4/f9c7z25Fa7r16ONXOeQZy5R4Q/IZeLYhjhHheGAQIDAQAB"

Note that the key portion will come back with quotes and a space in the middle (in the example above the space is between RS" and "p), and this is OK because standards-compliant validating receivers are expected to concatenate the key parts before running their calculations.
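To take the guesswork out of the quote placement in the bullet list above, and to show what the receiver-side concatenation just described does with the two pieces, here is an added example in Python. It is not code from the original post, from pfSense or from Unbound; it uses the post's own key and host name, and the helper names are mine. The 255-byte figure is the RFC 1035 limit on one TXT character-string, which is the reason the key has to be split at all.

```python
import base64
import re

# RFC 1035 limits each <character-string> in TXT RDATA to 255 bytes, so a
# 2048-bit DKIM key (392 base64 characters plus the v= and k= tags) never
# fits in one string and must be split across several quoted pieces.
TXT_STRING_MAX = 255

# The post's own record, reassembled into one string (constructed here from the
# key shown in the post; the host name is the post's example name).
DKIM_NAME = "62b46b60-c498-11e6-86f9-ed7a384a7e0a._domainkey"
KEY_B64 = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAst+FF7HVwZ87nTnS"
    "0STIg5yYMDq/5fdPV/FzELfk9G27P6Qg6wnC5B2t441lclVIBzDB3Q79gQxt"
    "fbBmjPfPgVSt1qVt8HO8yCD+skTtCOZV0wd9dcDmcztcGKqWnSJIFez8Gl2u"
    "Pxf9fDPcCsIrQtN+6Z5SEKASzavzF5//yn6S689ryoiBiBAFuYWfZtRS"
    "p+2PJ8njGvO543PLWlGL1kL93Q+AozhZxOc9O8JAcFvczxhi3G8I71teASHN"
    "ng2fobn6yA3xZyuENvbdz2sJeCzmM7rYEIg8xgjKvvRgVXaB4/f9c7z25Fa7"
    "r16ONXOeQZy5R4Q/IZeLYhjhHheGAQIDAQAB"
)
DKIM_RECORD = "v=DKIM1;k=rsa;p=" + KEY_B64

# The `host -t TXT` output line from the post, rebuilt from the same key: host
# prints each string double-quoted, separated by a space, and escapes ';' as '\;'.
HOST_LINE = (
    DKIM_NAME + ".thatonedomain.com descriptive text "
    '"v=DKIM1\\; k=rsa\\; p=' + KEY_B64[:236] + '" "' + KEY_B64[236:] + '"'
)


def split_txt(value: str, limit: int = TXT_STRING_MAX) -> list[str]:
    """Split a TXT value into pieces of at most `limit` bytes each."""
    data = value.encode("ascii")  # DKIM key records are plain ASCII
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def unbound_local_data(name: str, value: str) -> str:
    """Render the `local-data:` line for Unbound (pfSense DNS Resolver).

    Single quotes wrap the whole record; each piece is double-quoted and the
    pieces are placed back to back with no space between them, as in the post.
    """
    pieces = split_txt(value)
    for piece in pieces:
        if '"' in piece or "\\" in piece:
            raise ValueError("piece would need escaping; DKIM records contain no quotes")
    quoted = "".join('"' + piece + '"' for piece in pieces)
    return "local-data: '%s IN TXT %s'" % (name, quoted)


def join_txt_strings(host_line: str) -> str:
    """Reassemble the double-quoted strings of a TXT record into one value.

    This is what a DKIM verifier does before parsing the record (RFC 6376:
    the strings of the TXT RR are concatenated with no intervening whitespace).
    The '\\;' escaping that `host` adds on output is undone as well.
    """
    pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', host_line)
    return "".join(piece.replace("\\;", ";") for piece in pieces)


def parse_dkim_tags(record: str) -> dict[str, str]:
    """Parse the tag=value list of a DKIM key record; whitespace around tags is allowed."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if field:
            tag, _, value = field.partition("=")
            tags[tag.strip()] = value.strip()
    return tags


def check_rsa_key(record: str) -> int:
    """Strictly decode the p= tag and return the DER length in bytes.

    validate=True makes a stray space or quote inside the key raise, which is
    exactly the failure a badly placed quote in local-data produces. The DER
    is only checked to be a SEQUENCE carrying the rsaEncryption OID.
    """
    tags = parse_dkim_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 key record")
    der = base64.b64decode(tags["p"], validate=True)
    if not der or der[0] != 0x30 or bytes.fromhex("2a864886f70d010101") not in der:
        raise ValueError("p= does not decode to an RSA SubjectPublicKeyInfo")
    return len(der)


def record_is_valid(record: str) -> bool:
    """True when the reassembled record carries a decodable RSA key."""
    try:
        check_rsa_key(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(unbound_local_data(DKIM_NAME, DKIM_RECORD))
    print("host output reassembles to a valid key:", record_is_valid(join_txt_strings(HOST_LINE)))
```

Run it and paste the printed `local-data:` line into the DNS Resolver custom options; after `host -t TXT` returns, feed the output line to `join_txt_strings` and `record_is_valid` to confirm that what the resolver serves still decodes to the key you generated.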

If you get the above configured correctly and if the rest of your puzzle pieces are present and properly placed, the end result is something like this on the recipient-end of your outbound messages:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@thatonedomain.com;