Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.protocols.dns.bind > #75

Re: how to split TXT record for IpSEC?

From Paul Wouters <paul@xelerance.com>
Newsgroups comp.protocols.dns.bind
Subject Re: how to split TXT record for IpSEC?
Date 2011-11-09 11:14 -0500
Message-ID <mailman.35.1320855305.68562.bind-users@lists.isc.org> (permalink)
References <20111109133535.GA30278@fantomas.sk> <20111109135906.GB30278@fantomas.sk>

Show all headers | View raw

On Wed, 9 Nov 2011, Matus UHLAR - fantomas wrote:

>> sofia.dashofer.sk.      3600    IN      TXT 
>> "X-IPsec-Server(10)=@sofia.dashofer.sk" " 
>> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ 
>> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk" " 
>> Z1sfvkN8SrnSpbXqpN6JL19tjNTffnd0vhkWWAH7enHcQf0A4hNvIwhQHKFJ0Xd4weHLrD54 
>> DMr6X5n0/6dt7xnPiPqShTr8zlNvrvXP6ZcL+k" 
>> "uNade/3+uxwKMtA6UwUdhrW86i5vYC1xL+tj0svQwi6gD5gISFVHVUOU3Q91FLpc8vUDum/ 
>> O1ckgsMI/K0CmvGVVxbf5zqSqX6FCv9AV30XdliPxQDx9iUtNY2wM7tug5ci/Dmy066XopR/" " 
>> vlrslCABREFiIOAzFMkOvQ0ZUkOGyWN5ERJ161k9msDnFUlldWuK17g2mzp24/nVx+hOXfzg 
>> qhhpeSQV8RK0zZkOe3pVd+a0uuDeYaMtSIRTOT5D" "xTvWInVjR8LXtpPiGqj5qO+hQhysgk="
>> 
>> Can you recomment  can I split it to multiple records so they all fit?
>
> what I mean, can I simply split them into multiple TXT records?
> Should they be split at string boundary (between quotes)?
> If I split between quotes, do I need to spaces a the begin/end or can I 
> simply change them to newlines?
>
> sofia.dashofer.sk.	IN	TXT 
> "X-IPsec-Server(10)=@sofia.dashofer.sk"
> 					" 
> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ 
> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk"
> ...
>
> or even
> 
> sofia.dashofer.sk.	IN	TXT 
> "X-IPsec-Server(10)=@sofia.dashofer.sk"
> sofia.dashofer.sk.	IN	TXT	" 
> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ 
> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk"
> ...

No you cannot split them in separate TXT records, as you have no idea about the order.
Imagine if you have three parts, two of those would be just random characters.

You should really use IPSECKEY instead of TXT records:

See http://tools.ietf.org/html/rfc4025

 	The IPSECKEY RR imposes no length limit on RSA public keys,
 	other than the 65535 octet limit imposed by the two-octet
 	length encoding.

That said, openswan has not yet been brought up to spec for IPSECKEY, so for that
you will have to use TXT.

Paul

Back to comp.protocols.dns.bind | Previous | Next | Find similar

Thread

Re: how to split TXT record for IpSEC? Paul Wouters <paul@xelerance.com> - 2011-11-09 11:14 -0500

csiph-web