Question

Amazon's SES mail service requires DKIM authentication. One step of authentication is to add a CNAME record to your domain's DNS.

Unfortunately the CNAME record has an underscore. My registrar, Network Solutions, does not allow underscores in CNAME records.

Is there a workaround for this? Transferring to a different registrar is an option, but obviously a horrible option.


Solution 2

DKIM is done with TXT records. Of course you could have a CNAME record (or chain) that points to a TXT record, but it is much more common to just create a TXT record directly.

Your DNS authoritative nameservice provider should let you put labels with underscores (which DKIM requires) into your domain's zone file. If not, then select a different DNS nameservice provider or use your own nameservers.

What DNS registrar you are using has nothing to do with it. The registrar does not control the contents of the domain nor would they even be aware of it.

It may be that your registrar and DNS nameservice provider happen to be the same organization, but they are separate roles and should be considered separately.

OTHER TIPS

After over two hours on the phone with Network Solutions customer service, they are manually entering the Amazon SES DKIM authentication records for me.

Firstly, the fact that they do not allow underscores in their CNAME is INCORRECT behavior.

As per RFC 1034:

Names that are not host names can consist of any printable ASCII character.

The DKIM standard REQUIRES the underscore, as per RFC 4871:

All DKIM keys are stored in a subdomain named "_domainkey". Given a DKIM-Signature field with a "d=" tag of "example.com" and an "s=" tag of "foo.bar", the DNS query will be for "foo.bar._domainkey.example.com".

RFC 1034 describes the CNAME record and indicates that the CNAME RR is not (necessarily) a hostname, so any printable ASCII character should be allowed. Network Solutions is WRONG on this.

While DKIM records CAN be stored as TXT records, Amazon SES uses CNAME records so that they can rotate the keys. Which should be possible, if not for Network Solutions' inept policies.

For more information on this, I recommend this site, which explains that any DNS entries that are not hostnames (which the fields in a CNAME can be, but are not necessarily) should be allowed underscores.

In order to finally get them to manually enter the records, they needed to escalate the ticket. It had to be done on the phone; my initial email ticket was responded to with the disappointing response "You need to call in."

I had to explain several times that other nameservers allow underscores in the CNAME and that if they cannot accommodate us, we will be switching immediately.

They had to talk to the primary account holder (which was not me, and was not someone technical) in order to "confirm" that these DNS records should be put in place. Even though he was just calling in to "confirm", they gave him the runaround on the phone for over 70 minutes. This confirmation seemed completely unnecessary, as my account was authorized to edit DNS records.

It was a rather frustrating experience, and I am planning to migrate away from Network Solutions as soon as I can. The required downtime has dissuaded us in the past, but at this point I believe it is justified.

While you might be able to convince them to manually enter the records, I would recommend switching nameservers if it is at all possible.

DKIM requires a subdomain named _domainkey (RFC 4871) (and underscores are completely valid for subdomains).

What if your DNS provider doesn't allow them?

  1. Contact them; they should fix it, and if you can, consider changing provider.
  2. As a temporary solution, copy the TXT record directly (this is temporary because it's likely to change at some point and you'll have to update it); see below:

For example, SendGrid will ask you to point the CNAME s1._domainkey.example.com to s1.domainkey.u1234567.00000.sendgrid.net, so get the TXT record via:

$ host -t txt s1.domainkey.u1234567.00000.sendgrid.net
s1.domainkey.u1234567.00000.sendgrid.net descriptive text "k=rsa\; t=s\; p=SOMETHING+VERY+LOOOOOOOONG"

Now create a TXT record for the subdomain s1._domainkey with the following content (remember to un-escape the \, for example):

k=rsa; t=s; p=SOMETHING+VERY+LOOOOOOOONG
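As an added example (not code from any answer above or from SendGrid/Amazon), here are Python helpers for the copy-the-TXT-record workaround: they turn a `host -t txt` line into the value to paste, build the RFC 4871 query name, sanity-check the key record, and detect when the provider has rotated the key so the manual copy is stale. The sample `host` output, key material and function names are constructed for the example.

```python
"""Helpers for the 'copy the TXT record instead of the CNAME' workaround.
Constructed example; the sample output below is made up and only mirrors the
shape of what `host -t txt <cname-target>` prints."""
import re

# Constructed sample of `host -t txt` output. Long DKIM keys are often split
# into several quoted strings, which must be joined before pasting.
SAMPLE_HOST_OUTPUT = (
    's1.domainkey.u1234567.00000.sendgrid.net descriptive text '
    '"k=rsa\\; t=s\\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC" "abc123"'
)

def dkim_query_name(selector: str, domain: str) -> str:
    """Name a DKIM verifier queries (RFC 4871): <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"

def txt_from_host_output(line: str) -> str:
    """Extract the TXT payload: join the quoted strings and un-escape \\; ."""
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    if not strings:
        raise ValueError("no quoted TXT strings found")
    return "".join(strings).replace("\\;", ";")

def parse_dkim_tags(record: str) -> dict:
    """Split a DKIM key record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags

def dkim_key_record_ok(record: str) -> bool:
    """A usable key record has a non-empty p= tag (an empty p= means revoked)."""
    tags = parse_dkim_tags(record)
    if "p" not in tags or not tags["p"]:
        return False
    if "v" in tags and tags["v"] != "DKIM1":
        return False
    return True

def records_differ(copied: str, live: str) -> bool:
    """True when the live record at the CNAME target no longer matches the
    manually copied one, i.e. the provider rotated the key."""
    return parse_dkim_tags(copied) != parse_dkim_tags(live)
```

Re-run `records_differ` against a fresh lookup of the CNAME target on a schedule; a `True` result means mail will start failing DKIM until the copied TXT record is updated.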

The Amazon forum (https://forums.aws.amazon.com/thread.jspa?threadID=119464) says that you can use a TXT record if the CNAME record doesn't work:

"Set a TXT entry on my DNS settings, this entry looks like: Name: ._domainkey.mydomain.com Type: TXT Value: "p=AAZZZZZZEEEEEERRRRRRRRTTTTTTTYYYYYYYYY..","

I have not been able to get this to work yet, but I think it is the right direction since it is highly unlikely that I will be able to get Yahoo et al. to change their DNS policies.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow