how to split TXT record for IpSEC?
Paul Wouters
paul at xelerance.com
Wed Nov 9 16:14:30 UTC 2011
On Wed, 9 Nov 2011, Matus UHLAR - fantomas wrote:
>> sofia.dashofer.sk. 3600 IN TXT
>> "X-IPsec-Server(10)=@sofia.dashofer.sk" "
>> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ
>> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk" "
>> Z1sfvkN8SrnSpbXqpN6JL19tjNTffnd0vhkWWAH7enHcQf0A4hNvIwhQHKFJ0Xd4weHLrD54
>> DMr6X5n0/6dt7xnPiPqShTr8zlNvrvXP6ZcL+k"
>> "uNade/3+uxwKMtA6UwUdhrW86i5vYC1xL+tj0svQwi6gD5gISFVHVUOU3Q91FLpc8vUDum/
>> O1ckgsMI/K0CmvGVVxbf5zqSqX6FCv9AV30XdliPxQDx9iUtNY2wM7tug5ci/Dmy066XopR/" "
>> vlrslCABREFiIOAzFMkOvQ0ZUkOGyWN5ERJ161k9msDnFUlldWuK17g2mzp24/nVx+hOXfzg
>> qhhpeSQV8RK0zZkOe3pVd+a0uuDeYaMtSIRTOT5D" "xTvWInVjR8LXtpPiGqj5qO+hQhysgk="
>>
>> Can you recomment can I split it to multiple records so they all fit?
>
> what I mean, can I simply split them into multiple TXT records?
> Should they be split at string boundary (between quotes)?
> If I split between quotes, do I need to spaces a the begin/end or can I
> simply change them to newlines?
>
> sofia.dashofer.sk. IN TXT
> "X-IPsec-Server(10)=@sofia.dashofer.sk"
> "
> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ
> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk"
> ...
>
> or even
>
> sofia.dashofer.sk. IN TXT
> "X-IPsec-Server(10)=@sofia.dashofer.sk"
> sofia.dashofer.sk. IN TXT "
> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ
> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk"
> ...
No you cannot split them in separate TXT records, as you have no idea about the order.
Imagine if you have three parts, two of those would be just random characters.
You should really use IPSECKEY instead of TXT records:
See http://tools.ietf.org/html/rfc4025
The IPSECKEY RR imposes no length limit on RSA public keys,
other than the 65535 octet limit imposed by the two-octet
length encoding.
That said, openswan has not yet been brought up to spec for IPSECKEY, so for that
you will have to use TXT.
Paul
More information about the bind-users
mailing list