how to split TXT record for IpSEC?

Paul Wouters paul at xelerance.com
Wed Nov 9 16:14:30 UTC 2011 

On Wed, 9 Nov 2011, Matus UHLAR - fantomas wrote:

>> sofia.dashofer.sk.      3600    IN      TXT 
>> "X-IPsec-Server(10)=@sofia.dashofer.sk" " 
>> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ 
>> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk" " 
>> Z1sfvkN8SrnSpbXqpN6JL19tjNTffnd0vhkWWAH7enHcQf0A4hNvIwhQHKFJ0Xd4weHLrD54 
>> DMr6X5n0/6dt7xnPiPqShTr8zlNvrvXP6ZcL+k" 
>> "uNade/3+uxwKMtA6UwUdhrW86i5vYC1xL+tj0svQwi6gD5gISFVHVUOU3Q91FLpc8vUDum/ 
>> O1ckgsMI/K0CmvGVVxbf5zqSqX6FCv9AV30XdliPxQDx9iUtNY2wM7tug5ci/Dmy066XopR/" " 
>> vlrslCABREFiIOAzFMkOvQ0ZUkOGyWN5ERJ161k9msDnFUlldWuK17g2mzp24/nVx+hOXfzg 
>> qhhpeSQV8RK0zZkOe3pVd+a0uuDeYaMtSIRTOT5D" "xTvWInVjR8LXtpPiGqj5qO+hQhysgk="
>> 
>> Can you recomment  can I split it to multiple records so they all fit?
>
> what I mean, can I simply split them into multiple TXT records?
> Should they be split at string boundary (between quotes)?
> If I split between quotes, do I need to spaces a the begin/end or can I 
> simply change them to newlines?
>
> sofia.dashofer.sk.	IN	TXT 
> "X-IPsec-Server(10)=@sofia.dashofer.sk"
> 					" 
> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ 
> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk"
> ...
>
> or even
> 
> sofia.dashofer.sk.	IN	TXT 
> "X-IPsec-Server(10)=@sofia.dashofer.sk"
> sofia.dashofer.sk.	IN	TXT	" 
> AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ 
> wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk"
> ...

No you cannot split them in separate TXT records, as you have no idea about the order.
Imagine if you have three parts, two of those would be just random characters.

You should really use IPSECKEY instead of TXT records:

See http://tools.ietf.org/html/rfc4025

 	The IPSECKEY RR imposes no length limit on RSA public keys,
 	other than the 65535 octet limit imposed by the two-octet
 	length encoding.

That said, openswan has not yet been brought up to spec for IPSECKEY, so for that
you will have to use TXT.

Paul

More information about the bind-users mailing list