Strange behaviour of dnssec-signzone

Mark Andrews marka at
Wed Dec 15 11:22:45 UTC 2010

In message <c008a6086493ca91d9b6707551689fe5@[::1]>, Patrick Vande Walle writes
> Greetings,
> My zone file contains a TXT record for DKIM :
>       sig-2010._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; 
> t=s; p=[deleted for shortness]"
> When I run: /usr/sbin/dnssec-signzone  -u -3 5D2CA8 -C -g -p -o 
> -e +7776000 -l zone.db K*.private 2>&1"
> It returns: "dnssec-signzone: fatal: failed loading zone from 
> 'zone.db': ran out of space"
> If I delete the "g=*;" tag of the TXT record
>       sig-2010._domainkey IN TXT "v=DKIM1; r=postmaster; k=rsa; t=s; 
> p=[deleted for shortness]"

A string in a TXT record can only be 255 characters long though there
can be multiple strings.  If you try to load a string longer than 255
characters you will get the error above.

RFC 4871 DomainKeys Identified Mail (DKIM) Signatures

   Strings in a TXT RR MUST be concatenated together before use with no
   intervening whitespace.  TXT RRs MUST be unique for a particular
   selector name; that is, if there are multiple records in an RRset,
   the results are undefined.
> signing happens with no problem.
> I am wondering if others have seen this strange behaviour of 
> dnssec-signzone (version 9.7.1-P2).
> Thanks,
> Patrick Vande Walle
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
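
The 255-character limit and the RFC 4871 concatenation rule from the reply above, as an added example that is not part of the original messages: it splits a long DKIM value into several strings for the zone file and rejoins them the way a verifier must. The function names and the placeholder key are constructed for illustration.

```python
MAX_STRING = 255  # limit on one TXT character-string, as stated in the reply


def split_txt(value: str, limit: int = MAX_STRING) -> list[str]:
    """Split value into chunks of at most `limit` bytes each."""
    data = value.encode("ascii")  # DKIM key records are ASCII tag=value text
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def quote(chunk: str) -> str:
    """Quote one chunk for a master file, escaping backslash and double quote."""
    return '"' + chunk.replace("\\", "\\\\").replace('"', '\\"') + '"'


def zone_line(owner: str, value: str) -> str:
    """Render one TXT RR; long values become several quoted strings."""
    chunks = split_txt(value)
    if len(chunks) == 1:
        return f"{owner} IN TXT {quote(chunks[0])}"
    body = "\n".join("\t" + quote(c) for c in chunks)
    return f"{owner} IN TXT (\n{body} )"


def join_txt(chunks: list[str]) -> str:
    """Reassemble per RFC 4871: concatenate with no intervening whitespace."""
    for c in chunks:
        if len(c.encode("ascii")) > MAX_STRING:
            raise ValueError("character-string longer than 255 bytes")
    return "".join(chunks)


# Constructed sample: placeholder key material, not a real public key.
SAMPLE = "v=DKIM1; r=postmaster; g=*; k=rsa; t=s; p=" + "A" * 392

if __name__ == "__main__":
    # Prints a multi-line TXT record with two quoted strings (255 + 179 bytes).
    print(zone_line("sig-2010._domainkey", SAMPLE))
```
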
