Tag: Route 53

  • Fixing TXTRDATATooLong Errors for AWS Route 53

    RFC 4408 section 3.1.3 says:

    ....
        IN TXT "v=spf1 .... first" "second string..."

    MUST be treated as equivalent to

        IN TXT "v=spf1 .... firstsecond string..."

    SPF or TXT records containing multiple strings are useful in
    constructing records that would exceed the 255-byte maximum length of
    a string within a single TXT or SPF RR record.


    So if you are getting the error “TXTRDATATooLong”, the solution is to split the value into multiple strings within the same record set. For example, instead of:

    "v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDx2zIlneFcE2skbzXjq5GudbHNntCGNN9A2RZGC/trRpTXzT/+oymxCytrEsmrwtvKdbTnkkWOxSEUcwU2cffGeaMxgZpONCu+qf5prxZCTMZcHm9p2CwCgFx3reSF+ZmoaOvvgVL5TKTzYZK7jRktQxPdTvk3/yj71NQqBGatLQIDAQAB;"

    you can pick a split point where each part is less than 255 characters long and insert [double quote][space][double quote] at that point.

    For example, I tried:

    "v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDx2zIlneFcE2skbzXjq5GudbHNntCGNN9A2RZGC/trRpTXzT/+oymxCytrEsmrwtvKdbTnkkWOxSEUcwU2cffGeaMxgZpONCu+qf5prxZCT" "MZcHm9p2CwCgFx3reSF+ZmoaOvvgVL5TKTzYZK7jRktQxPdTvk3/yj71NQqBGatLQIDAQAB;"

    As a result I got:

    dig -t TXT long.xxxxxx.yyyy @ns-iiii.awsdns-jj.org.
    ;; ANSWER SECTION:
    long.xxxxxxx.yyyy. 300    IN      TXT     "v=DKIM1\; k=rsa\; g=*\; s=email\; h=sha1\; t=s\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDx2zIlneFcE2skbzXjq5GudbHNntCGNN9A2RZGC/trRpTXzT/+oymxCytrEsmrwtvKdbTnkkWOxSEUcwU2cffGeaMxgZpONCu+qf5prxZCT" "MZcHm9p2CwCgFx3reSF+ZmoaOvvgVL5TKTzYZK7jRktQxPdTvk3/yj71NQqBGatLQIDAQAB\;"

    Note that the returned TXT record still contains [double quote][space][double quote]; however, the RFC quoted above mandates that the strings be treated as if they were concatenated into one.

    Note that your example (the Yahoo DKIM record below) does the same, split on 128-character boundaries:

    dig s2048._domainkey.yahoo.com TXT
    ;; Truncated, retrying in TCP mode.
     
    ; <<>> DiG 9.4.2 <<>> s2048._domainkey.yahoo.com TXT
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61356
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
     
    ;; QUESTION SECTION:
    ;s2048._domainkey.yahoo.com.    IN      TXT
     
    ;; ANSWER SECTION:
    s2048._domainkey.yahoo.com. 61881 IN    TXT     "k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoWufgbWw58MczUGbMv176RaxdZGOMkQmn8OOJ/HGoQ6dalSMWiLaj8IMcHC1cubJx2gz" "iAPQHVPtFYayyLA4ayJUSNk10/uqfByiU8qiPCE4JSFrpxflhMIKV4bt+g1uHw7wLzguCf4YAoR6XxUKRsAoHuoF7M+v6bMZ/X1G+viWHkBl4UfgJQ6O8F1ckKKoZ5K" "qUkJH5pDaqbgs+F3PpyiAUQfB6EEzOA1KMPRWJGpzgPtKoukDcQuKUw9GAul7kSIyEcizqrbaUKNLGAmz0elkqRnzIsVpz6jdT1/YV5Ri6YUOQ5sN5bqNzZ8TxoQlkb" "VRy6eKOjUnoSSTmSAhwIDAQAB\; n=A 2048 bit key\;"
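    The splitting and re-joining described above, as an added example that is not code from the post: `route53_txt_value` renders a long value in the [double quote][space][double quote] form, and `parse_txt_rdata` decodes what dig prints (including its backslash escapes) back into the single logical value that RFC 4408 3.1.3 requires. The function names are mine; the sample input is the post's own DKIM record.

```python
MAX_STRING = 255  # RFC 1035 character-string limit; exceeding it is what Route 53 reports as TXTRDATATooLong

def split_txt_value(value, limit=MAX_STRING):
    """Split a logical TXT value into character-strings of at most `limit` bytes (wire form)."""
    if not value.isascii():  # DKIM/SPF values are ASCII; the limit counts bytes, not characters
        raise ValueError("non-ASCII value needs byte-aware splitting")
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def route53_txt_value(value, limit=MAX_STRING):
    """Render as the post does: "part1" "part2", i.e. [quote][space][quote] between parts."""
    # Escape embedded quotes/backslashes per RFC 1035 presentation syntax only after splitting:
    # escapes add presentation characters but no wire bytes, and the limit applies to wire bytes.
    parts = split_txt_value(value, limit)
    return " ".join('"' + p.replace("\\", "\\\\").replace('"', '\\"') + '"' for p in parts)

def parse_txt_rdata(rdata):
    """Parse dig's presentation form ("s1" "s2" ...) into its strings, decoding backslash
    escapes (escaped ; and quote, doubled backslash, decimal DDD)."""
    strings, i, n = [], 0, len(rdata)
    while i < n:
        if rdata[i] != '"':  # whitespace between strings
            i += 1
            continue
        i, buf = i + 1, []
        while i < n and rdata[i] != '"':
            if rdata[i] == "\\" and i + 1 < n:
                esc = rdata[i + 1:i + 4]
                if len(esc) == 3 and esc.isdigit():  # \DDD decimal byte
                    buf.append(chr(int(esc)))
                    i += 4
                    continue
                i += 1  # escaped literal character follows
            buf.append(rdata[i])
            i += 1
        if i >= n:
            raise ValueError("unterminated character-string in TXT rdata")
        i += 1  # closing quote
        strings.append("".join(buf))
    return strings

def txt_value_from_rdata(rdata):
    """RFC 4408 3.1.3: multiple strings in one TXT record concatenate without separators."""
    return "".join(parse_txt_rdata(rdata))

# The DKIM record from the post that triggered TXTRDATATooLong (longer than 255 characters).
DKIM = ("v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDx2zIlneFcE2skbz"
        "Xjq5GudbHNntCGNN9A2RZGC/trRpTXzT/+oymxCytrEsmrwtvKdbTnkkWOxSEUcwU2cffGeaMxgZpONCu+qf5prxZCTMZcHm9p2"
        "CwCgFx3reSF+ZmoaOvvgVL5TKTzYZK7jRktQxPdTvk3/yj71NQqBGatLQIDAQAB;")
```

    Checking `txt_value_from_rdata` against the original value after a `dig` is a quick way to confirm the split record still carries the intended DKIM key.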

  • Configuring White-Label Name Servers with AWS Route53

    Create a Route 53 reusable delegation set

    aws route53 create-reusable-delegation-set --caller-reference ns-example-com

    Output:

    {
        "Location": "https://route53.amazonaws.com/2013-04-01/delegationset/N3PIG1YNLUZGKS",
        "DelegationSet": {
            "Id": "/delegationset/N3PIG1YNLUZGKS",
            "CallerReference": "ns-example-com",
            "NameServers": [
                "ns-30.awsdns-03.com",
                "ns-1037.awsdns-01.org",
                "ns-1693.awsdns-19.co.uk",
                "ns-673.awsdns-20.net"
            ]
        }
    }

    Note down the delegation set ID:

    /delegationset/N3PIG1YNLUZGKS

    Get the IP addresses of the delegation set's name servers

    dig +short ns-30.awsdns-03.com
    dig +short ns-1037.awsdns-01.org
    dig +short ns-1693.awsdns-19.co.uk
    dig +short ns-673.awsdns-20.net
    dig AAAA +short ns-30.awsdns-03.com
    dig AAAA +short ns-1037.awsdns-01.org
    dig AAAA +short ns-1693.awsdns-19.co.uk
    dig AAAA +short ns-673.awsdns-20.net

    Then add A and AAAA records with these IP addresses for your white-label name server names, both with your domain registrar and in your current DNS provider. Set the TTL to 60 seconds.

    Create a new hosted zone with the reusable delegation set

    aws route53 create-hosted-zone --caller-reference example-tld --name example.tld --delegation-set-id /delegationset/N3PIG1YNLUZGKS

    Output:

    {
        "Location": "https://route53.amazonaws.com/2013-04-01/hostedzone/Z7RED47DZVVWP",
        "HostedZone": {
            "Id": "/hostedzone/Z7RED47DZVVWP",
            "Name": "example.tld.",
            "CallerReference": "example-tld",
            "Config": {
                "PrivateZone": false
            },
            "ResourceRecordSetCount": 2
        },
        "ChangeInfo": {
            "Id": "/change/C2IAGSQG1G1LCZ",
            "Status": "PENDING",
            "SubmittedAt": "2019-03-10T13:10:53.358Z"
        },
        "DelegationSet": {
            "Id": "/delegationset/N3PIG1YNLUZGKS",
            "CallerReference": "ns-example-com",
            "NameServers": [
                "ns-30.awsdns-03.com",
                "ns-1037.awsdns-01.org",
                "ns-1693.awsdns-19.co.uk",
                "ns-673.awsdns-20.net"
            ]
        }
    }

    Update NS and SOA records

    To prepare for changing name servers, first lower the TTL of the following records:

    • NS records: 172800 to 60 seconds
    • SOA record: 900 to 60 seconds
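    As an added example (not code from the post), the TTL-lowering step expressed as the change batch that `aws route53 change-resource-record-sets` accepts, with the name servers taken from the delegation set output above. The SOA value is an assumed record in the shape Route 53 generates for a new zone; copy the real one from your zone before applying.

```python
import json

# Delegation-set output as printed by `aws route53 create-reusable-delegation-set` in the post.
DELEGATION_SET_OUTPUT = """{
  "DelegationSet": {
    "Id": "/delegationset/N3PIG1YNLUZGKS",
    "CallerReference": "ns-example-com",
    "NameServers": ["ns-30.awsdns-03.com", "ns-1037.awsdns-01.org",
                    "ns-1693.awsdns-19.co.uk", "ns-673.awsdns-20.net"]
  }
}"""
# Assumed SOA rdata in the shape Route 53 generates for a new zone; replace with your zone's real value.
SOA_RDATA = "ns-30.awsdns-03.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"

def delegation_set_nameservers(output):
    """Name servers from the delegation set, fully qualified as Route 53 stores them in the NS record."""
    names = json.loads(output)["DelegationSet"]["NameServers"]
    return [n if n.endswith(".") else n + "." for n in names]

def lower_ttl_change_batch(zone_name, nameservers, soa_rdata, ttl=60):
    """ChangeBatch that re-UPSERTs the apex NS and SOA records with a short TTL, keeping their
    rdata unchanged (the post lowers NS 172800 -> 60 and SOA 900 -> 60 before switching servers)."""
    if ttl <= 0 or not nameservers:
        raise ValueError("need a positive TTL and at least one name server")
    if len(soa_rdata.split()) != 7:
        raise ValueError("SOA rdata must be: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM")
    zone = zone_name if zone_name.endswith(".") else zone_name + "."
    def upsert(rtype, values):
        return {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": zone, "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values]}}
    return {"Comment": "lower apex NS/SOA TTL before changing name servers",
            "Changes": [upsert("NS", nameservers), upsert("SOA", [soa_rdata])]}

if __name__ == "__main__":
    ns = delegation_set_nameservers(DELEGATION_SET_OUTPUT)
    print(json.dumps(lower_ttl_change_batch("example.tld", ns, SOA_RDATA), indent=2))
```

    Save the printed JSON and apply it with `aws route53 change-resource-record-sets --hosted-zone-id /hostedzone/Z7RED47DZVVWP --change-batch file://lower-ttl.json`.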