I'm using postfix with opendkim and see a lot of the following errors:
opendkim[63]: 84D4C390048: key retrieval failed (s=selector1, d=hotmail.com):
'selector1._domainkey.hotmail.com' reply truncated
The error occurs for a lot of different domains, but always if a long dkim key (> 1024 bit) is used. I would assume this to be a fairly common issue, but couldn't find anything useful so far.
Is this an issue with my opendkim config or is opendkim just broken in this regard?
This issue seems to be due to the fact, that opendkim does not set the pseudo resource record OPT UDPSize, indicating that it can handle responses longer than 512 bytes, as defined by EDNS (wiki), RFC 2671.
Opendkim (no EDNS)
As can be seen in this tcpdump of an opendkim request:
28112+ TXT? selector1._domainkey.outlook.com. (50)
and the response from unbound:
28112| q: TXT? selector1._domainkey.outlook.com. 1/0/0 selector1._domainkey.outlook.com.
CNAME selector1._domainkey.outbound.protection.outlook.com. (105)
Dig (EDNS)
The same request from dig correctly indicates that larger responses are fine (OPT UDPsize=4096):
33350+ [1au] TXT? selector1._domainkey.outlook.com. ar: . OPT UDPsize=4096 (73)
And unbound properly responds with the complete TXT record:
33350 q: TXT? selector1._domainkey.outlook.com. 2/0/1
selector1._domainkey.outlook.com. CNAME
selector1._domainkey.outbound.protection.outlook.com.,
selector1._domainkey.outbound.protection.outlook.com.
TXT "v=DKIM1;k=rsa;p=MIIBI[...]1913" ar: . OPT UDPsize=4096 (567)
The DKIM key in the TXT record was truncated for brevity.
Unfortunately the opendkim project seems to be dead, so it is unlikely that this will be fixed.
The res_query() call libopendkim is making doesn't appear to handle truncation by retransmitting the request. It does on my devserver, so this appears to be a local configuration option. res_query() doesn't appear to have a way to force TCP mode, but the man page for it suggests you can force TCP mode in /etc/resolv.conf locally.
Failing that, you might be able to get around this by linking against another resolver, such as unbound, which OpenDKIM supports.
