How do I resolve the "CharacterStringTooLong (Value is too long) encountered with {Value}" error that I receive when creating a TXT record using DKIM syntax?

2 minute read
0

I tried to create a DKIM text resource record that a third party provided in my Amazon Route 53 hosted zone. However, I got the following error: "CharacterStringTooLong (Value is too long) encountered with {Value}."

Short description

DNS TXT records can contain up to 255 characters in a single string. You must split TXT record strings that are over 255 characters into multiple text strings within the same record.

Note: If the value is split, then DKIM functionality doesn't break.

Resolution

1.    Open the resource record that you received from your third-party provider.

2.    To adhere to the 255 character maximum for a single Route 53 TXT record, split the DKIM key value into two parts. To do this, follow these steps:

Copy the DKIM key value from the resource record.
Paste the DKIM key value in a new line of a text editor.
Split the DKIM key value into two parts, and then enclose each part in double quotation marks. For example, the value for "long_string" is split into "long_""string".

Note: Don't add a line break between the two parts.

3.    Open the Route 53 console.

4.    In the navigation pane, choose Hosted zones.

5.    Select your hosted zone.

6.    Choose Create Record Set.

7.    In the Create Record Set panel, complete the following steps:

  • For Name, enter the domain key identifier.
  • For Type, choose TXT.
  • For Alias, keep the default selection of No.
  • For TTL, enter the number of seconds. The default value of 300 is typically sufficient.
  • For Value, copy the split DKIM key value that you created in step 2 from your text editor. Paste the split value in the Value field.
  • Choose Create.

8.    Use dig or nslookup to confirm that the TXT record is presented as a single entry.

dig:

$ dig selector_key_1._domainkey.domain.com txt 
...
;; ANSWER SECTION: 
selector_key_1._domainkey.domain.com. 60 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz1xhXc+vJKhQJUch86o8Ia2+L/AYo4d5eRVrPMMWzz4EiM4eB4QC1hJ83YMCHLv5dDN2lJ3KWSd5tGOxF/FRj1KdN+Jdf+BVwuklBFO8IrDtMz/lk2CJjF8jlgIUmQAjs3lc/8Bee+" "IQeB2tLX9UWvQMpI3aZuh6Ym6hcvLnbEkALWaMQvqwgxZs1qF6t5VKMjWeNNWIScyNTYL4Ud8wDiBcWh492HustfGUxrl5zmRfEl8BzCbrOqpKPLBmk/xrHRw9PHIJyYOaZA2PFqVcp6mzxjyUmn0DH9HXdhIznflBoIOLL1dm77PyDOKdEWRkSLMCA72mZbFr9gxda72ocQIDAQAB"

nslookup:

    > nslookup -q=TXT selector_key_1._domainkey.domain.com
...
Non-authoritative answer:
selector_key_1._domainkey.domain.com.    text =
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz1xhXc+vJKhQJUch86o8Ia2+L/AYo4d5eRVrPMMWzz4EiM4eB4QC1hJ83YMCHLv5dDN2lJ3KWSd5tGOxF/FRj1KdN+Jdf+BVwuklBFO8IrDtMz/lk2CJjF8jlgIUmQAjs3lc/8Bee+"
        "IQeB2tLX9UWvQMpI3aZuh6Ym6hcvLnbEkALWaMQvqwgxZs1qF6t5VKMjWeNNWIScyNTYL4Ud8wDiBcWh492HustfGUxrl5zmRfEl8BzCbrOqpKPLBmk/xrHRw9PHIJyYOaZA2PFqVcp6mzxjyUmn0DH9HXdhIznflBoIOLL1dm77PyDOKdEWRkSLMCA72mZbFr9gxda72ocQIDAQAB"

Related information

TXT record type

AWS OFFICIAL
AWS OFFICIALUpdated a year ago
12 Comments

Would someone please be able to shed some light on why this is necessary with Route53 when other DNS services can handle the long strings properly?

I am still pretty new to AWS, but man it feels like so many things just don't work as they should.

Adrian
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

The suggested solution does not work. Route 53 adds a space to the string at the point of the split.

Original TXT record: ...lNJ3n2C2kw/IPwt... Results from dig: ...lNJ3n2C" "2kw/IPwt...

As this is a DKIM record, the space causes the validation to FAIL.

eric-w
replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 6 months ago

This does work - but the instructions here are not exactly correct. This statement:

Split the DKIM key value into two parts, and then enclose each part in double quotation marks.

Should say this:

Split the DKIM key value into two parts, and then enclose each part in double quotation marks. Be sure to add a single blank space between the two strings.

So do not do this: "first string""second string" -- make sure you do this: "first string" "second string"

chuck
replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 5 months ago

This is really poor. If it's common enough to have a knowledge base workaround then fix the root issue.

replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 4 months ago

Ive tried few different ways of splitting it and i keep getting the test back with a space between where i split

Dillon
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 4 months ago
3.1.3.  Multiple Strings in a Single DNS record

   As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
   record (either TXT or SPF RR types) can be composed of more than one
   string.  If a published record contains multiple strings, then the
   record MUST be treated as if those strings are concatenated together
   without adding spaces.  For example:

      IN TXT "v=spf1 .... first" "second string..."

   MUST be treated as equivalent to

      IN TXT "v=spf1 .... firstsecond string..."

   SPF or TXT records containing multiple strings are useful in
   constructing records that would exceed the 255-byte maximum length of
   a string within a single TXT or SPF RR record.

Ref: https://www.rfc-editor.org/rfc/rfc4408#section-3.1.3

profile picture
bijay_k
replied a month ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied a month ago