Error when creating SMIMEA record with full cert (Code: 81041)


#1

I get the following error when I try to create an SMIMEA record:

The content length is too large. (Code: 81041)

The record was created with https://tools.greatdane.io and looks like this:

a4896bb2f35886fc9cd891efa53b5925cef799b5066c530331fede8d._smimecert.settgast.org

The record and its format (and also its size) look fine when comparing it with other example records on https://greatdane.io/dnssec-validation-not-required/

For SMIMEA it is not sufficient to just publish the certificate hash (like TLSA) but the full certificate is necessary, as with SMIMEA you also have a discoverability problem when writing an encrypted email to someone. Then your email client needs to discover the certificate of the recipient, thus the full certificate is usually necessary in DNS.

Is there anything that is planned to have this functionality on Cloudflare DNS?

Kind regards,
Christoph
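
Added example, not part of the original post: a Python sketch of how an SMIMEA owner name and RDATA are built per RFC 8162, comparing the size of a full-certificate record (matching type 0) with a SHA-256 digest record (matching type 1). The address `alice@example.org` and the 1400-byte certificate stand-in are constructed sample values, not data from this thread.

```python
import hashlib
import unicodedata

# Constructed stand-in for a DER-encoded certificate (not a real certificate);
# 1400 bytes is an assumed size, chosen only to illustrate the comparison.
CONSTRUCTED_CERT = bytes(i % 256 for i in range(1400))


def smimea_owner_name(email: str) -> str:
    """RFC 8162 owner name: hex(SHA-256(local part)[:28])._smimecert.<domain>."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("expected an address of the form local@domain")
    local = unicodedata.normalize("NFC", local)  # local part is hashed as NFC UTF-8
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._smimecert.{domain}"


def smimea_rdata(cert_der: bytes, usage: int = 3, mtype: int = 0) -> bytes:
    """Wire-format RDATA with selector 0 (full certificate) only."""
    if mtype == 0:      # exact match: the whole certificate goes into DNS
        data = cert_der
    elif mtype == 1:    # SHA-256 digest of the certificate
        data = hashlib.sha256(cert_der).digest()
    elif mtype == 2:    # SHA-512 digest of the certificate
        data = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return bytes([usage, 0, mtype]) + data


def presentation(rdata: bytes) -> str:
    """Zone-file form: usage, selector, matching type, hex association data."""
    return f"{rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"


if __name__ == "__main__":
    print(smimea_owner_name("alice@example.org"))
    for mtype in (0, 1):
        text = presentation(smimea_rdata(CONSTRUCTED_CERT, mtype=mtype))
        print(f"matching type {mtype}: {len(text)} characters of record content")
```

Only the matching type 0 record lets a sender's mail client retrieve the recipient's certificate from DNS; the digest form can only confirm a certificate obtained some other way.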


#2

Great question, @csett86. I’ve made note of it for the team as while there are no plans to increase the character limit in the near future, we appreciate the feedback. (Btw, if you’d like to create a request in the feedback category, the community can upvote it to show support)


#3

Dear cloonan,

thank you for your suggestion, I posted it in the feedback section:

Kind regards,
Christoph


#4

Hi @csett86, I see it and voted! Thank you.


Increase the character limit for SMIMEA DNS records