Underscore in CNAME required by SES not allowed by registrar

csi · Nov 30, 2012 · Viewed 24.2k times

Amazon's SES mail service requires DKIM authentication. One step of authentication is to add a CNAME record to your domain's DNS.

Unfortunately the CNAME record has an underscore. My registrar, Network Solutions, does not allow underscores in CNAME records.

Is there a workaround for this? Transferring to a different registrar is an option, but obviously a horrible option.

Answer

Damien Black · Nov 1, 2014

After over two hours on the phone with Network Solutions customer service, they are manually entering the Amazon SES DKIM authentication records for me.

Firstly, the fact that they do not allow underscores in their CNAME is INCORRECT behavior.

As per RFC 1034:

Names that are not host names can consist of any printable ASCII character.

The DKIM standard REQUIRES the underscore, as per RFC 4871:

All DKIM keys are stored in a subdomain named "_domainkey". Given a DKIM-Signature field with a "d=" tag of "example.com" and an "s=" tag of "foo.bar", the DNS query will be for "foo.bar._domainkey.example.com".

RFC 1034 describes the CNAME record and indicates that the CNAME RR is not (necessarily) a hostname, so any printable ASCII character should be allowed. Network Solutions is WRONG on this.

While DKIM records CAN be stored as TXT records, Amazon SES uses CNAME records so that they can rotate the keys. Which should be possible, if not for Network Solutions' inept policies.

For more information on this, I recommend this site, which explains that any DNS entries that are not hostnames (which the fields in a CNAME can be, but are not necessarily) should be allowed underscores.

In order to finally get them to manually enter the records, they needed to escalate the ticket. It had to be done on the phone; my initial email ticket was responded to with the disappointing response "You need to call in."

I had to explain several times that other nameservers allow underscores in the CNAME and that if they cannot accommodate us, we will be switching immediately.

They had to talk to the primary account holder (which was not me, and was not someone technical) in order to "confirm" that these DNS records should be put in place. Even though he was just calling in to "confirm", they gave him the runaround on the phone for over 70 minutes. This confirmation seemed completely unnecessary, as my account was authorized to edit DNS records.

It was a rather frustrating experience, and I am planning to migrate away from Network Solutions as soon as I can. The required downtime has dissuaded us in the past, but at this point I believe it is justified.

While you might be able to convince them to manually enter the records, I would recommend switching nameservers if it is at all possible.
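The answer above hinges on the distinction between a DNS owner name (which may contain "_domainkey") and a host name (letters, digits and hyphens only, per RFC 952/1123), and on how a verifier builds the name it queries from the "d=" and "s=" tags. The following is an added example, not code from the question, the answer, Amazon SES or Network Solutions: it parses a DKIM-Signature value, derives the "<selector>._domainkey.<domain>" lookup name, and classifies a record name under both rule sets, so you can tell whether a registrar form is (wrongly) applying host-name syntax to a name that only needs to be a valid DNS name. The DKIM-Signature header, the selector "foo.bar", the domain "example.com" and the CNAME target names used below are constructed for this example.

```python
"""
Added example: DKIM lookup-name derivation plus "hostname" vs "DNS name"
syntax checks, to pin down why an underscore in _domainkey is legitimate.
All sample data here is constructed for illustration.
"""
import re

# RFC 1123 host-name label: letters/digits/hyphen, no leading or trailing
# hyphen, 1..63 octets. This is the rule a registrar form typically applies.
_HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folded whitespace is unfolded first; whitespace inside values is dropped."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for part in unfolded.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")   # split on the FIRST '=' only
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_query_name(d: str, s: str) -> str:
    """The owner name a verifier looks up: <selector>._domainkey.<signing domain>."""
    return f"{s.strip('.')}._domainkey.{d.strip('.')}"


def is_hostname(name: str) -> bool:
    """True if every label satisfies host-name syntax (RFC 952/1123)."""
    labels = name.rstrip(".").split(".")
    return all(_HOSTNAME_LABEL.match(label) for label in labels)


def is_dns_name(name: str) -> bool:
    """True if the name is a syntactically valid DNS owner name (RFC 1034/2181):
    non-empty labels of at most 63 octets, whole name at most 253 octets.
    Underscores are permitted; only host names are restricted to LDH."""
    stripped = name.rstrip(".")
    if not stripped or len(stripped) > 253:
        return False
    return all(0 < len(label) <= 63 for label in stripped.split("."))


def classify_record_name(name: str) -> str:
    """'hostname' (passes both rule sets), 'dns-name-only' (valid owner name
    that is not a host name, e.g. anything under _domainkey), or 'invalid'."""
    if not is_dns_name(name):
        return "invalid"
    return "hostname" if is_hostname(name) else "dns-name-only"


def classify_cname(owner: str, target: str) -> dict:
    """Classify both sides of a CNAME: the owner (left-hand side) only has to be
    a DNS name; the target is normally a host name, as an SES DKIM target is."""
    return {"owner": classify_record_name(owner), "target": classify_record_name(target)}


# Constructed DKIM-Signature value (signature bytes are not real).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    " s=foo.bar; h=from:to:subject;\r\n"
    " bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    " b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)

if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_DKIM_SIGNATURE)
    owner = dkim_query_name(tags["d"], tags["s"])
    print(owner)                                  # foo.bar._domainkey.example.com
    print(classify_record_name(owner))            # dns-name-only
    # Illustrative CNAME target (hypothetical token, not a real SES value).
    print(classify_cname(owner, "abc123.dkim.amazonses.com"))
```

When a registrar rejects the owner name, the useful question to put to support is which of the two checks their form implements: the owner name of a DKIM CNAME must pass is_dns_name but has no reason to pass is_hostname, while the CNAME target (an SES-provided name) will pass both.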