Re: test with 4k dkim signing key

From: Andreas Schulze <sca_at_andreasschulze.de>
Date: Wed, 7 Nov 2012 15:54:12 +0100

On Wed, 7 Nov 2012, 04:25, Murray S. Kucherawy wrote:
> It means your key isn't DNSSEC-protected.
yes and no.

If opendkim marks a key "insecure" in the Authentication-Results header,
that means only that the resolver opendkim uses to fetch the public key from DNS
did no DNSSEC validation. The key is fetched from DNS in the 'classical, spoofable, insecure' DNS way.
It does *not* mean that the key is not protected by DNSSEC.

>> does whois show your domain is dnssec enabled ?
Depends on the TLD.
As an example, query whois for these DNSSEC-enabled domains:
 debian.org -> yes
 andreasschulze.de -> yes
 unbound.net -> no
But whois is not relevant; it's informational only.

To enable opendkim to fetch keys from DNS *and* validate them using DNSSEC,
you need to
 1. compile opendkim with libunbound
 2. let opendkim resolve directly against the root DNS servers (or use a DNSSEC-capable forwarding resolver)

It does not help to compile opendkim with libunbound and then use 8.8.8.8 (Google's public resolver).

Andreas
Received on Wed Nov 07 2012 - 14:54:26 PST

This archive was generated by hypermail 2.3.0 : Wed Nov 07 2012 - 15:00:01 PST