Re: test with 4k dkim signing key

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Wed, 7 Nov 2012 06:58:54 -0800 (PST)

On Wed, 7 Nov 2012, Andreas Schulze wrote:
> If opendkim mark a key "insecure" in the Authentication-Results header
> that mean only, that the resolver opendkim uses to fetch the public key
> from dns did no DNSSEC validation. The key is fetched fron dns in the
> 'classical, spoofable, insecure' dns way. It does *not* mean, that the
> key is not protected by dnssec.

The DNSSEC check code offers only three possible results: "insecure",
"secure", and "bogus". If DNSSEC support is not included, it always
reports "insecure". So if you see that, it means either DNSSEC was not
checked, or it means DNSSEC could not conclude one of the other two
things.

-MSK
Received on Wed Nov 07 2012 - 14:59:23 PST

This archive was generated by hypermail 2.3.0 : Wed Nov 07 2012 - 15:00:01 PST