Hi,
opendkim-genkey (in OpenDKIM 2.4.2) generates DNS records which contain the "r=" tag for reporting; by default, it sets "r=postmaster;".
The "r=" tag is described in RFCs such as http://www.dkim.org/specs/draft-kucherawy-dkim-reporting.txt, and to the best of my understanding is not part of the official/original DKIM specification (http://www.ietf.org/rfc/rfc4871.txt).
RFC4871 says in §6.1.2.5:
> If the result returned from the query does not adhere to the
> format defined in this specification, the verifier MUST ignore
> the key record and return PERMFAIL (key syntax error). Verifiers
> are urged to validate the syntax of key records carefully to
> avoid attempted attacks. In particular, the verifier MUST ignore
> keys with a version code ("v=" tag) that they do not implement.
To the best of my understanding, this means that verifiers adhering to RFC4871 MUST return PERMFAIL when presented with DNS records as produced by opendkim-genkey by default. In fact, the gmail verifier does this (as can be inferred from the Authentication-Results header added by the GMail smtp system).
I'm pretty new to dkim, but it would look to me that if someone wants to add a specification for a "r=" tag in the DNS, that specification must also increase the "v=" tag version number.
Is this correct or am I missing something?
Thanks!
--
Giovanni Bajo :: rasky_at_develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
Received on Thu Aug 25 2011 - 16:17:33 PST
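Added example, not part of the original post and not OpenDKIM's code: a small Python validator that applies the key record rules of RFC 4871 (tag-list grammar in section 3.2, key record tags in section 3.6.1, and the PERMFAIL rule quoted above from section 6.1.2.5) to a constructed record of the shape opendkim-genkey emits. It shows which conditions a conformant verifier turns into PERMFAIL (key syntax error): an unimplemented "v=" version, "v=" not being the first tag, duplicate tags, a missing or non-base64 "p=" value. It also shows how section 3.2, which says unrecognized tags MUST be ignored, treats a tag the verifier does not know, such as "r=". SAMPLE_P is a constructed base64 string, not a real RSA key, and the function names are my own.

```python
import base64
import binascii
import re

# Tags defined for key records by RFC 4871 section 3.6.1. Any other tag
# (for example "r=" from the reporting draft) is "unrecognized" and, per
# RFC 4871 section 3.2, is ignored rather than treated as a syntax error.
KNOWN_TAGS = {"v", "g", "h", "k", "n", "p", "s", "t"}

# tag-name = ALPHA 0*ALNUMPUNC, where ALNUMPUNC = ALPHA / DIGIT / "_"
_TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# Constructed sample "public key": base64 of arbitrary bytes, NOT a real RSA key.
SAMPLE_P = base64.b64encode(b"constructed sample key bytes, not a real RSA key").decode()


class KeySyntaxError(ValueError):
    """The record does not adhere to the RFC 4871 key record format.
    A verifier maps this to PERMFAIL (key syntax error), section 6.1.2.5."""


def parse_tag_list(record):
    """Parse an RFC 4871 tag-list: tag=value pairs separated by ';', with an
    optional single trailing ';' and whitespace allowed around '=' and ';'."""
    items = record.split(";")
    if items and items[-1].strip() == "":
        items.pop()  # the grammar allows one trailing ';'
    tags = {}
    for item in items:
        if "=" not in item:
            raise KeySyntaxError("tag-spec without '=': %r" % item)
        name, value = item.split("=", 1)
        name, value = name.strip(), value.strip()
        if not _TAG_NAME.match(name):
            raise KeySyntaxError("invalid tag name: %r" % name)
        if name in tags:
            raise KeySyntaxError("duplicate tag: %r" % name)  # forbidden by section 3.2
        tags[name] = value
    return tags


def validate_key_record(record):
    """Apply the key-record checks a verifier performs before using the key.
    Returns the parsed tags, the unrecognized tags that were ignored, and
    whether the key is revoked (empty p=); raises KeySyntaxError otherwise."""
    tags = parse_tag_list(record)

    # v= is optional, but if present it MUST be the first tag and MUST be
    # "DKIM1"; a version this verifier does not implement is a hard failure.
    if "v" in tags:
        if next(iter(tags)) != "v":
            raise KeySyntaxError("v= must be the first tag")
        if tags["v"] != "DKIM1":
            raise KeySyntaxError("unsupported key record version %r" % tags["v"])

    if "p" not in tags:
        raise KeySyntaxError("required p= tag missing")
    # Folding whitespace inside the base64 value is removed before decoding.
    pub = re.sub(r"\s+", "", tags["p"])
    if pub:
        try:
            base64.b64decode(pub, validate=True)
        except (binascii.Error, ValueError):
            raise KeySyntaxError("p= value is not valid base64")

    ignored = sorted(set(tags) - KNOWN_TAGS)
    return {"tags": tags, "ignored_tags": ignored, "revoked": pub == ""}


def is_permfail(record):
    """True when a verifier following these rules returns PERMFAIL (key syntax error)."""
    try:
        validate_key_record(record)
    except KeySyntaxError:
        return True
    return False


if __name__ == "__main__":
    # Shape of the record opendkim-genkey emits by default (constructed values).
    genkey_style = "v=DKIM1; k=rsa; r=postmaster; p=%s" % SAMPLE_P
    print(validate_key_record(genkey_style)["ignored_tags"])
    print(is_permfail("v=DKIM2; p=%s" % SAMPLE_P))
```

Run as a script it prints `['r']` for the opendkim-genkey style record (the "r=" tag is parsed, then set aside as unrecognized) and `True` for a record whose "v=" names a version the verifier does not implement, which is the case the quoted section 6.1.2.5 text singles out.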