Re: opendkim-genkey and "r=" tag

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Thu, 25 Aug 2011 15:37:05 -0700 (PDT)

On Fri, 26 Aug 2011, Giovanni Bajo wrote:
> For the double signing, we simply configured dkim with "SenderHeaders
> Sender,From", giving precedence to Sender when available (so that it
> picks up the mailing-list in the bounces). I've seen the Resign* options
> in opendkim.conf but I'm not sure how they are an improvement over our
> current setup. Can somebody clarify this maybe?

On inspection your doubly-signed message looks fine to me.

The "resign" feature is an attempt at CPU optimization. When an
application knows it will verify a message's existing signature(s) and
then re-sign the message (such as an MLM might do), it can create a
signing handle that's bound to the verifying handle. It then runs the
verification pass and then re-uses the body hash computed there when
signing rather than computing a new one since the body is (presumably)
unchanged between the two operations. The feature is currently an FFR
("For Future Release") because I don't know if anyone's actually using it
or if it's a helpful optimization, so it's off-by-default. If I hear it's
in some use and appears to be working, I'd consider enabling it in some
future release.

-MSK
Received on Thu Aug 25 2011 - 22:37:22 PST
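
An added illustration of the body-hash reuse described in the message above; it is not OpenDKIM code and not part of the original thread. It shows when a digest computed while verifying can serve the new signature (same canonicalization and hash algorithm, body unchanged) and when it cannot. It assumes RFC 6376 body canonicalization with no "l=" tag; the names BodyHashes and verify_then_resign and the sample body are made up for the example.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, then drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

class BodyHashes:
    """Body digests for one message, shared by the verify pass and the signing pass."""
    def __init__(self, body: bytes):
        self.body = body
        self.cache = {}        # (canonicalization, algorithm) -> base64 digest
        self.passes = 0        # number of times the body was actually hashed

    def bh(self, canon: str, algo: str) -> str:
        key = (canon, algo)
        if key not in self.cache:
            digest = hashlib.new(algo, canon_body(self.body, canon)).digest()
            self.cache[key] = base64.b64encode(digest).decode()
            self.passes += 1
        return self.cache[key]

def verify_then_resign(body, verify_params, sign_params, outgoing_body=None):
    """Return (bh checked during verification, bh for the new signature, hashing passes)."""
    hashes = BodyHashes(body)
    verified_bh = hashes.bh(*verify_params)
    if outgoing_body is not None and outgoing_body != body:
        # Body changed (e.g. a list footer was added): the verify-pass digest no longer applies.
        fresh = BodyHashes(outgoing_body)
        return verified_bh, fresh.bh(*sign_params), hashes.passes + fresh.passes
    return verified_bh, hashes.bh(*sign_params), hashes.passes

# Constructed sample body and footer (not from the original thread).
SAMPLE = b"Hello list,\r\n\r\nsee the  attached \t patch. \r\n\r\n\r\n"
FOOTER = b"-- \r\nlist footer (constructed)\r\n"

if __name__ == "__main__":
    rel = ("relaxed", "sha256")
    for args in [(rel,), (("simple", "sha256"),), (rel, SAMPLE + FOOTER)]:
        print(verify_then_resign(SAMPLE, rel, *args))
```

Only the first case hashes the body once; a different canonicalization or a modified body forces a second pass.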
