On Thu, May 3, 2012 at 1:15 PM, Murray S. Kucherawy <msk_at_cloudmark.com> wrote:
>> Ok. What happens on the verification side if email X is sent out at
>> 10:01:01, signed by "quanah2011", then the keys are updated at 10:01:02
>> to "quanah2012", and the mail doesn't get verified on the receiving end
>> (some remote domain with slow transports say. :P ) until 10:02:05 or
>> something?
>> Will verification still succeed?
> Verification succeeds if the key is still in the DNS. So when you rotate a new key in, you should allow some overlap before removing the older key from the DNS.
Personally, I never delete an old key after I regenerate a new one.
If I manually notice that there is an old key in some customer's
domain, I'll delete it, but otherwise, it stays there until the
customer lets their domain expire, closes their account, transfers the
domain to some other hoster, etc.
...Todd
--
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. -- Martin Golding
Received on Thu May 03 2012 - 20:38:16 PST