--On Thursday, May 03, 2012 1:38 PM -0700 Todd Lyons <tlyons_at_ivenue.com>
wrote:
> On Thu, May 3, 2012 at 1:15 PM, Murray S. Kucherawy <msk_at_cloudmark.com>
> wrote:
>>> Ok. What happens on the verification side if email X is sent out at
>>> 10:01:01, signed by "quanah2011", then the keys are updated at 10:01:02
>>> to "quanah2012", and the mail doesn't get verified on the receiving end
>>> (some remote domain with slow transports say. :P ) until 10:02:05 or
>>> something?
>>> Will verification still succeed?
>> Verification succeeds if the key is still in the DNS. So when you
>> rotate a new key in, you should allow some overlap before removing the
>> older key from the DNS.
>
> Personally, I never delete an old key after I regenerate a new one.
> If I manually notice that there is an old key in some customer's
> domain, I'll delete it, but otherwise, it stays there until the
> customer lets their domain expire, closes their account, transfers the
> domain to some other hoster, etc.
>
> ...Todd
Good to know, thanks. This tool just makes it easy for someone to delete
the old key from LDAP, it does nothing on the DNS side. ;)
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Received on Thu May 03 2012 - 20:52:47 PST