Re: verification error: empty key record; insecure key

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 17 Aug 2012 09:31:48 -0700 (PDT)

On Fri, 17 Aug 2012, Benny Pedersen wrote:
> could this be the problem i see here with RSA-VERIFY failing ?, it
> happends most on gmail and ietf, i dont think there dkim is failling,
> but is RSA-VERIFY bogus error for not getting correct dns results ?

No. This issue would cause the DKIM verification process to fail before
the code gets as far as calling any of the crypto functions.

> Aug 17 00:02:49 home opendkim[3330]: 56E3E25C022: s=ietf1 d=ietf.org SSL
> error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

This can only happen when the DNS part worked fine, but the signature
itself failed to validate. Assuming no bugs, it means the message was
modified in transit.

> unsure why it just happen on some domains and not all

Have you tried any of the testing and debugging steps found in
opendkim/README?

> what openssl version is stable with opendkim could be usefull if i should
> create a bug in gentoo with this problem

We've received no complaints about any particular openssl version.

-MSK
Received on Fri Aug 17 2012 - 16:32:08 PST