In upgrading from opendkim 2.6.0 to 2.7.1, there appears to have been a
significant change to the defaults when opendkim-genkey is run.
Specifically, it sets "t=s". Per RFC4871, section 3.8, setting this by
default does not appear to be the correct action to take, as it is a "may":
3.8. Signing by Parent Domains
In some circumstances, it is desirable for a domain to apply a
signature on behalf of any of its subdomains without the need to
maintain separate selectors (key records) in each subdomain. By
default, private keys corresponding to key records can be used to
sign messages for any subdomain of the domain in which they reside;
e.g., a key record for the domain example.com can be used to verify
messages where the signing identity ("i=" tag of the signature) is
sub.example.com, or even sub1.sub2.example.com. In order to limit
the capability of such keys when this is not intended, the "s" flag
may be set in the "t=" tag of the key record to constrain the
validity of the record to exactly the domain of the signing identity.
If the referenced key record contains the "s" flag as part of the
"t=" tag, the domain of the signing identity ("i=" flag) MUST be the
same as that of the d= domain. If this flag is absent, the domain of
the signing identity MUST be the same as, or a subdomain of, the d=
domain. Key records that are not intended for use with subdomains
SHOULD specify the "s" flag in the "t=" tag.
Is this simply a mistake from moving it from perl to C, or is there an
underlying reasoning as to why this change was made that I'm missing?
Thanks!
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Received on Mon Nov 05 2012 - 23:36:53 PST
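The rule quoted from RFC 4871 section 3.8 above is small enough to implement and test directly. The following is an added example (not code from opendkim or from the original post) that parses a DKIM key record and a DKIM-Signature header and decides whether the signing identity's domain is acceptable for the record: with the "s" flag present in "t=", the i= domain must equal d=; without it, a subdomain is also accepted. The key records and signature header used as input are constructed for the example, and the p= values are placeholders rather than real keys.

```python
"""Check a DKIM signing identity against a key record's "t=" flags.

Added example implementing the RFC 4871 section 3.8 rule quoted above.
Not part of opendkim; the sample records below are constructed.
"""


def parse_tags(tag_list: str) -> dict:
    """Parse a DKIM tag=value list (key record or signature header).

    Splits on ';' and on the first '=' only, so base64 values that
    contain '=' padding (as in p= and b=) are kept intact.
    """
    tags = {}
    for part in tag_list.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def key_flags(record: str) -> set:
    """Return the set of flags in the key record's t= tag (colon-separated)."""
    t = parse_tags(record).get("t", "")
    return {flag.strip() for flag in t.split(":") if flag.strip()}


def identity_allowed(d_domain: str, i_domain: str, record: str) -> bool:
    """RFC 4871 section 3.8: t=s requires i= domain == d=; otherwise a
    subdomain of d= is also allowed."""
    d = d_domain.lower().rstrip(".")
    i = i_domain.lower().rstrip(".")
    if "s" in key_flags(record):
        return i == d
    return i == d or i.endswith("." + d)


def signature_identity_allowed(sig_header: str, record: str) -> bool:
    """Apply identity_allowed() to a DKIM-Signature header value.

    When i= is absent the signature's identity defaults to "@" + d=,
    so the domain check trivially passes.
    """
    sig = parse_tags(sig_header)
    d = sig["d"]
    identity = sig.get("i", "@" + d)
    i_domain = identity.rsplit("@", 1)[-1]
    return identity_allowed(d, i_domain, record)


# Constructed key records: the first resembles a record carrying the
# "t=s" flag that the post describes opendkim-genkey 2.7.1 emitting by
# default, the second the earlier form without it. p= is a placeholder.
STRICT_RECORD = "v=DKIM1; k=rsa; t=s; p=PLACEHOLDER_PUBLIC_KEY"
LOOSE_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"

# Constructed signature whose identity is a subdomain of d=.
SUBDOMAIN_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "i=@sub.example.com; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=="
)

if __name__ == "__main__":
    for label, rec in (("t=s", STRICT_RECORD), ("no t=s", LOOSE_RECORD)):
        ok = signature_identity_allowed(SUBDOMAIN_SIGNATURE, rec)
        print(f"{label:7s} record, i=@sub.example.com: {'accepted' if ok else 'rejected'}")
```

Running the script shows the operational consequence of the default change: a signature produced for `sub.example.com` with a key record published at `example.com` verifies against the record without the flag and fails against the one with `t=s`. A deployment that signs subdomain mail with a parent-domain key therefore needs to either remove the flag from the generated record or publish per-subdomain selectors.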