Re: Listing the "testing" flag in Authentication-Results?

From: Dan Mahoney, System Admin <danm_at_prime.gushi.org>
Date: Mon, 17 Dec 2012 12:03:48 -0800 (PST)

On Sun, 16 Dec 2012, SM wrote:

> At 22:45 12-12-2012, Dan Mahoney, System Admin wrote:
>> 1) I'm running opendkim-milter under FreeBSD, and I could have sworn that
>> if you had t=y set on your flag during verification, that you'd get
>> something like "result=pass (testing)" in the Authentication-Results
>> header. Am I just misremembering, or does the (testing) only show up in
>> failure situations, or ADSP testing?
>
> There will be a "testing" in the Authentication-Results header. BTW, the
> verification for this message was "verification error: signing key too small;
> secure key".

It wasn't the same key, but that's useful to know. Guess it's time to
re-key. I *have* been using dkim/domainkeys for...many years now with
that key.

Luckily, all the zones that use it include a single file in their
zonefiles, making key-rolls easy.

I see we've also reached the golden age of dnssec-awareness. Yay. (With
my DayJob hat on, I'm happy about this).

>> 2) I've had a few experiences where I've had a key retrieval failure (DNS
>> issues), and I found that while OpenDKIM adds the X-DKIM header, and logged
>> the error to syslog, there's not a corresponding authentication-results
>> header that would be shown to the user that indicates this was tried and
>> failed. Is it possible to "log" this to the mail message?
>
> In such cases you should see:
>
> Authentication-Results: mail.example.com; dkim=permerror
> reason="key not found"

The error I got in my maillogs was simply this:

maillog.3.bz2:Dec 13 01:21:47 quark-vm opendkim[2259]: qBD1LSrY002460: key
retrieval failed (s=dkim2012, d=isc.org): 'dkim2012._domainkey.isc.org'
query failed

And no authentication-results header, but it is 2.5.2 (on the validator
side), so if this is a recent feature addition, I'm not sure. Would you
know offhand? (I'm upgrading now).

> See the "On-DNSError" setting for setting the milter behavior on such
> failures.

Excellent, thanks.

-- 
--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
Received on Mon Dec 17 2012 - 20:04:02 PST
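
The two key-record properties discussed in this thread, the t=y testing flag and a signing key that a verifier rejects as too small, can both be checked directly from the DKIM key TXT record. The following is an added example, not code from the thread or from OpenDKIM; the function names are hypothetical, the 1024-bit threshold is an assumption, and the sample records are constructed with dummy moduli rather than real keys.

```python
import base64

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    _, body, _ = _tlv(der, 0)              # outer SEQUENCE
    _, _, alg_end = _tlv(der, body)        # AlgorithmIdentifier, skipped
    tag, bits, _ = _tlv(der, alg_end)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, seq, _ = _tlv(der, bits + 1)        # +1 skips the unused-bits octet
    _, start, end = _tlv(der, seq)         # first INTEGER is the modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def audit_key_record(txt, min_bits=1024):  # min_bits: assumed policy threshold
    """Report testing flag, revocation and key size for a DKIM key TXT record."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    report = {"testing": "y" in tags.get("t", "").split(":"),
              "revoked": not tags.get("p"), "bits": None, "too_small": False}
    if not report["revoked"] and tags.get("k", "rsa") == "rsa":
        report["bits"] = rsa_bits(base64.b64decode(tags["p"]))
        report["too_small"] = report["bits"] < min_bits
    return report

def _der(tag, body):                       # minimal DER encoder for the samples only
    n, width = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + size + body

def sample_record(bits, flags=""):
    """Constructed key record with a dummy modulus of the given size, not a real key."""
    modulus = b"\x00\xc3" + b"\x01" * (bits // 8 - 1)
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    t = f" t={flags};" if flags else ""
    return f"v=DKIM1; k=rsa;{t} p=" + base64.b64encode(spki).decode()
```

Calling audit_key_record(sample_record(512, "y")) returns testing=True, revoked=False, bits=512, too_small=True. To audit a live record, pass in the TXT value published at selector._domainkey.domain with its quoted strings concatenated.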
