Re: Signing problems with OpenDKIM on Ubuntu

From: Scott Kitterman <ietf-dkim_at_kitterman.com>
Date: Wed, 24 Apr 2013 13:43:34 -0400

On Wednesday, April 24, 2013 10:32:25 AM Murray S. Kucherawy wrote:
> On Tue, 23 Apr 2013, Jim Fenton wrote:
> > I think I'm all set now with my shiny new 1024 bit key. I'm still
> > getting some verification errors but I think that's because a few slave
> > name servers don't have the key record yet.
> >
> > Thanks for all the help! I wonder if this "private key too small" error
> > needs to be syslogged a bit more loudly.
>
> Yes indeed. This is fixed for 2.8.3, which I'll push out later this week
> (it was in the hopper already for some lesser things). I currently have
> the default action set to temp-fail when this happens; should it be
> "accept" (pass the message anyway)? Something is logged in either case.

Since many verifiers won't accept keys << 1024 bits, I think it would be a
mistake to allow signing messages by default. It ought to fail hard and
permanently with (maybe) an option to disable the check.

Why temp-fail? There's nothing temporary about it.

Scott K
Received on Wed Apr 24 2013 - 17:43:48 PST

This archive was generated by hypermail 2.3.0 : Wed Apr 24 2013 - 17:45:02 PST
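A verifier-side version of the key-size check discussed in the thread, added here as an example and not code from the thread or from OpenDKIM: it parses the RSA SubjectPublicKeyInfo published in a DKIM TXT record's p= value and classifies a modulus below 1024 bits as a permanent failure, not a tempfail, matching Scott's point that nothing about an undersized key is temporary. The 1024-bit threshold, the build_p fixture encoder and the constructed moduli are assumptions for the example (not real RSA keys); the parser uses only the standard library.

```python
import base64

MIN_KEY_BITS = 1024  # threshold from the thread; the policy value is an assumption
RSA_OID = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # rsaEncryption, NULL

def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus bit length of an RSA SubjectPublicKeyInfo (the DKIM p= payload)."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = _read_tlv(spki, 0)         # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = _read_tlv(spki, pos)     # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_pub, 0)   # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_p(p_value, min_bits=MIN_KEY_BITS):
    """Classify a p= value as ('pass', bits) or ('permfail', reason); never tempfail."""
    bits = rsa_modulus_bits(base64.b64decode(p_value))
    if bits < min_bits:
        return ("permfail", f"key too small: {bits} < {min_bits} bits")
    return ("pass", bits)

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep INTEGER positive

def build_p(n, e=65537):
    """Constructed fixture: base64 SubjectPublicKeyInfo for a fake modulus n."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    spki = _der(0x30, _der(0x30, RSA_OID) + _der(0x03, b"\x00" + rsa_pub))
    return base64.b64encode(spki).decode()
```

Feeding build_p((1 << 511) | 1) through check_dkim_p yields a permfail for a 512-bit modulus, while a 1024-bit or 2048-bit modulus passes.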