Re: opendkim, "insecure key", dnssec lookups?

From: SM <sm_at_resistor.net>
Date: Wed, 25 Sep 2013 12:52:57 -0700

Hi Andreas,
At 12:02 25-09-2013, Andreas Olsson wrote:
>I'm setting up a new mail server, where I'm using opendkim to validate
>dkim signatures on incoming mail. Noticed something in the added
>Authentication-Results header, which made me wonder.
>
> Authentication-Results: mail.arrakis.se; dkim=pass
> reason="2048-bit key; insecure key"
> header.d=arrakis.se header.i=_at_arrakis.se header.b=QkUD6aEe;
> dkim-adsp=pass; dkim-atps=neutral
>
>The "insecure key" part being what I'm wondering about.
>
>From what I have understood that is due to a lack of DNSSEC validation
>of the public key?

Yes.

>The thing is that the zone arrakis.se is signed by DNSSEC, and the mail
>server in question uses a DNSSEC capable resolver. If I run the command
>below in a shell on the mail server I will get a response including the
>ad flag.
>
> dig +dnssec halleck._domainkey.arrakis.se TXT
>
>Any chance that opendkim for some reason fails to do a DNSSEC lookup due
>to some missing library/package? If so, any suggestion on how to debug
>that, or what (missing) libraries to look for?

opendkim may not have been compiled with libunbound support or it has
not been configured with a TrustAnchorFile.

Regards,
-sm
Received on Wed Sep 25 2013 - 19:53:57 PST
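As an added example (not from this thread and not OpenDKIM's own code), a small POSIX shell helper that checks the two prerequisites named in the reply above: whether the installed opendkim binary was built with libunbound, and whether opendkim.conf carries a usable TrustAnchorFile directive. It assumes `opendkim -V` lists `USE_UNBOUND` under "Active code options" on a libunbound build, and the sample `-V` output and config files it creates are constructed for the demonstration; the Debian path /usr/share/dns/root.key in one of them is an assumption about where the root trust anchor is shipped.

```shell
#!/bin/sh
# Added diagnostic for the "insecure key" result in Authentication-Results.
# Not part of OpenDKIM: it only inspects `opendkim -V` output and a config
# file to say which of the two causes (no libunbound build, no TrustAnchorFile)
# would stop DNSSEC-validated key lookups.

# diagnose_dkim_dnssec VERSION_OUTPUT CONFIG
# Prints one verdict and returns 0 only when both prerequisites are present:
#   no-unbound       build lacks USE_UNBOUND (libunbound support)
#   no-trust-anchor  no uncommented TrustAnchorFile directive in CONFIG
#   anchor-missing   TrustAnchorFile names a file that cannot be read
#   ok               libunbound build and a readable trust anchor file
diagnose_dkim_dnssec() {
    vfile=$1
    cfile=$2
    # Assumption: a libunbound build lists USE_UNBOUND under "Active code options".
    if ! grep -q '^[[:space:]]*USE_UNBOUND[[:space:]]*$' "$vfile"; then
        echo no-unbound
        return 1
    fi
    # First uncommented TrustAnchorFile directive; a '#'-prefixed line never matches $1.
    anchor=$(awk '$1 == "TrustAnchorFile" { print $2; exit }' "$cfile")
    if [ -z "$anchor" ]; then
        echo no-trust-anchor
        return 1
    fi
    if [ ! -r "$anchor" ]; then
        echo anchor-missing
        return 1
    fi
    echo ok
    return 0
}

# ---- constructed sample inputs (not captured from a real host) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Abbreviated `opendkim -V` output from a build with libunbound.
cat > "$SAMPLE_DIR/with_unbound.txt" <<'EOF'
opendkim: OpenDKIM Filter v2.10.3
        Active code options:
                USE_DB
                USE_UNBOUND
EOF

# The same from a build without it (libresolv-only lookups, no DNSSEC state).
cat > "$SAMPLE_DIR/without_unbound.txt" <<'EOF'
opendkim: OpenDKIM Filter v2.10.3
        Active code options:
                USE_DB
EOF

# Stand-in for the root trust anchor file; its contents are not parsed here.
printf '; constructed placeholder for the DNSSEC root trust anchor\n' > "$SAMPLE_DIR/root.key"

# Config with the directive commented out: the state the thread describes.
printf 'Syslog yes\n#TrustAnchorFile /usr/share/dns/root.key\n' \
    > "$SAMPLE_DIR/opendkim-noanchor.conf"
# Config with the directive pointing at a readable anchor file.
printf 'Syslog yes\nTrustAnchorFile %s\n' "$SAMPLE_DIR/root.key" \
    > "$SAMPLE_DIR/opendkim-anchor.conf"
# Config whose directive points at a file that does not exist.
printf 'TrustAnchorFile %s/does-not-exist.key\n' "$SAMPLE_DIR" \
    > "$SAMPLE_DIR/opendkim-badanchor.conf"

# Walk every combination so each verdict is shown once.
for conf in opendkim-noanchor.conf opendkim-anchor.conf opendkim-badanchor.conf; do
    for v in without_unbound.txt with_unbound.txt; do
        verdict=$(diagnose_dkim_dnssec "$SAMPLE_DIR/$v" "$SAMPLE_DIR/$conf") || true
        echo "$v + $conf: $verdict"
    done
done
```

On the mail server itself the same function is run against real input, for example `opendkim -V > /tmp/opendkim-V.txt && diagnose_dkim_dnssec /tmp/opendkim-V.txt /etc/opendkim.conf`. Once both prerequisites are in place, `opendkim-testkey -d arrakis.se -s halleck -vvv` is the direct check that the halleck selector's key is now fetched with DNSSEC validation; note that opendkim validates through libunbound itself, so the ad flag that `dig` shows from the system resolver is not, on its own, what the filter relies on.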

This archive was generated by hypermail 2.3.0 : Wed Sep 25 2013 - 20:00:01 PST