Re: "unprotected key" with DNSSEC

From: Benny Pedersen <me_at_junc.eu>
Date: Wed, 31 Aug 2016 17:13:09 +0200

On 2016-08-31 07:01, Jim Fenton wrote:
> Yes, I apologize for incomplete info. I think one of the subsequent
> answers covered it, but for the record:

[snip]
# opendkim -n -V
opendkim: OpenDKIM Filter v2.10.3
        Compiled with OpenSSL 1.0.2h 3 May 2016
        SMFI_VERSION 0x1000001
        libmilter version 1.0.1
        Supported signing algorithms:
                rsa-sha1
                rsa-sha256
        Supported canonicalization algorithms:
                relaxed
                simple
        Active code options:
                POPAUTH
                QUERY_CACHE
                USE_DB
                USE_ODBX
                USE_UNBOUND
                _FFR_ATPS
                _FFR_DEFAULT_SENDER
                _FFR_IDENTITY_HEADER
                _FFR_RATE_LIMIT
                _FFR_REPLACE_RULES
                _FFR_RESIGN
                _FFR_SENDER_MACRO
                _FFR_STATS
                _FFR_VBR
        libopendkim 2.10.3: atps query_cache

# cat /etc/dnssec/root-anchor.txt
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1470661125 ;;Mon Aug 8 13:58:45 2016
;;last_success: 1470661125 ;;Mon Aug 8 13:58:45 2016
;;next_probe_time: 1470702703 ;;Tue Aug 9 01:31:43 2016
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0
;;lastchange=1470660831 ;;Mon Aug 8 13:53:51 2016

# cat /etc/opendkim/opendkim.conf

AlwaysAddARHeader yes
AuthservID linode.junc.eu
Canonicalization simple/simple
DiagnosticDirectory /var/tmp
Diagnostics no
DomainKeysCompat yes
KeyTable file:/etc/opendkim/KeyTable
LogResults yes
LogWhy yes
MaximumSignaturesToVerify 2
Mode vs
MTA linode.junc.eu
PidFile /var/run/opendkim/opendkim.pid
SenderMacro {mail_addr}
SendReports yes
SignatureTTL 432000
SigningTable file:/etc/opendkim/SigningTable
Socket inet:8891@localhost
SoftwareHeader no
StatisticsName linode.junc.eu
Statistics /var/tmp/dkim.dat
SyslogSuccess yes
Syslog yes
UserID milter:milter
ClockDrift 600
MinimumKeyBits 1024
Quarantine no
Nameservers 127.0.0.1
ExternalIgnoreList refile:/etc/opendkim/ignorelist/external
InternalHosts 127.0.0.0/8,::1
On-BadSignature accept
On-Default accept
On-DNSError accept
On-InternalError accept
On-KeyNotFound accept
On-NoSignature accept
On-Security accept
On-SignatureError accept
TrustAnchorFile /etc/dnssec/root-anchors.txt

I still see unprotected from hotmail.com

gmail, yahoo, google are not helpful with dnssec
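Before attributing "unprotected key" to the remote domain, it is worth confirming that the trust anchor OpenDKIM is told to use is actually there: the post above cats /etc/dnssec/root-anchor.txt while the config's TrustAnchorFile names /etc/dnssec/root-anchors.txt, and the post does not say whether both files exist. The script below is an added example, not code from the post or from the OpenDKIM project: it extracts the TrustAnchorFile directive from a config, checks that the file exists, is readable, and carries a root KSK (a DNSKEY record for "." with flags 257, as the autotrust file in the post does). The directory, file names and key material in the demo fixture are constructed for the example; run it against the real /etc/opendkim/opendkim.conf as the milter user (UserID milter in the post) to also catch a permissions problem.

```shell
#!/bin/sh
# Added example (not from the original post or OpenDKIM): sanity-check the
# TrustAnchorFile that an opendkim.conf points at. Paths and key material
# used in the demo at the bottom are constructed, not real.

# check_trust_anchor CONF
# Prints a one-line diagnosis and returns 0 only if the file named by the
# TrustAnchorFile directive in CONF exists, is readable by the caller, and
# contains a root KSK record (". <ttl> IN DNSKEY 257 ...").
check_trust_anchor() {
    conf="$1"
    # First TrustAnchorFile directive wins; OpenDKIM config is "Key Value".
    anchor=$(awk '$1 == "TrustAnchorFile" { print $2; exit }' "$conf")
    if [ -z "$anchor" ]; then
        echo "no TrustAnchorFile directive in $conf"
        return 1
    fi
    if [ ! -e "$anchor" ]; then
        echo "TrustAnchorFile $anchor does not exist (check for a typo in the path)"
        return 1
    fi
    if [ ! -r "$anchor" ]; then
        echo "TrustAnchorFile $anchor is not readable by $(id -un)"
        return 1
    fi
    # A usable root anchor holds a KSK: flags field 257 on a DNSKEY for ".".
    if ! grep -Eq '^\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+DNSKEY[[:space:]]+257[[:space:]]' "$anchor"; then
        echo "TrustAnchorFile $anchor has no root KSK (DNSKEY 257) record"
        return 1
    fi
    echo "TrustAnchorFile $anchor looks usable"
    return 0
}

# Demo fixture (constructed): an autotrust-style anchor file with a fake key,
# one config that names it correctly and one that names a misspelled path.
demo_dir=$(mktemp -d)
cat > "$demo_dir/root-anchor.txt" <<'EOF'
; autotrust trust anchor file
. 172800 IN DNSKEY 257 3 8 AwEAAexampleKeyMaterialNotARealKey=
;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0
EOF
printf 'Mode vs\nTrustAnchorFile %s/root-anchor.txt\n' "$demo_dir" > "$demo_dir/good.conf"
printf 'Mode vs\nTrustAnchorFile %s/root-anchors.txt\n' "$demo_dir" > "$demo_dir/bad.conf"

check_trust_anchor "$demo_dir/good.conf"
check_trust_anchor "$demo_dir/bad.conf" || true
```

A passing check only rules out the local half of the problem: with a valid anchor, OpenDKIM (built with USE_UNBOUND, as in the version output above) can still only report a key as protected when the signing domain's selector record is itself DNSSEC-signed, so the result for an unsigned zone is expected to stay "unprotected key".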
Received on Wed Aug 31 2016 - 15:13:24 PST

This archive was generated by hypermail 2.3.0 : Wed Aug 31 2016 - 15:18:00 PST