Re: Remote key generation

From: David L Neil <opendkim_at_DancesWithMice.info>
Date: Sun, 17 Mar 2019 14:24:06 +1300

> On Thu 14/Mar/2019 20:30:49 +0100 David L Neil wrote:
>
>> Is it possible, and are there any security objections to, generating keys and
>> opendkim keyfiles (etc) on one machine, for deployment to another?


Thank you Alice and Ale, for confirmation that thinking is on-track.


> I use Murray's opendkim-genkey[*]. It is a Perl script whose core consists of the openssl call that actually generates the key:
> $status = system("openssl rsa -in " . $selector . ".private -pubout -out " . $selector . ".public -outform PEM > /dev/null 2>&1");

Yes, I've found genkey most convenient (from BASH).

I wrote that "The 'generator' machine does not run opendkim". Re-reading
this reminded me that I hadn't gone looking for the opportunity to
download genkey without 'everything else' (I think your web-ref answers).

However, I hadn't realised that it is itself a convenience/helper. If I
decide to write such a tool in Python, I'm thinking that it might as
well 'exec' the base-method (and save an extra download
task/dependency). Thanks for that.


> 4 deploy at appropriate times-of-day
> Check what is the highest TTL among your servers, and schedule a longer interval between key publication and private key deployment. There is nothing wrong in having new public keys collecting mold on the DNS for as long as needed, before private keys are deployed.

I was wondering how long to hold Postfix's outbound queue/SMTP, to allow
for transmissions using 'the old', before posting 'the new'.

This advice seems to suggest leaving 'the old' up, for 'however-long'
*after* installing 'the new'. Do I take it that you always change the
DKIM selector along with the new keys? (common advice is to include a
date-component) That such practice is only possible if one also changes
the selector?


>> Better still: has it already been done/is there some web-based service I've not
>> yet found?
> You mean a public service? Sure you must be joking :-)

Yes, just like the guys who offer open-source DKIM software, postfix
SMTP servers, Dovecot IMAP...

-- 
Regards =dn
Received on Sun Mar 17 2019 - 01:24:48 PST
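An added example illustrating the approach discussed in this thread (it is neither the opendkim project's genkey nor code from any poster): a small Python helper that, like opendkim-genkey, shells out to the stock openssl CLI to generate the key pair, names the selector with a date component so old and new keys can coexist, turns the PEM public key into the DNS TXT record, and computes the earliest time the private key may be deployed given the highest TTL among your servers. The function names, the `openssl genrsa`/`openssl rsa` invocation, the one-hour safety margin and the PEM fragment in the usage section are all assumptions of this example; openssl is assumed to be on PATH on the generator machine, which need not run opendkim itself.

```python
"""DKIM key generation and rotation helper (added example, not from the thread)."""
from __future__ import annotations

import datetime as dt
import shutil
import subprocess
import tempfile
from pathlib import Path


def make_selector(prefix: str, when: dt.date) -> str:
    """Selector with a date component, e.g. 'mail201903', so that the previous
    selector's public key can stay published while the new one is rolled out."""
    return f"{prefix}{when:%Y%m}"


def generate_keypair(selector: str, out_dir: Path, bits: int = 2048) -> tuple[Path, Path]:
    """Generate <selector>.private and <selector>.public with the openssl CLI,
    mirroring what opendkim-genkey does, without needing opendkim installed."""
    priv = out_dir / f"{selector}.private"
    pub = out_dir / f"{selector}.public"
    subprocess.run(["openssl", "genrsa", "-out", str(priv), str(bits)],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "rsa", "-in", str(priv), "-pubout",
                    "-out", str(pub), "-outform", "PEM"],
                   check=True, capture_output=True)
    priv.chmod(0o600)  # private key must not be world-readable before transfer
    return priv, pub


def pem_to_dkim_txt(pem_text: str, selector: str, domain: str) -> str:
    """Build the <selector>._domainkey TXT record from a PEM public key.
    A single TXT string is limited to 255 bytes, so the record is split into
    quoted chunks that resolvers concatenate."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    record = f"v=DKIM1; k=rsa; p={body}"
    chunks = [record[i:i + 255] for i in range(0, len(record), 255)]
    return (f"{selector}._domainkey.{domain}. IN TXT "
            + " ".join(f'"{c}"' for c in chunks))


def earliest_private_deploy(published_at: dt.datetime, ttls_seconds: list[int],
                            margin: dt.timedelta = dt.timedelta(hours=1)) -> dt.datetime:
    """Earliest time to start signing with the new private key: the public key
    must have been in DNS for longer than the highest TTL any server uses, plus
    a margin (assumed here: one hour), so no resolver still holds a stale answer."""
    return published_at + dt.timedelta(seconds=max(ttls_seconds)) + margin


if __name__ == "__main__":
    # Constructed walk-through; real runs would write into the deployment staging area.
    selector = make_selector("mail", dt.date(2019, 3, 17))
    published = dt.datetime(2019, 3, 17, 0, 0)
    print("selector:", selector)
    print("deploy private key no earlier than:",
          earliest_private_deploy(published, [300, 3600, 86400]))
    if shutil.which("openssl"):
        with tempfile.TemporaryDirectory() as tmp:
            _, pub = generate_keypair(selector, Path(tmp))
            print(pem_to_dkim_txt(pub.read_text(), selector, "example.com"))
    else:
        # Constructed, truncated PEM fragment used only to show the record layout.
        fake_pem = ("-----BEGIN PUBLIC KEY-----\n"
                    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
                    "-----END PUBLIC KEY-----\n")
        print(pem_to_dkim_txt(fake_pem, selector, "example.com"))
```

The rotation order this encodes is the one Ale describes: publish the new selector's TXT record, wait longer than the highest TTL, then copy the private key to the signing host and switch the selector; the old record can be left in DNS until every message signed with the old key has been delivered, which is why the selector, not the key alone, must change.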

This archive was generated by hypermail 2.3.0 : Sun Mar 17 2019 - 05:00:00 PST