Re: [exim] DKIM pubkey_dns_syntax

Pàgina inicial
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
A: exim-users
Assumpte: Re: [exim] DKIM pubkey_dns_syntax
Jeremy Harris <jgh@???> (Mo 04 Dez 2017 13:09:51 CET):

> > So any record that doesn't start with "v=DKIM1" should Always be skipped!
>
> Which is not what the DKIM RFC says. Therefore, you have set up
> a non-useful DKIM installation.


The RFC talkes about multiple DKIM records, but does it talk about
multiple TXT records with the <selector>._domainkey.<domain> label?

From RFC 6376

7.5. _domainkey DNS TXT Resource Record Tag Specifications

A _domainkey DNS TXT RR provides for a list of tag specifications.
IANA has established the DKIM "_domainkey DNS TXT Record Tag
Specifications" registry for tag specifications that can be used in
DNS TXT resource records.

Does this mean, _domainkey is *reserved* for DKIM? Then clearly all other TXT
records under this label are a misconfiguration. From the following section it
is not clear to me:

3.6.2.2. Resource Record Types for Key Storage

The DNS Resource Record type used is specified by an option to the
query-type ("q=") tag. The only option defined in this base
specification is "txt", indicating the use of a TXT RR. A later
extension of this standard may define another RR type.

Strings in a TXT RR MUST be concatenated together before use with no
intervening whitespace. TXT RRs MUST be unique for a particular
selector name; that is, if there are multiple records in an RRset,
the results are undefined.

TXT RRs are encoded as described in Section 3.6.1.


However, if we're liberal in what we accept, we should be able to
filter-out non-DKIM records. That's what my simple patch does.

--
Heiko