Re: [exim] DKIM pubkey_dns_syntax

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] DKIM pubkey_dns_syntax
Mike Brudenell via Exim-users <exim-users@???> (Mo 04 Dez 2017 16:11:15 CET):
> Strictly speaking the RFC says that the tag name ("v") MUST be compared
> case-insensitively, and its value compared case-sensitively unless the
> specific description for the tag says otherwise.
>
> The description for "v" doesn't mention allowing case-insensitive
> comparisons for its value, but does say the value MUST be "DKIM1". (Hence
> we're being generous (and non-conformant) by comparing the tag's value case
> insensitively.)


The RegEx I showed was just for illustrative purpose.
The real code uses strncasecmp(<rrdata>, 'v=dkim', 6)

> A couple of other points though:
>
>    - We should perhaps have the pattern anchored to the end of the string
>    with a "$" as the RFC explicitly says a string comparison must be done, and
>    that "DKIM1" is *not* the same as "DKIM1.0" (which the current pattern
>    would allow)?

>
>    - The "v" tag doesn't appear to be mandatory, but only recommended, and
>    if omitted should default to "DKIM1". So strictly speaking if we're
>    insisting on the presence of "v=DKIM1" to consider the DNS record to be
>    valid we're being overly restrictive. If it's missing the "v" tag but is
>    otherwise a syntactically correct DKIM record it should have its value used.


Ok, that's a valid point to consider.
If I got it right

    strncasecmp(<rrdata>, 'v=dkim', 6)
    strncmp(<rrdata>, 'DKIM', 4)


would be closer than the current approach and hopefully close enough to
the RFC?

Maybe I'll check how far we can rely on the function that really parses
the DKIM record, to find the first valid DKIM record (skipping all
invalid records).

@Jeremy: We get close to your recommendation, collecting the strings in
a list and then pass the list to the pdkim_parse_pubkey (or similar)
function.

--
Heiko
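
Added example (not Exim's code and not written by anyone in this thread): a C check of the `v` tag that reflects the points raised above, with an exact, case-sensitive, whole-value match so that "DKIM1.0" is rejected, and a record without a `v` tag accepted as DKIM1. The name `dkim_version_ok` and the sample records in the comments are constructed; matching the tag name case-insensitively follows the quoted message, and the rule that `v`, if present, must be the first tag is taken from RFC 6376.

```c
#include <ctype.h>
#include <string.h>

/* Skip spaces and tabs; stops at ';' or NUL at the latest. */
static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Returns 1 if the key record's version is acceptable (v=DKIM1 as the
   first tag, or no v tag at all), 0 otherwise.
   Constructed inputs: "v=DKIM1; k=rsa; p=ABC", "v=DKIM1.0; p=ABC". */
int dkim_version_ok(const char *rr)
{
    int first = 1;
    const char *p = rr;

    while (*p) {
        const char *end = strchr(p, ';');      /* tags are ';'-separated */
        if (!end) end = p + strlen(p);

        const char *name = skip_ws(p);
        const char *eq = memchr(name, '=', (size_t)(end - name));
        if (eq) {
            const char *ne = eq;               /* trim the tag name */
            while (ne > name && (ne[-1] == ' ' || ne[-1] == '\t')) ne--;

            /* tag name matched case-insensitively, as in the thread */
            if (ne - name == 1 && tolower((unsigned char)*name) == 'v') {
                const char *val = skip_ws(eq + 1);
                const char *ve = end;          /* trim the value */
                while (ve > val && (ve[-1] == ' ' || ve[-1] == '\t')) ve--;
                /* value: exact, case-sensitive, whole-string match */
                return first && ve - val == 5 && memcmp(val, "DKIM1", 5) == 0;
            }
        }
        first = 0;
        p = *end ? end + 1 : end;
    }
    return 1;   /* no v tag present: version defaults to DKIM1 */
}
```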