Re: [exim-dev] DKIM Signing and renewing DKIM certificates
Thread participants: Jeremy Harris, Mark Elkins
> create the domain.pem & domain.pub parts, create and publish the
> DKIM DNS record with the PUB data as "mail.__domainkey" (where
> "mail" is my selector).
1. Your customer sets up CNAMEs for all three inside their domain, so that they have to touch DNS once, to set up the CNAMEs, then never have to change DNS again. You can rotate freely without having to coordinate with different DNS zones.

2. You start with x1. You publish it. You use s=x1 in the DKIM signatures. Leave x1/x2 empty, perhaps a TXT record `""`. As long as no mails are sent using those selectors, no validators will look them up in DNS, so you don't need to care. Just have something so that DNS control panels which check for "something exists for this CNAME" won't make life hard for your customers.

3. Later, you publish x2 in DNS. After a TTL wait, you can start using s=x2 in signatures.

4. You leave x1 in DNS. Let older signatures continue to validate.

5. Somewhere between "some time later" and "when you publish x3", you stop publishing x1 in DNS. Signatures made with that will no longer validate.

6. You publish x3. You unpublish x1 if it's still published. Follow the usual dance.

7. After x3, circle back around to x1.
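The three-selector rotation described in the reply, modelled as a small state machine. This is an added example written for this page, not code from the poster or from the Exim project. The selector names x1/x2/x3, the zone names `customer.example` and `dkim.signer.example`, the key strings and the TTL values are all constructed placeholders; the "zone" is an in-memory dictionary standing in for the signer-controlled DNS zone that the customer's CNAMEs point at. The model enforces the two rules that matter operationally: a selector may not be used for signing until a TTL has elapsed since it was published, and the selector currently used for signing may not be unpublished.

```python
"""Toy model of rotating DKIM selectors x1 -> x2 -> x3 -> x1 (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SELECTORS = ("x1", "x2", "x3")   # hypothetical selector names from the reply
EMPTY_TXT = '""'                  # placeholder TXT so the CNAME target "exists"


def next_selector(selector: str) -> str:
    """After x3, circle back around to x1."""
    return SELECTORS[(SELECTORS.index(selector) + 1) % len(SELECTORS)]


def customer_cname(customer_domain: str, selector: str, signer_zone: str) -> Tuple[str, str]:
    """The one-time CNAME the customer publishes for a selector (constructed names)."""
    return (f"{selector}._domainkey.{customer_domain}",
            f"{selector}._domainkey.{signer_zone}.")


@dataclass
class SelectorZone:
    """In-memory stand-in for the signer-controlled zone holding the selector TXT records."""
    ttl: int                                   # TTL (seconds) of the selector records
    now: int = 0                               # simulated clock, seconds
    records: Dict[str, Tuple[str, int]] = field(
        default_factory=lambda: {s: (EMPTY_TXT, 0) for s in SELECTORS})
    signing: Optional[str] = None              # selector currently used as s= in signatures

    def advance(self, seconds: int) -> None:
        self.now += seconds

    def publish(self, selector: str, pubkey_b64: str) -> None:
        # Record text as a validator would fetch it, plus the time it went live.
        self.records[selector] = (f"v=DKIM1; k=rsa; p={pubkey_b64}", self.now)

    def unpublish(self, selector: str) -> None:
        # Never pull the key that outgoing mail is still being signed with.
        if selector == self.signing:
            raise ValueError(f"{selector} is still the signing selector")
        self.records[selector] = (EMPTY_TXT, self.now)

    def is_published(self, selector: str) -> bool:
        return self.records[selector][0].startswith("v=DKIM1")

    def start_signing(self, selector: str) -> None:
        # Step 3 of the reply: publish first, wait a TTL, only then sign with it.
        record, published_at = self.records[selector]
        if not self.is_published(selector):
            raise ValueError(f"{selector} is not published")
        if self.now - published_at < self.ttl:
            raise ValueError(f"{selector} published {self.now - published_at}s ago; wait a TTL")
        self.signing = selector

    def signature_validates(self, selector: str) -> bool:
        """A validator only finds a key for selectors that are currently published."""
        return self.is_published(selector)


def run_rotation(ttl: int = 3600, grace: int = 7 * 86400) -> List[Tuple[int, Optional[str], Tuple[str, ...]]]:
    """Walk steps 2..7 of the reply once; return (step, signing, published) snapshots."""
    zone = SelectorZone(ttl=ttl)
    log: List[Tuple[int, Optional[str], Tuple[str, ...]]] = []

    def snap(step: int) -> None:
        log.append((step, zone.signing, tuple(s for s in SELECTORS if zone.is_published(s))))

    zone.publish("x1", "KEY1");  zone.advance(ttl); zone.start_signing("x1"); snap(2)
    zone.publish("x2", "KEY2");  zone.advance(ttl); zone.start_signing("x2"); snap(3)
    snap(4)                      # x1 stays published: older signatures still validate
    zone.advance(grace); zone.unpublish("x1"); snap(5)
    zone.publish("x3", "KEY3");  zone.advance(ttl); zone.start_signing("x3"); snap(6)
    zone.unpublish("x2")         # x2 now plays the role x1 played in step 5
    zone.publish(next_selector("x3"), "KEY1-new"); zone.advance(ttl)
    zone.start_signing("x1"); snap(7)
    return log


def premature_signing_rejected(ttl: int = 3600) -> bool:
    """Signing with a freshly published selector before a TTL has passed is refused."""
    zone = SelectorZone(ttl=ttl)
    zone.publish("x2", "KEY2")
    try:
        zone.start_signing("x2")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for step, signing, published in run_rotation():
        print(f"step {step}: signing with {signing}, published {published}")
```

Reading the snapshots, x1 and x2 are both published during steps 3 and 4, so mail signed with s=x1 before the switch still validates until the grace period ends at step 5; the `premature_signing_rejected` check shows why the TTL wait matters, since a validator that cached the empty record would reject a signature made too early.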