From: Murray S. Kucherawy <>
Date: Fri, 18 Dec 2009 14:10:19 -0800 (PST)

You've probably seen the RFE and related conversation about querying a
database, perhaps even LDAP, to see if a specific domain should be signed
and, if so, which key to use.

First, adding LDAP to the opendkim database stuff will be a chore, not to
mention the possible side effort of getting a schema published at the
IETF. Documentation for OpenLDAP is reputed to be poor, and there's not
much in the way of examples to work from either. But I don't expect this
is the last time we'll get such a request, so it really should be on the

Second, it's a bit of an oversight for me not to have tied the KeyList
into the new database code somehow. The catch is that the KeyList
supports regular expressions, where querying a database can't do so; you'd
have to give a user_at_host or just a host, and it comes back with a "no" or
"yes, with this selector/key". It's hard to do that using a large-scale
database like LDAP or SQL; you can't (as far as I know, but could be
wrong) have an entry containing a wildcard, so that a query for "xyz"
returns a stored value for "*y*". Obviously the opposite is true, but
that doesn't help us here. So if we tie the KeyList to the new database
code, we lose pattern matching. But maybe that's okay because nobody
really needs it.

So I propose this: We leave the KeyList in there for now in case someone
is using it for the pattern matching, but also add a new database called
the KeyTable. The database thus referenced has to be able to do key-value
queries (SQL or BDB, really), and the keys would be domains taken from
From: header fields, and the values would be of the form "name:sigkey"
where "name" is the name of the selector to be used for signing (the
domain would be the From: domain) and "sigkey" is the text representation
of the private key to be used to generate signatures. Both the BDB and
SQL approaches lend themselves to changes to the underlying data without
having to reconfigure or restart opendkim, and LDAP will as well once
added. And if nobody's really using the KeyList feature, we eventually
deprecate and remove it.

Do we think that would be sufficient, at least for now? Anything wrong
with my thinking?

I'll try to find some good references for adding LDAP support, but I'm not
too hopeful...
Received on Fri Dec 18 2009 - 22:10:39 PST
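The contrast drawn above (an exact-match KeyTable keyed by From: domain versus the regex-capable KeyList) as an added, runnable sketch; this is not OpenDKIM's own code, the table contents and placeholder key text are constructed, and the "name:sigkey" value format follows the proposal in this message:

```python
import re
from typing import NamedTuple, Optional

# Constructed sample KeyTable: From: domain -> "name:sigkey" (exact-match keys,
# as a BDB or SQL key-value lookup would provide). Key text is a placeholder.
KEYTABLE = {
    "example.com": "sel2009:-----BEGIN RSA PRIVATE KEY-----PLACEHOLDER-----END RSA PRIVATE KEY-----",
    "lists.example.com": "lists:PLACEHOLDER-KEY-2",
}

# Constructed legacy KeyList: ordered (regex pattern, selector, key) entries.
KEYLIST = [
    (r"^.*@.*\.example\.com$", "wild", "PLACEHOLDER-KEY-3"),
]


class SigningKey(NamedTuple):
    selector: str
    sigkey: str


def parse_keytable_value(value: str) -> SigningKey:
    # Split on the first colon only: the key text itself may contain colons.
    name, sep, sigkey = value.partition(":")
    if not sep or not name or not sigkey:
        raise ValueError(f"malformed KeyTable value: {value!r}")
    return SigningKey(name, sigkey)


def from_domain(sender: str) -> str:
    # Minimal, hypothetical extraction of the domain from a From: address.
    return sender.rsplit("@", 1)[-1].strip("<> ").lower()


def keytable_lookup(table: dict, sender: str) -> Optional[SigningKey]:
    # A key-value store answers exact-key queries only: a lookup for
    # "sub.example.com" cannot hit a stored wildcard such as "*.example.com".
    value = table.get(from_domain(sender))
    return parse_keytable_value(value) if value is not None else None


def keylist_lookup(entries: list, sender: str) -> Optional[SigningKey]:
    # The legacy KeyList walks regex patterns in order; first match wins.
    for pattern, selector, sigkey in entries:
        if re.match(pattern, sender):
            return SigningKey(selector, sigkey)
    return None
```

Running both lookups against "user@sub.example.com" shows the trade-off: the KeyTable returns nothing, while the regex KeyList entry matches.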

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:32:30 PST