RE: Insecure key/policy?

From: Murray S. Kucherawy <>
Date: Mon, 28 Mar 2011 07:39:21 -0700

[please subscribe to the list so we don't have to manually approve your posts]

> -----Original Message-----
> From: [] On Behalf Of Tanguy Ortolo
> Sent: Monday, March 28, 2011 7:13 AM
> To:
> Subject: Insecure key/policy?
> Hello,
> I have noticed some “insecure key” and “insecure policy” in my
> Authentication-Results headers. This is what I found in
> opendkim.conf(5):
> InsecureKey (string)
>     Instructs the filter to treat a passing signature associated with an
>     insecure key in a special way. Possible values are neutral (return a
>     "neutral" result), none (take no special action; this is the default)
>     and fail (return a "fail" result).
>
> InsecurePolicy (string)
>     Instructs the filter to treat an ADSP policy found in an insecure DNS
>     record in a special way. Possible values are apply (apply the policy;
>     this is the default) and ignore (ignore the policy).
> However, I could not find what was an insecure key and an insecure DNS
> record. Grepping the source code, I guess that this means that the key
> or the policy DNS record is not DNSSEC'ed. If this is right, may I
> prepare a patch against the manpage?

Sure, send it along. You're right that they mean the key/policy record was retrieved while you're using DNSSEC (i.e., you compiled against unbound) but the data thus retrieved were not protected by DNSSEC.

You shouldn't see those notations at all if you're using any other resolver.
Received on Mon Mar 28 2011 - 14:39:31 PST
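
An added example, not part of the original message and not OpenDKIM code: a Python check that scans a message's Authentication-Results headers for the two notations discussed in this thread and reports which result clause carries them. The sample message, its host and domain names, and the placement of the notations inside parenthesised comments are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Notations quoted in the thread; looking for them in comments is an assumption.
NOTATIONS = ("insecure key", "insecure policy")

def split_clauses(value):
    """Split on ';' outside parentheses, since a comment may contain ';'."""
    clauses, current, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == ";" and depth == 0:
            clauses.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    clauses.append("".join(current).strip())
    return [c for c in clauses if c]

def insecure_results(raw_message):
    """Return (method, result, notation) for each flagged result clause."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for value in msg.get_all("Authentication-Results", []):
        for clause in split_clauses(" ".join(str(value).split())):
            m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if not m:
                continue  # authserv-id clause, not a method=result pair
            for comment in re.findall(r"\(([^()]*)\)", clause):
                parts = [p.strip().lower() for p in comment.split(";")]
                hits += [(m[1].lower(), m[2].lower(), n)
                         for n in NOTATIONS if n in parts]
    return hits

# Constructed sample headers (hypothetical hosts and domains).
SAMPLE = """\
Authentication-Results: mx.example.org;
 dkim=pass (1024-bit key; insecure key) header.d=example.com;
 dkim-adsp=pass (insecure policy)
Authentication-Results: mx.example.org; dkim=pass (1024-bit key) header.d=example.net
"""

if __name__ == "__main__":
    for method, result, notation in insecure_results(SAMPLE):
        print(f"{method}={result}: {notation} (record not protected by DNSSEC)")
```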
