opendkim-genkey and "r=" tag

From: Giovanni Bajo <rasky_at_develer.com>
Date: Thu, 25 Aug 2011 18:17:26 +0200

Hi,

opendkim-genkey (in OpenDKIM 2.4.2) generates DNS records which contain the "r=" tag for reporting; by default, it sets "r=postmaster;".

The "r=" tag is described in RFCs such as http://www.dkim.org/specs/draft-kucherawy-dkim-reporting.txt, and to the best of my understanding is not part of the official/original DKIM specification (http://www.ietf.org/rfc/rfc4871.txt).

RFC4871 says in 6.1.2.5:
> If the result returned from the query does not adhere to the
> format defined in this specification, the verifier MUST ignore
> the key record and return PERMFAIL (key syntax error). Verifiers
> are urged to validate the syntax of key records carefully to
> avoid attempted attacks. In particular, the verifier MUST ignore
> keys with a version code ("v=" tag) that they do not implement.


To the best of my understanding, this means that verifiers adhering to RFC4871 MUST return PERMFAIL when presented with DNS records as produced by opendkim-genkey by default. In fact, the gmail verifier does this (as can be inferred from the Authentication-Results header added by the GMail smtp system).

I'm pretty new to dkim, but it would look to me that if someone wants to add a specification for a "r=" tag in the DNS, that specification must also increase the "v=" tag version number.

Is this correct or am I missing something?

Thanks!
-- 
Giovanni Bajo   ::  rasky_at_develer.com
Develer S.r.l.  ::  http://www.develer.com
My Blog: http://giovanni.bajo.it
Received on Thu Aug 25 2011 - 16:17:33 PST
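As an added example (not OpenDKIM code and not part of the message above), here is a Python check of a DKIM key record against the tag-list grammar of RFC 4871 section 3.2 and the key-record tags of section 3.6.1. Section 3.2 also says that unrecognized tags MUST be ignored, so the check records "r=" as an ignored tag rather than failing on it, while genuine syntax errors (a v= other than DKIM1, v= not in first position, a duplicate tag, a tag-spec without "=", non-base64 data in p=) return PERMFAIL as section 6.1.2.5 requires. The sample records, including the key material in p=, are constructed for the example and are not real keys.

```python
"""Added example: syntax check for a DKIM key record (DNS TXT RDATA)
following RFC 4871 sections 3.2 and 3.6.1. Not OpenDKIM code."""
import base64
import binascii
import re

# tag-name = ALPHA 0*ALNUMPUNC, ALNUMPUNC = ALPHA / DIGIT / "_"   (RFC 4871 3.2)
_TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
# tval = 1*VALCHAR, VALCHAR = %x21-3A / %x3C-7E (printable ASCII except ';')
_TVAL = re.compile(r"^[\x21-\x3a\x3c-\x7e]+$")

# Tags defined for key records in RFC 4871 section 3.6.1.
KNOWN_KEY_TAGS = {"v", "g", "h", "k", "n", "p", "s", "t"}


class PermFail(Exception):
    """The record must be ignored and PERMFAIL returned (RFC 4871 6.1.2.5)."""


def parse_tag_list(text):
    """Split a tag=value list into an insertion-ordered dict, enforcing the grammar."""
    specs = text.split(";")
    if specs and specs[-1].strip(" \t\r\n") == "":
        specs.pop()  # a tag-list may end with one trailing ';'
    tags = {}
    for spec in specs:
        if "=" not in spec:
            raise PermFail("tag-spec without '=': %r" % spec.strip())
        name, value = spec.split("=", 1)
        name = name.strip(" \t\r\n")    # [FWS] tag-name [FWS]
        value = value.strip(" \t\r\n")  # [FWS] tag-value [FWS]
        if not _TAG_NAME.match(name):
            raise PermFail("bad tag name %r" % name)
        if name in tags:
            raise PermFail("duplicate tag %r" % name)  # whole list is invalid
        # tag-value = [ tval 0*( 1*(WSP / FWS) tval ) ]; an empty value is legal
        for tval in value.split():
            if not _TVAL.match(tval):
                raise PermFail("bad value in tag %r" % name)
        tags[name] = value
    if not tags:
        raise PermFail("empty tag-list")
    return tags


def check_key_record(text):
    """Validate the key-record tags of RFC 4871 3.6.1; raise PermFail on error."""
    tags = parse_tag_list(text)
    if "v" in tags:
        if tags["v"] != "DKIM1":
            raise PermFail("unsupported key record version %r" % tags["v"])
        if next(iter(tags)) != "v":
            raise PermFail("v= must be the first tag")
    if "p" not in tags:
        raise PermFail("missing required p= tag")
    pub = "".join(tags["p"].split())  # FWS is permitted inside the base64 data
    if pub:
        try:
            base64.b64decode(pub, validate=True)
        except (ValueError, binascii.Error):
            raise PermFail("p= is not valid base64")
    return {
        "tags": {k: v for k, v in tags.items() if k in KNOWN_KEY_TAGS},
        "ignored": [k for k in tags if k not in KNOWN_KEY_TAGS],  # e.g. "r"
        "key_type": tags.get("k", "rsa"),  # k= defaults to rsa
        "revoked": pub == "",              # empty p= means the key is revoked
    }


def verify_key_record(text):
    """Return {'result': 'ok', ...} or {'result': 'PERMFAIL', 'reason': ...}."""
    try:
        info = check_key_record(text)
    except PermFail as e:
        return {"result": "PERMFAIL", "reason": str(e)}
    info["result"] = "ok"
    return info


# Constructed sample key material: base64 of a placeholder, not a real RSA key.
SAMPLE_P = base64.b64encode(b"not a real RSA public key").decode("ascii")

# Constructed records; "genkey_default" mirrors the shape discussed above.
SAMPLE_RECORDS = {
    "genkey_default": "v=DKIM1; k=rsa; r=postmaster; p=" + SAMPLE_P,
    "folded_p": "v=DKIM1; p=" + SAMPLE_P[:10] + " " + SAMPLE_P[10:],
    "revoked": "v=DKIM1; p=",
    "bad_version": "v=DKIM2; k=rsa; p=" + SAMPLE_P,
    "v_not_first": "k=rsa; v=DKIM1; p=" + SAMPLE_P,
    "duplicate_tag": "v=DKIM1; p=" + SAMPLE_P + "; p=" + SAMPLE_P,
    "no_equals": "v=DKIM1; postmaster; p=" + SAMPLE_P,
    "bad_base64": "v=DKIM1; p=not*base64",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print("%-14s %s" % (name, verify_key_record(rec)))
```

Run it directly to see each constructed record classified; the one with "r=postmaster" parses cleanly with "r" listed under "ignored", and only the malformed records come back as PERMFAIL.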
