RE: opendkim-genkey and "r=" tag

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Thu, 25 Aug 2011 11:08:05 -0700

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of SM
> Sent: Thursday, August 25, 2011 10:19 AM
> To: Giovanni Bajo
> Cc: opendkim-users_at_lists.opendkim.org
> Subject: Re: opendkim-genkey and "r=" tag
>
> At 09:17 25-08-2011, Giovanni Bajo wrote:
> >opendkim-genkey (in OpenDKIM 2.4.2) generates
> >DNS records which contain the "r=" tag for
> >reporting; by default, it sets "r=postmaster;".
> >
> >The "r=" tag is described in RFCs such as
> >http://www.dkim.org/specs/draft-kucherawy-dkim-reporting.txt,
> >and to the best of my understanding is not part of the official/original
>
> That's an Internet-Draft and not a RFC.

It's also obsolete; it's now draft-ietf-marf-dkim-reporting.

> >DKIM specification (http://www.ietf.org/rfc/rfc4871.txt).
> >
> >RFC4871 says in 6.1.2.5:
> > > If the result returned from the query does not adhere to the
> > > format defined in this specification, the verifier MUST ignore
> > > the key record and return PERMFAIL (key syntax error). Verifiers
> > > are urged to validate the syntax of key records carefully to
> > > avoid attempted attacks. In particular, the verifier MUST ignore
> > > keys with a version code ("v=" tag) that they do not implement.
> >
> >To the best of my understanding, this means that
> >verifiers adhering to RFC4871 MUST return
> >PERMFAIL when presented DNS records as produced
> >by opendkim-genkey by default.

That's not correct. The syntax referred to here is the "tag=value;" list style, and the output of opendkim-genkey conforms to that syntax. Section 3.6.1 of RFC4871 allows for unknown tags:

   The overall syntax is a tag-list as described in Section 3.2. The
   current valid tags are described below. Other tags MAY be present
   and MUST be ignored by any implementation that does not understand
   them.

Their presence doesn't break the syntax.

> >In fact, the
> >gmail verifier does this (as can be inferred by
> >the header Authentication-Results added by the GMail smtp system).

Not true. The public key record at medusa3._domainkey.blackops.org contains "r=" and "rs=" tags, and Gmail validates it just fine:

Authentication-Results: mx.google.com; spf=pass (google.com: domain of msk_at_blackops.org designates 208.69.40.157 as permitted sender) smtp.mail=msk_at_blackops.org; dkim=pass (test mode) header.i=_at_blackops.org

What error are you getting when you try?

-MSK
Received on Thu Aug 25 2011 - 18:08:13 PST
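As an added illustration of the parsing rule MSK cites (this is not code from the thread or from OpenDKIM), a verifier-side check in Python that treats the key record as a tag=value list: unknown tags such as r= and rs= are ignored as RFC 4871 section 3.6.1 requires, while genuine syntax errors, repeated tags and a v= version the verifier does not implement return PERMFAIL. The sample records and the p= value are constructed placeholders, not real keys.

```python
import re
import base64

KNOWN_KEY_TAGS = {"v", "g", "h", "k", "n", "p", "s", "t"}  # RFC 4871 section 3.6.1
TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


class PermFail(Exception):
    """The verifier must ignore the key record (RFC 4871 section 6.1.2.5)."""


def parse_tag_list(record):
    """Parse 'tag=value; tag=value' syntax (RFC 4871 section 3.2)."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:  # a trailing ';' is legal
            continue
        if "=" not in item:
            raise PermFail("key syntax error: no '=' in %r" % item)
        name, value = (part.strip() for part in item.split("=", 1))
        if not TAG_NAME.match(name):
            raise PermFail("key syntax error: bad tag name %r" % name)
        if name in tags:  # section 3.2: a repeated tag name invalidates the list
            raise PermFail("key syntax error: duplicate tag %r" % name)
        tags[name] = value
    return tags


def validate_key_record(record):
    """Return (tags, ignored_unknown_tags) or raise PermFail."""
    tags = parse_tag_list(record)
    # v= is optional, but a version the verifier does not implement is fatal.
    if tags.get("v", "DKIM1") != "DKIM1":
        raise PermFail("unsupported key version %r" % tags["v"])
    if "p" not in tags:  # p= is REQUIRED; an empty value means "revoked"
        raise PermFail("key syntax error: p= tag is required")
    try:
        base64.b64decode("".join(tags["p"].split()), validate=True)
    except ValueError:
        raise PermFail("key syntax error: p= is not valid base64")
    # Unknown tags such as r= and rs= are reported for logging but never fatal.
    return tags, sorted(t for t in tags if t not in KNOWN_KEY_TAGS)


def verify_key_record(record):
    """Outcome as a verifier would report it: 'ok' or 'permfail'."""
    try:
        validate_key_record(record)
        return "ok"
    except PermFail:
        return "permfail"
```

A record shaped like the opendkim-genkey default, "v=DKIM1; k=rsa; r=postmaster; p=...", parses cleanly and reports only "r" as an ignored tag.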
