Re: opendkim-genkey and "r=" tag

From: Giovanni Bajo <rasky_at_develer.com>
Date: Fri, 26 Aug 2011 00:25:47 +0200

Il giorno 25/ago/2011, alle ore 20:08, Murray S. Kucherawy ha scritto:
>> -----Original Message-----
>> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of SM
>> Sent: Thursday, August 25, 2011 10:19 AM
>> To: Giovanni Bajo
>> Cc: opendkim-users_at_lists.opendkim.org
>> Subject: Re: opendkim-genkey and "r=" tag
>>> DKIM specification (http://www.ietf.org/rfc/rfc4871.txt).
>>>
>>> RFC4871 says in 6.1.2.5:
>>>> If the result returned from the query does not adhere to the
>>>> format defined in this specification, the verifier MUST ignore
>>>> the key record and return PERMFAIL (key syntax error). Verifiers
>>>> are urged to validate the syntax of key records carefully to
>>>> avoid attempted attacks. In particular, the verifier MUST ignore
>>>> keys with a version code ("v=" tag) that they do not implement.
>>>
>>> To the best of my understanding, this means that
>>> verifiers adhering to RFC4871 MUST return
>>> PERMFAIL when presented DNS records as produced
>>> by opendkim-genkey by default.
>
> That's not correct. The syntax referred to here is the "tag=value;" list style, and the output of opendkim-genkey conforms to that syntax. Section 3.6.1 of RFC4871 allows for unknown tags:
>
> The overall syntax is a tag-list as described in Section 3.2. The
> current valid tags are described below. Other tags MAY be present
> and MUST be ignored by any implementation that does not understand
> them.
>
> Their presence doesn't break the syntax.

Thanks for the clarification.

>>> In fact, the
>>> gmail verifier does this (as can be inferred by
>>> the header Authentication-Results added by the GMail smtp system).
>
> Not true. The public key record at medusa3._domainkey.blackops.org contains "r=" and "rs=" tags, and Gmail validates it just fine:
>
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of msk_at_blackops.org designates 208.69.40.157 as permitted sender) smtp.mail=msk_at_blackops.org; dkim=pass (test mode) header.i=_at_blackops.org
>
> What error are you getting when you try?

Uhm I was getting "dkim=failed (invalid format)" and the error disappeared when I removed the "r=" tag. But I cannot reproduce this anymore, so I now believe I was simply confused by DNS propagation times while doing several tests.

BTW, these are the headers I get on an e-mail that was sent by my address _at_develer.com, to a mailing-list @lists.develer.com, and then bounced to my address at @gmail.com. They look correct to me, with the double signature, but I'd love a double-check:

Delivered-To: giovannibajo_at_gmail.com
Received: by 10.68.46.134 with SMTP id v6cs14430pbm;
        Thu, 25 Aug 2011 15:14:50 -0700 (PDT)
Received: by 10.227.7.27 with SMTP id b27mr261724wbb.24.1314310489006;
        Thu, 25 Aug 2011 15:14:49 -0700 (PDT)
Return-Path: <depura-bounces_at_lists.develer.com>
Received: from trinity.develer.com (trinity.develer.net [83.149.158.210])
        by mx.google.com with ESMTP id fi20si2760527wbb.11.2011.08.25.15.14.47;
        Thu, 25 Aug 2011 15:14:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of depura-bounces_at_lists.develer.com designates 83.149.158.210 as permitted sender) client-ip=83.149.158.210;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of depura-bounces_at_lists.develer.com designates 83.149.158.210 as permitted sender) smtp.mail=depura-bounces_at_lists.develer.com; dkim=pass header.i=_at_lists.develer.com
Received: from trinity.develer.com (trinity.trilan [10.3.3.1])
        by trinity.develer.com (Postfix) with ESMTP id 483DF621EF7;
        Fri, 26 Aug 2011 00:14:47 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.develer.com;
        s=eolo; t=1314310487;
        bh=x6ppuJA2gCJEg5j/1wKDn31M7UrBDDPLXbHtzJNaIJc=;
        h=From:Date:Message-Id:To:Mime-Version:Subject:Reply-To:List-Id:
         List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
         Content-Type:Content-Transfer-Encoding:Sender;
        b=GOcyK6ksA33wcXPfdD3pXsURLO2cR41bJkFhbMSpIxzKD6z6YTctUDV22+a0THkun
         RRsvLhaIttJ7vwd7JVpzhTduLD8Uic0OOL2cqspGXFUgaPFe7URCa43doOTSCWPSLG
         2oJIM99+3IMOManIH9geU02vJVfRICVtQ1rBenSQ=
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.97 at trinity.develer.com
X-Original-To: depura_at_lists.develer.com
Delivered-To: depura_at_trinity.develer.com
Received: from [192.168.0.110] (93-58-66-108.ip157.fastwebnet.it
 [93.58.66.108]) (Authenticated sender: rasky)
 by trinity.develer.com (Postfix) with ESMTPSA id 35703621EF7
 for <depura_at_lists.develer.com>; Fri, 26 Aug 2011 00:14:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=develer.com;
 s=gongolo; t=1314310485;
 bh=vknaOu017mO2ehLnC12xXLwJFJx/ddOMhBgBjj9sARQ=;
 h=From:Content-Type:Content-Transfer-Encoding:Subject:Date:
 Message-Id:To:Mime-Version;
 b=lVHCQlzwU5TdJxqLuJ1u/z/jGhWLcVXJJpY4wcUH8yYmuaMwVCVtDphownlDPUTyv
 KO1io33bGLcSwwFU2A2UQHiBs8D5Xpfb9EmpXwuPPUiwU5UXhooFkNqEtUTFRONRrY
 8g4h/uM9CuRWWJpXQNHgIRkcmarJ8RWRyPGzKrVs=
From: Giovanni Bajo <rasky_at_develer.com>
Date: Fri, 26 Aug 2011 00:14:43 +0200
Message-Id: <6A89ED07-5A83-4656-8135-A610DF5495E9_at_develer.com>
To: depura_at_lists.develer.com
Mime-Version: 1.0 (Apple Message framework v1244.3)
X-Mailer: Apple Mail (2.1244.3)
Subject: [Depura] test
X-BeenThere: depura_at_lists.develer.com
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: depura_at_lists.develer.com
List-Id: <depura.lists.develer.com>
List-Unsubscribe: <https://lists.develer.com/mailman/options/depura>,
 <mailto:depura-request_at_lists.develer.com?subject=unsubscribe>
List-Archive: <https://lists.develer.com/mailman/private/depura/>
List-Post: <mailto:depura_at_lists.develer.com>
List-Help: <mailto:depura-request_at_lists.develer.com?subject=help>
List-Subscribe: <https://lists.develer.com/mailman/listinfo/depura>,
 <mailto:depura-request_at_lists.develer.com?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: depura-bounces_at_lists.develer.com
Errors-To: depura-bounces_at_lists.develer.com

For the double signing, we simply configured dkim with "SenderHeaders Sender,From", giving precedence to Sender when available (so that it picks up the mailing-list in the bounces). I've seen the Resign* options in opendkim.conf but I'm not sure how they are an improvement over our current setup. Can somebody clarify this maybe?

Thanks!
-- 
Giovanni Bajo   ::  rasky_at_develer.com
Develer S.r.l.  ::  http://www.develer.com
My Blog: http://giovanni.bajo.it
Received on Thu Aug 25 2011 - 22:25:59 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:19 PST