RE: Broken opendkim caching of LDAP result

From: Quanah Gibson-Mount <>
Date: Mon, 07 May 2012 15:22:56 -0700

--On Monday, May 07, 2012 10:05 PM +0000 "Murray S. Kucherawy"
<> wrote:

>> -----Original Message-----
>> From: Quanah Gibson-Mount []
>> Sent: Monday, May 07, 2012 2:45 PM
>> To: Rolf E. Sonneveld; Murray S. Kucherawy
>> Cc:
>> Subject: Re: Broken opendkim caching of LDAP result
>> AD's inability to be a real LDAP server doesn't make my point any less
>> valid. LDAP is designed for fast, scalable reads.
> AD might be why that optional caching layer was added, actually. (I
> can't remember exactly, and this head cold isn't helping!)
> Via a separate compile time option, OpenDKIM can also cache retrieved
> keys to keep the load on DNS down, rather than going to the resolver each
> time something signed is presented for verification.

I can see that the likelyhood of data changing in DNS is probably fairly
low. ;) LDAP generally has a higher rate of change.

In any case, disabling the ldap caching works well. I would put a strong
warning around the LDAP cache option that enabling it requires restarting
opendkim any time you make changes to the LDAP data that could affect


Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration
Received on Mon May 07 2012 - 22:23:23 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:40 PST