opendkim-genkey changes

From: Quanah Gibson-Mount <>
Date: Mon, 05 Nov 2012 15:36:34 -0800

In upgrading from opendkim 2.6.0 to 2.7.1, there appears to have been a
significant change to the defaults when opendkim-genkey is run.
Specifically, it sets "t=s". Per RFC4871, section 3.8, setting this by
default does not appear to be the correct action to take, as it is a "may":

3.8. Signing by Parent Domains

   In some circumstances, it is desirable for a domain to apply a
   signature on behalf of any of its subdomains without the need to
   maintain separate selectors (key records) in each subdomain. By
   default, private keys corresponding to key records can be used to
   sign messages for any subdomain of the domain in which they reside;
   e.g., a key record for the domain example.com can be used to verify
   messages where the signing identity ("i=" tag of the signature) is
   sub.example.com, or even sub1.sub2.example.com. In order to limit
   the capability of such keys when this is not intended, the "s" flag
   may be set in the "t=" tag of the key record to constrain the
   validity of the record to exactly the domain of the signing identity.
   If the referenced key record contains the "s" flag as part of the
   "t=" tag, the domain of the signing identity ("i=" flag) MUST be the
   same as that of the d= domain. If this flag is absent, the domain of
   the signing identity MUST be the same as, or a subdomain of, the d=
   domain. Key records that are not intended for use with subdomains
   SHOULD specify the "s" flag in the "t=" tag.

Is this simply a mistake from moving it from perl to C, or is there an
underlying reasoning as to why this change was made that I'm missing?



Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration
Received on Mon Nov 05 2012 - 23:36:53 PST
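The RFC 4871 section 3.8 rule quoted in the message, applied the way a verifier would apply it to a signature's d= and i= values and the key record it fetched. This is an added example for this archive page, not OpenDKIM's code; the two key records are constructed to mirror what the message describes (a 2.7.1-style record with "t=s" and a record without it), and their p= values are truncated placeholders rather than real public keys.

```python
"""
Added example (not OpenDKIM code): apply the RFC 4871 section 3.8 rule for the
"s" flag in a DKIM key record's t= tag to a signature's d= and i= values.
All key records and identities below are constructed test data; the p= values
are truncated placeholders, not real public keys.
"""

# Constructed records: what opendkim-genkey 2.7.x writes by default (t=s)
# versus a record with no t= tag at all.
KEY_RECORD_WITH_S = "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB"
KEY_RECORD_NO_S = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB"


def parse_tag_list(record):
    """Parse a DKIM tag=value list ('v=DKIM1; k=rsa; t=s; p=...') into a dict.
    Only the first '=' of a field splits it, so base64 padding in p= survives."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        name, _, value = field.partition("=")
        tags[name.strip()] = value.strip()
    return tags


def key_flags(record):
    """Return the set of flags in the key record's t= tag (colon-separated)."""
    t_value = parse_tag_list(record).get("t", "")
    return {flag.strip() for flag in t_value.split(":") if flag.strip()}


def identity_domain(i_tag, d_domain):
    """Domain part of the signature's i= tag; i= defaults to '@<d=>' when absent."""
    if not i_tag:
        return d_domain.lower().rstrip(".")
    return i_tag.rpartition("@")[2].lower().rstrip(".")


def identity_allowed(d_domain, i_tag, record):
    """Return (allowed, reason) per RFC 4871 section 3.8.

    With the "s" flag the i= domain MUST equal d= exactly; without it, the
    i= domain MUST be d= or a subdomain of d=.
    """
    d = d_domain.lower().rstrip(".")
    i_dom = identity_domain(i_tag, d_domain)
    if "s" in key_flags(record):
        if i_dom == d:
            return True, "t=s present and i= domain equals d="
        return False, "t=s present but i= domain %r is not exactly d= %r" % (i_dom, d)
    if i_dom == d or i_dom.endswith("." + d):
        return True, "no s flag; i= domain %r is d= or a subdomain of it" % i_dom
    return False, "i= domain %r is outside d= %r" % (i_dom, d)


if __name__ == "__main__":
    # Constructed cases: the subdomain signer that breaks under t=s is the
    # second and third line versus the first.
    cases = [
        ("example.com", "@sub.example.com", KEY_RECORD_WITH_S),
        ("example.com", "@sub.example.com", KEY_RECORD_NO_S),
        ("example.com", "user@sub1.sub2.example.com", KEY_RECORD_NO_S),
        ("example.com", "", KEY_RECORD_WITH_S),
        ("example.com", "@notexample.com", KEY_RECORD_NO_S),
    ]
    for d, i, rec in cases:
        ok, why = identity_allowed(d, i, rec)
        mode = "t=s" if "s" in key_flags(rec) else "no s"
        print("d=%s i=%-28s [%s] -> %s (%s)"
              % (d, i or "(absent)", mode, "PASS" if ok else "FAIL", why))
```

The practical consequence for the upgrade described above: a parent-domain key published with the new default "t=s" stops verifying any signature whose i= names a subdomain, which is exactly the setup section 3.8 says the flag exists to forbid. Whether that is the right default is the question the message raises; the check shows what a verifier does either way.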