Re: opendkim, "insecure key", dnssec lookups?

From: SM <>
Date: Wed, 25 Sep 2013 12:52:57 -0700

Hi Andreas,
At 12:02 25-09-2013, Andreas Olsson wrote:
>I'm setting up a new mail server, where I'm using opendkim to validate
>dkim signatures on incoming mail. Noticed something in the added
>Authentication-Results header, which made me wonder.
> Authentication-Results:; dkim=pass
> reason="2048-bit key; insecure key"
> header.b=QkUD6aEe;
> dkim-adsp=pass; dkim-atps=neutral
>The "insecure key" part being what I'm wondering about.
> From what I have understood that is due to a lack of DNSSEC validation
>of the public key?


>The thing is that the zone is signed by DNSSEC, and the mail
>server in question uses a DNSSEC capable resolver. If I run the command
>below in a shell on the mail server I will get a response including the
>ad flag.
> dig +dnssec TXT
>Any chance that opendkim for some reason fails to do a DNSSEC lookup due
>to some missing library/package? If so, any suggestion on how to debug
>that, or what (missing) libraries to look for?

opendkim may not have been compiled with libunbound support or it has
not been configured with a TrustAnchorFile.

Received on Wed Sep 25 2013 - 19:53:57 PST
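
The two conditions named in the reply can be checked mechanically. The script below is an added example, not part of the original thread or the OpenDKIM project. It assumes that `opendkim -V` lists `USE_UNBOUND` under its active code options when built with libunbound; the sample inputs, the trust anchor path and the config path in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic sketch: checks the two causes of "insecure key" named above.

# Constructed sample of `opendkim -V` output (assumption: builds linked
# against libunbound list USE_UNBOUND under "Active code options").
SAMPLE_VERSION_OUTPUT='opendkim: OpenDKIM Filter (constructed sample)
    Active code options:
        POLL
        USE_UNBOUND'

# Constructed sample opendkim.conf; the anchor path is a placeholder.
SAMPLE_CONF='# comment line
Domain example.org
#TrustAnchorFile /commented/out.key
TrustAnchorFile   /path/to/root.key'

# Reads `opendkim -V` output on stdin; succeeds if USE_UNBOUND is listed.
has_unbound_support() {
    grep -Eq '^[[:space:]]*USE_UNBOUND[[:space:]]*$'
}

# Reads opendkim.conf text on stdin; prints the last uncommented
# TrustAnchorFile value, or nothing if the setting is absent.
trust_anchor_path() {
    awk 'tolower($1) == "trustanchorfile" { v = $2 }
         END { if (v != "") print v }'
}

# $1 = version output, $2 = config text. Prints one status word.
dnssec_status() {
    if ! printf '%s\n' "$1" | has_unbound_support; then
        echo "no-libunbound"; return
    fi
    anchor=$(printf '%s\n' "$2" | trust_anchor_path)
    if [ -z "$anchor" ]; then
        echo "no-trust-anchor"; return
    fi
    echo "ok:$anchor"
}

# On a live server (the config path is an assumption, adjust as needed):
#   dnssec_status "$(opendkim -V 2>&1)" "$(cat /etc/opendkim.conf)"
dnssec_status "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_CONF"
```

A result of `ok:` only means both settings are present; the trust anchor file itself must still exist and be readable by the opendkim process.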