Re: "unprotected key" with DNSSEC

From: Jim Fenton <>
Date: Tue, 30 Aug 2016 22:03:43 -0700

On 8/30/16 6:31 PM, Claus Assmann wrote:
> On Tue, Aug 30, 2016, Jim Fenton wrote:
>> I sent a test message to myself through a forwarder (I had some problems
>> with the milter config after a Linux upgrade) and now it's signing and
>> verifying, but reporting that the key is unprotected. But my domain is
>> DNSSEC signed, so I wonder why I'm seeing this.
>> Authentication-Results:; dkim=pass
>> reason="1024-bit key; unprotected key"
> This is done on the "authorative" server for the domain, right?
> Then DNSSEC does not consider the answer "secure".

Ah, thank you; that's the problem. Didn't realize there was anything
special about running on the same machine as an authoritative DNS server.
> Check the headers of your mail to the list and you see
> the expected result:
> Authentication-Results:; dkim=pass
> reason="1024-bit key; secure key"
> DNSSEC is funny that way...
> You might want to use one of those "auto-responders" for DKIM
> testing.
Yes, I'll do that. I wasn't sure any of them have DNSSEC-signed zones.

Received on Wed Aug 31 2016 - 05:04:01 PST

This archive was generated by hypermail 2.3.0 : Wed Aug 31 2016 - 05:09:00 PST