Re: "unprotected key" with DNSSEC

From: Christian Kivalo <>
Date: Thu, 01 Sep 2016 07:45:04 +0200

On 2016-09-01 00:10, Benny Pedersen wrote:
> On 2016-08-31 22:48, SM wrote:
>> I haven't read that part of the code recently. It is not optimal to
>> do a check as the file contents rarely change.
> postfix does not need a anchor file to send to dane_only domains, so
> why does opendkim need one ?
> design fails imho
> but i think its still good that opendkim can have its own if
> dnsservers does not support dnssec, then opendkim can do its job on
> its own, in that case the anchor is needed in opendkim, else its waste
> of resources, and possible one runs with outdated anchor
I'd say you don't need the trustanchor for mode=s (signing) but for
mode=v (verification)

> i will not make that fail here

  Christian Kivalo
Received on Thu Sep 01 2016 - 05:45:26 PST

This archive was generated by hypermail 2.3.0 : Thu Sep 01 2016 - 05:54:01 PST