IETF Logo Mail Archive

[Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

Steffen Nurpmeso <steffen@sdaoden.eu> Wed, 06 March 2024 22:44 UTC

Return-Path: <steffen@sdaoden.eu>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CB23C14F69F for <ietf-dkim@ietfa.amsl.com>; Wed, 6 Mar 2024 14:44:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sdaoden.eu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CpydURtHiP3A for <ietf-dkim@ietfa.amsl.com>; Wed, 6 Mar 2024 14:44:53 -0800 (PST)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7A9EC14F680 for <ietf-dkim@ietf.org>; Wed, 6 Mar 2024 14:44:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sdaoden.eu; s=citron; t=1709765091; h=date:author:from:to:subject:message-id:author: from:subject:date:to:cc:in-reply-to:references:message-id; bh=DjlZLl9iAjbj41AoOVTGBNn0AnWkE0boCgS77xkpJWw=; b=BTVdCnA0jZ4olrWyWjhphgvgTxClBGJPHvo+W5JFwcM2eNV6RxdJmwhsVmqv7h7gfb02k9id ovV33nQ3w+0QqCNzdxTnQL9W1zKTaW6Lj9HneT0b1yiW9tmOeBkuKG42EjB+NqjdtM3ECpJfTL fCsVrM2SZ3ItPIKYRzOn5lcPiADk9dNik6cN/NDCLnZR1XkZf70i5NJ5ZAXGalo8TBX+neH8DE SsBQb3AK9q9GHY1Wf19afxsp1RNZ97pSJJIySqwT7R6uloIwiXFU5kzkj67N9QA4zt1uNefDVm 4hxsykLxo5ba5S61dOMBFJqNf7U7vzAjyo/SuPqUiyWkUhsg==
Date: Wed, 06 Mar 2024 23:44:51 +0100
Author: Steffen Nurpmeso <steffen@sdaoden.eu>
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: ietf-dkim@ietf.org
Message-ID: <20240306224451.WnpRQ38z@steffen%sdaoden.eu>
Mail-Followup-To: ietf-dkim@ietf.org
User-Agent: s-nail v14.9.24-608-gfa6c5c5231
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/NJL3gO0dPhWZtfaQ6nVgMaP7n1U>
Subject: [Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 22:44:58 -0000

--- Forwarded from Steffen Nurpmeso <steffen@sdaoden.eu> ---
Date: Wed, 06 Mar 2024 23:43:00 +0100
Author: Steffen Nurpmeso <steffen@sdaoden.eu>
From: Steffen Nurpmeso <steffen@sdaoden.eu>
...
Subject: Re: [..] Recommendation for dkim signing
Message-ID: <20240306224300.AvxERJ7Z@steffen%sdaoden.eu>
...

One. Last. Message. Of mine.

And sorry for all this mostly off-topic noise.

Steffen Nurpmeso wrote in
 <20240306214948.V5gSjSiU@steffen%sdaoden.eu>:
 ...
 |So now that i have DKIM myself i tested.
 |And *no* verification software i can reach actually supports
 |Ed25519-sha256 as of RFC 8463 from September 2018!
 |It is even *worse* than that.
 ...
 |  - Microsoft: fails the DKIM test if a RFC 8463 signature is
 |    present, no matter whether first or last!!!
 |    Is this *really* true?  That is really bad.

      + It even actively fails SHA1 DKIM signatures.
        I know these are deprecated, but if i use a rsa-sha1 and
        a rsa-sha256 signature in that order:

      Authentication-Results: spf=pass (sender IP is 217.144.132.164)
       smtp.mailfrom=sdaoden.eu; dkim=fail (body hash did not verify)
       header.d=sdaoden.eu;dmarc=bestguesspass action=none
       header.from=sdaoden.eu;compauth=pass reason=109

        The *very*same* message/-checkum passes Google:

      Authentication-Results: mx.google.com;
       dkim=pass (test mode) header.i=@sdaoden.eu header.s=lemon header.b=meYlPkTE;
       dkim=pass (test mode) header.i=@sdaoden.eu header.s=citron header.b=Cehr1W9z;
       spf=pass (google.com: domain of steffen@sdaoden.eu designates 217.144.132.164 as permitted sender) smtp.mailfrom=steffen@sdaoden.eu

        Looking at that.  Say, the Microsoft
        Authentication-Results: does not denote its own domain
        name, no?  Ie i could not strip it.  I have not read RFC
        8601 for very too long to know, though.
        They do not look at the h=sha1 of the DNS record, do they.
        They do not look at the a= of the DKIM signature.

  ...
 |  - Place a single signature.
 |
 |  - It must be RSA-sha256.

And exactly only that.

 |RFC 6376 surely would have deserved something better.

Good night, greetings, and
Ciao from Germany,
 -- End forward <20240306224300.AvxERJ7Z@steffen%sdaoden.eu>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

v2.23.0 | Report a Bug | By Email