[Ietf-dkim] DKIM issues (tag "v=DKIM1", tag "p=")
Jan Dušátko <jan@dusatko.org> Tue, 16 May 2023 14:00 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/mA6WQLfVGBG6-j0q6XlIYqpoRQU>
Hi,

I would like to ask how you feel about the possibility of changing the conditions for DKIM keys stored in DNS, ideally in some future RFC release about DKIM itself. I have practical experience from reviewing and cleaning thousands of domains, which is exhausting, and discussing those keys with third parties is sometimes hard. If you would like to discuss that, I can provide some examples.

1) At this moment, the use of the tag "v=DKIM1;" is only RECOMMENDED, and if this tag is used, it must be the first. Unlike, for example, SPF and DMARC, this is not a REQUIRED (MANDATORY) record. When attempting to identify DKIM records, there is a situation where it is not possible to determine which records are DKIM keys. Often, these keys are in other places, where they allow creating a CNAME to the expected location of the selector. These locations may be application dependent or may be part of a third-party configuration. From my perspective, a MANDATORY record "v=DKIM1;" could help to identify DKIM keys much more easily.

2) Is it possible to specify precisely under which conditions the DKIM key is valid? Some third-party records contain only an empty record "", others contain only a revoked key like "p=", or there is a reference to a non-existent record. Unfortunately, the RFCs do not provide unambiguous information on the conditions under which this record is invalid. From my perspective, the use of non-existing records or empty strings can render that key useless, but rules specifying that in an RFC or BCP would be welcome.

3) The "p=key" information containing the key material encoded in Base64 should occur in the key exactly once. I did not find a condition in the RFC for the existence of this record. I found only information on implementation behavior, where "p=", i.e. empty key material, is considered revoked. However, it is not unambiguous whether this approach is acceptable. A specification of those rules would also make my life much easier.
Regards
Jan

--
Jan Dušátko
Tracker number: +420 602 427 840
e-mail: jan@dusatko.org
GPG Signature: https://keys.dusatko.org/E535B585.asc
GPG Encrypt: https://keys.dusatko.org/B76A1587.asc
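As an added illustration, not part of the thread or of any implementation named in it, the checker below applies the RFC 6376 section 3.6.1 key-record rules the message refers to (v= is optional but, if present, must be the first tag and equal DKIM1; a duplicated tag name invalidates the whole tag-list; an empty p= means the key is revoked) and separates the states the author lists: name does not exist, record is an empty string, key revoked, record malformed, key usable. The function names and the state labels are this example's own, and the record text is assumed to be the already concatenated TXT strings from `<selector>._domainkey.<domain>`.

```python
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class KeyStatus:
    state: str   # "missing", "empty", "invalid", "revoked" or "usable" (labels are this example's own)
    reason: str
    tags: dict


def parse_tag_list(txt):
    """Split an RFC 6376 tag=value list into ordered (name, value) pairs; None if malformed."""
    pairs = []
    for field in txt.split(";"):
        if field.strip() == "":
            continue                      # a trailing ';' is permitted
        if "=" not in field:
            return None
        name, value = field.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def classify_key_record(txt):
    """Classify a DKIM key TXT record. txt is None when the name has no TXT record at all."""
    if txt is None:
        return KeyStatus("missing", "no TXT record at the selector name", {})
    if txt.strip() == "":
        return KeyStatus("empty", "record exists but is an empty string", {})
    pairs = parse_tag_list(txt)
    if pairs is None:
        return KeyStatus("invalid", "field without '=' in tag-list", {})
    names = [n for n, _ in pairs]
    if len(names) != len(set(names)):     # RFC 6376 3.2: duplicate tag names invalidate the whole list
        return KeyStatus("invalid", "duplicate tag name", {})
    tags = dict(pairs)
    if "v" in tags:                       # v= is RECOMMENDED; if present it MUST be first and "DKIM1"
        if names[0] != "v":
            return KeyStatus("invalid", "v= present but not the first tag", tags)
        if tags["v"] != "DKIM1":
            return KeyStatus("invalid", "unknown key record version", tags)
    if "p" not in tags:
        return KeyStatus("invalid", "p= tag missing", tags)
    pub = re.sub(r"\s+", "", tags["p"])   # folding whitespace inside the base64 value is allowed
    if pub == "":
        return KeyStatus("revoked", "empty p= means the key is revoked", tags)
    try:
        base64.b64decode(pub, validate=True)
    except (binascii.Error, ValueError):
        return KeyStatus("invalid", "p= is not valid base64", tags)
    return KeyStatus("usable", "syntactically valid key record", tags)
```

Unknown tags such as k= or t= are carried through in `tags` untouched, as the RFC requires verifiers to ignore tags they do not recognise.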