#27 Verifier problem

v0.3.2
closed
5
2006-03-30
2006-01-28
Bert Jansen
No

The verifier program doesn't work as stated in the
internet draft. Testing took me a lot of time because
off dns-caching so i inserted a low TTL.

I discovered the following:

When you put "g=; k=rsa; t=y; p=fooblahblahkey" in
the dns zone file then everything works nicely.

If you want to use it in a production environment and
decided to leave the "t=y" out then all tests will
fail even if it shouldn't.

I made a few dns query's and checked some of the
selectors of sites who offer the possibility to check
the program. All the sites that have a record without
the "t=y" option will fail the verification.

I do not know if this is only related to version
0.3.2 but at this moment it's not following the draft.

Hope you can do something about it.

Kind regards,
Bert Jansen.

Discussion

  • Bert Jansen
    Bert Jansen
    2006-01-28

    • assigned_to: nobody --> sm-msk
     
    • summary: Verifier problem v0.3.2 --> Verifier problem
    • labels: --> Functionality
    • milestone: --> v0.3.2
     
  • Logged In: YES
    user_id=1048957

    Is there anything logged about why each of the attempts is
    failing?

     
  • Bert Jansen
    Bert Jansen
    2006-02-01

    t=y flag tests.

     
  • Bert Jansen
    Bert Jansen
    2006-02-01

    Logged In: YES
    user_id=1438371

    DKDEBUG gives no valuable information so i attached
    a unix textfile containing several testmails about this
    subject.

    Hope that it makes things clear for you.

     
  • Logged In: YES
    user_id=1048957

    These results are unfortunately even more confusing. What
    this tells me is that if you remove test mode from your
    signing policy, you sign things differently. This is
    especially strange because when dk-filter is signing, it
    pays no attention to your signing policy.

    Your report also shows that with "t=y" removed your side
    verifies signed messages properly, so in fact verification
    works in both cases.

    I'll see if I can reproduce this behaviour.

     
  • Bert Jansen
    Bert Jansen
    2006-02-05

    Logged In: YES
    user_id=1438371

    It is confusing but i eliminated the t= flag because when
    i put the following in my DNS:

    selector._domainkey.my.net "g=; k=rsa; p=kkeeyyetcetcetc"
    _domainkey.my.net "o=~"

    Then the tests pass.

    When i put the following in DNS:

    selector._domainkey.my.net "g=; k=rsa; p=kkeeyyetcetcetc"
    _domainkey.my.net "o=-" <<<<< It's the policy flag!

    Then the tests will fail.

    I noticed that in the dklib source this flag is used in
    the verification part and sets dk-signall. But if we sign
    for the whole domain it fails, so i think the function
    exits with a wrong status.

     
  • Logged In: YES
    user_id=1048957

    Again though, this is claiming that if you change your
    signing policy, somehow you sign things differently. Since
    the signing code in dk-milter never checks your signing
    policy (it doesn't have to), and the attachment you included
    shows your side verifying the replies properly both before
    and after the change, there's no evidence (yet) of a bug in
    dk-milter.

    After a closer look at your attachment, it shows that when
    our autoresponder (sendmail.net) replied to you the second
    time, it said you had not attached a signature (note the
    comment on the Authenticatin-Results: header for
    "domainkeys"). If you look at the headers it received,
    there is indeed no signature present.

    Did you make any changes to your command line arguments to
    dk-filter?

     
  • Bert Jansen
    Bert Jansen
    2006-02-08

    Logged In: YES
    user_id=1438371

    Dear Murray,

    There's a little misunderstanding because from the
    beginning on i am talking about what the receiving party
    does. It's the verification part of the milter that
    fetches the dns-record and take the action.

    First I thought that the testflag did it, but after a lot
    of testing and using the absolute minimum in dns, it's
    100% clear to me now. It is the policy flag that causes
    all these trouble and after reading the libdk-source it's
    clear to me that at this moment the program is broken.

    A new textfile containing the last tests and info will
    absolutely convince you that i'm right.

    Regards,
    Bert.

     
  • Bert Jansen
    Bert Jansen
    2006-02-08

    policy flag problem

     
  • Logged In: YES
    user_id=1048957

    Based on that second attachment:

    In your original messages, your DomainKey-Signature: header
    is being appended close to the end of your message. Under
    the DK specification, that header must be prepended because
    the headers it protects must come after it.

    The signing code for dk-filter explicitly prepends those
    headers (using a call to smfi_insheader(), which was
    expressly added for this purpose). My guess is there's a
    mismatch in versions between your libmilter and/or MTA and
    dk-filter which is resulting in the signature header being
    appended rather than prepended.

    The "no signature" is a little puzzling though.

     
    • status: open --> closed
     
  • Logged In: YES
    user_id=1048957

    Marked "pending", awaiting a response from the author.

     
    • status: closed --> pending
     
  • Logged In: YES
    user_id=1312539

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
    • status: pending --> closed