#20 check public DKIM key before signing

v2.3.0
closed-accepted
7
2007-11-30
2007-10-12
Daniel Black
No

A problem for new users may be if they deploy dkim-milter without putting their public key in DNS first.

Suggestion

During startup and/or before signing a message for the first time, verify that the public key is the same as the selector dkim-milter is about to sign.

Discussion

  • Daniel Black
    2007-10-12

    Logged In: YES
    user_id=612034
    Originator: YES

    The _ssp could also be checked as well and grounds for a loudish warning if it's missing.

     
    • milestone: --> v2.3.0
    • priority: 5 --> 4
    • assigned_to: nobody --> sm-msk
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    Not a bad idea. Might go in a separate tool binary though.

     
  • Daniel Black
    2007-10-13

    Logged In: YES
    user_id=612034
    Originator: YES

    I'm 1/2 way through a dkim-milter inline patch.

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    I came up with this last night. There's one new file in libdkim/ and one new file in dkim-filter/ which makes use of it. I'll post Makefile.m4 changes (or perhaps a complete patch) as well in a bit though you may figure them out yourself before I get that done.

    This is more of a proof-of-concept than something official.
    File Added: dkim-test.c

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    File Added: testkey.c

     
  • Daniel Black
    2007-10-16

    Logged In: YES
    user_id=612034
    Originator: YES

    Nice start. Yes, I've worked out the make changes. I'm adding a dkim_test_domain function to libdkim and a standalone testdomain.c. I'll test your code a bit too.

     
    • priority: 4 --> 7
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    There exist an increasing number of reasons to do it as a standalone tool, and do so soon, so I'll very likely go that route.

    The two files I posted show the concept but need a lot more in the way of diagnostics and reporting, as well as a man page or other documentation.

    Some version of one of our solutions will almost certainly appear in 2.4.0 which is now planned for mid-November.

     
  • Daniel Black
    2007-10-17

    testdomain - _ssp parser stand alone tool

     
  • Daniel Black
    2007-10-17

    Logged In: YES
    user_id=612034
    Originator: YES

    Standalone lookup of policy for a domain. I guess next step is to print out the set of tags.

    I'm thinking the gentoo.org result is incorrect as it seems to be parsing SPF records and treating them as a valid policy. The mandatory (draft-ietf-dkim-ssp-01, 4.3) txt dkim= tag probably should be checked.

    $ ./testdomain gentoo.org
    Policy for domain gentoo.org is top-level domain

    $ ./testdomain yahoo.com
    Policy for domain yahoo.com is policy "unknown"

    File Added: testdomain.c

     
  • Daniel Black
    2007-10-17

    patch to libdkim/dkim-test.c

     
  • Daniel Black
    2007-10-17

    Logged In: YES
    user_id=612034
    Originator: YES

    File Added: patch

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    A "dkim-testkey" utility is now a part of the upcoming 2.4.0 release. Thanks for your suggestion!

    Looking at your other files now.

     
  • Proposed patch #2 (libdkim/dkim-test.c)

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    I've rolled a "dkim-testssp" program based on your code. I'll attach the latest files now and delete the old ones.
    File Added: dkim-test.c

     
  • Proposed patch #2 (libdkim/dkim-test.h)

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    File Added: dkim-test.h

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    File Added: dkim-testkey.c

     
  • Proposed patch #2 (dkim-filter/dkim-testkey.c)

     
  • Proposed patch #2 (dkim-filter/dkim-testssp.c)

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    File Added: dkim-testssp.c

     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    v2.4.0 released, containing new "dkim-testkey" and "dkim-testssp" utilities (and corresponding man pages).

     
    • status: open --> closed-accepted
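
The pre-signing check requested in this ticket, as an added Python sketch (not part of the thread, and not the code of dkim-testkey or dkim-milter). It assumes the selector's TXT record has already been fetched from DNS and that the local public key is a PEM file as written by `openssl rsa -pubout`; the function names and the sample key bytes are constructed for illustration.

```python
import base64
import binascii

def parse_tags(txt):
    """Split a DKIM tag=value list into a dict; whitespace inside p= is folding."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    if "p" in tags:
        tags["p"] = "".join(tags["p"].split())
    return tags

def pem_to_der(pem):
    """Return the DER bytes inside a PEM public key block."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def check_key_record(txt, local_pub_pem):
    """Return (ok, reason) for one selector TXT record; txt is None if DNS had none."""
    if txt is None:
        return False, "no TXT record published for this selector"
    tags = parse_tags(txt)
    if "p" not in tags:  # e.g. an SPF record found at the same name
        return False, "not a DKIM key record (no p= tag)"
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unsupported record version"
    if tags.get("k", "rsa") != "rsa":
        return False, "key type is not rsa"
    if tags["p"] == "":
        return False, "key revoked (empty p=)"
    try:
        published = base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return False, "p= is not valid base64"
    if published != pem_to_der(local_pub_pem):
        return False, "published key differs from the signing key"
    return True, "match"

# Constructed sample data: stand-in bytes, not a real RSA key.
SAMPLE_DER = bytes(range(48))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n" + SAMPLE_B64 + "\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print(check_key_record("v=DKIM1; k=rsa; p=" + SAMPLE_B64, SAMPLE_PEM))
    print(check_key_record("v=spf1 mx -all", SAMPLE_PEM))
```

A signer can run this at startup and log a loud warning, or refuse to sign, on any result other than a match.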