#27 Verifier problem

Bert Jansen

The verifier program doesn't work as stated in the
internet draft. Testing took me a lot of time because
of DNS caching, so I inserted a low TTL.

I discovered the following:

When you put "g=; k=rsa; t=y; p=fooblahblahkey" in
the DNS zone file, then everything works nicely.

If you want to use it in a production environment and
decide to leave the "t=y" out, then all tests will
fail even though they shouldn't.

I made a few DNS queries and checked some of the
selectors of sites that offer the possibility to check
the program. All the sites that have a record without
the "t=y" option will fail the verification.

I do not know if this is only related to version
0.3.2, but at this moment it's not following the draft.

Hope you can do something about it.

Kind regards,
Bert Jansen.


  • Bert Jansen - 2006-01-28
    • assigned_to: nobody --> sm-msk
  • Anonymous - 2006-01-30
    • summary: Verifier problem v0.3.2 --> Verifier problem
    • labels: --> Functionality
    • milestone: --> v0.3.2
  • Anonymous - 2006-01-30

    Is there anything logged about why each of the attempts is

  • Bert Jansen - 2006-02-01

    DKDEBUG gives no valuable information, so I attached
    a Unix text file containing several test mails about this.

    Hope that it makes things clear for you.

  • Anonymous - 2006-02-01

    These results are unfortunately even more confusing. What
    this tells me is that if you remove test mode from your
    signing policy, you sign things differently. This is
    especially strange because when dk-filter is signing, it
    pays no attention to your signing policy.

    Your report also shows that with "t=y" removed your side
    verifies signed messages properly, so in fact verification
    works in both cases.

    I'll see if I can reproduce this behaviour.

  • Bert Jansen - 2006-02-05

    It is confusing, but I eliminated the t= flag because when
    I put the following in my DNS:

    selector._domainkey.my.net "g=; k=rsa; p=kkeeyyetcetcetc"
    _domainkey.my.net "o=~"

    Then the tests pass.

    When I put the following in DNS:

    selector._domainkey.my.net "g=; k=rsa; p=kkeeyyetcetcetc"
    _domainkey.my.net "o=-" <<<<< It's the policy flag!

    Then the tests will fail.

    I noticed that in the dklib source this flag is used in
    the verification part and sets dk-signall. But if we sign
    for the whole domain it fails, so I think the function
    exits with a wrong status.

  • Anonymous - 2006-02-06

    Again though, this is claiming that if you change your
    signing policy, somehow you sign things differently. Since
    the signing code in dk-milter never checks your signing
    policy (it doesn't have to), and the attachment you included
    shows your side verifying the replies properly both before
    and after the change, there's no evidence (yet) of a bug in

    After a closer look at your attachment, it shows that when
    our autoresponder (sendmail.net) replied to you the second
    time, it said you had not attached a signature (note the
    comment on the Authentication-Results: header for
    "domainkeys"). If you look at the headers it received,
    there is indeed no signature present.

    Did you make any changes to your command line arguments to

  • Bert Jansen - 2006-02-08

    Dear Murray,

    There's a little misunderstanding, because from the
    beginning I have been talking about what the receiving party
    does. It's the verification part of the milter that
    fetches the DNS record and takes the action.

    First I thought that the test flag did it, but after a lot
    of testing and using the absolute minimum in DNS, it's
    100% clear to me now. It is the policy flag that causes
    all this trouble, and after reading the libdk source it's
    clear to me that at this moment the program is broken.

    A new text file containing the last tests and info will
    absolutely convince you that I'm right.


  • Anonymous - 2006-03-06

    Based on that second attachment:

    In your original messages, your DomainKey-Signature: header
    is being appended close to the end of your message. Under
    the DK specification, that header must be prepended because
    the headers it protects must come after it.

    The signing code for dk-filter explicitly prepends those
    headers (using a call to smfi_insheader(), which was
    expressly added for this purpose). My guess is there's a
    mismatch in versions between your libmilter and/or MTA and
    dk-filter which is resulting in the signature header being
    appended rather than prepended.

    The "no signature" is a little puzzling though.

  • Anonymous - 2006-03-16
    • status: open --> closed
  • Anonymous - 2006-03-16

    Marked "pending", awaiting a response from the author.

  • Anonymous - 2006-03-16
    • status: closed --> pending
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

  • SourceForge Robot

    • status: pending --> closed

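The records that the report and the 2006-02-05 comment put in DNS are DomainKeys TXT records: a selector key record at selector._domainkey.<domain> (tags g=, k=, t=, p=) and a domain policy record at _domainkey.<domain> (o=~ meaning "some mail from this domain is signed", o=- meaning "all mail is signed", and t=y for testing mode). The Python below is an added example, not dk-milter or libdk code, and it performs no cryptographic check: it parses both record types and returns the verdict that the tag semantics of the DomainKeys draft (as published in RFC 4870) call for, given whether a signature was present and whether it verified. The records, the placeholder key material, the function names and the verdict labels are constructed for this example.

```python
"""Added example: DomainKeys selector/policy record parsing and verdict logic.

Not dk-milter/libdk code. Tag semantics follow the DomainKeys draft (RFC 4870);
the records below are constructed and the key material is a placeholder.
"""
from __future__ import annotations

# Constructed records mirroring the thread's two configurations (placeholder key).
SELECTOR_TESTING = "g=; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQplaceholder"
SELECTOR_PROD = "g=; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQplaceholder"
POLICY_SOME_SIGNED = "o=~"   # default: some mail from the domain is signed
POLICY_ALL_SIGNED = "o=-"    # all mail from the domain is signed


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a dict (values may be empty)."""
    tags: dict[str, str] = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag {field!r}")
        name, value = field.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def parse_selector(record: str) -> dict:
    """Parse <selector>._domainkey.<domain>; p= is mandatory, t=y means testing."""
    tags = parse_tags(record)
    if not tags.get("p"):
        raise ValueError("selector record has no public key (p= tag)")
    return {
        "g": tags.get("g", "*"),      # granularity; not evaluated in this example
        "k": tags.get("k", "rsa"),
        "p": tags["p"],
        "t": set(tags.get("t", "")),  # flag characters; 'y' = testing mode
    }


def parse_policy(record: str | None) -> dict:
    """Parse _domainkey.<domain>; a missing record means the defaults (o=~)."""
    tags = parse_tags(record) if record else {}
    outbound = tags.get("o", "~")
    if outbound not in ("~", "-"):
        raise ValueError(f"unknown o= value {outbound!r}")
    return {"o": outbound, "t": set(tags.get("t", ""))}


def verifier_verdict(selector_txt, policy_txt, signature_present, signature_valid):
    """Return (verdict, reason) with verdict in {'pass', 'fail', 'neutral'}.

    signature_valid is the outcome of the cryptographic check, which this
    example does not perform; the function only applies the record semantics:
      - a verified signature passes;
      - a signature that fails, or whose selector has no key record, fails;
      - unsigned mail is neutral under o=~ but fails under o=-;
      - t=y on the policy record, or on the selector record when a signature
        is present, downgrades any failure to neutral (treat as unsigned).
    """
    policy = parse_policy(policy_txt)
    testing = "y" in policy["t"]
    if signature_present:
        if selector_txt is None:
            verdict, reason = "fail", "no key record found for the selector"
        else:
            selector = parse_selector(selector_txt)
            testing = testing or "y" in selector["t"]
            if signature_valid:
                return "pass", "signature verified"
            verdict, reason = "fail", "signature did not verify"
    elif policy["o"] == "-":
        verdict, reason = "fail", "no signature, but policy o=- says all mail is signed"
    else:
        return "neutral", "no signature, and policy o=~ permits unsigned mail"
    if testing:
        return "neutral", reason + "; domain is in testing mode (t=y), treat as unsigned"
    return verdict, reason


if __name__ == "__main__":
    cases = [
        ("signed, verifies", True, True),
        ("signed, bad signature", True, False),
        ("unsigned", False, False),
    ]
    for policy in (POLICY_SOME_SIGNED, POLICY_ALL_SIGNED):
        for selector in (SELECTOR_TESTING, SELECTOR_PROD):
            flag = "t=y" if "t=y" in selector else "   "
            for label, present, valid in cases:
                verdict, reason = verifier_verdict(selector, policy, present, valid)
                print(f"policy {policy:<4} {flag} {label:<22} -> {verdict:<8} ({reason})")
```

Run as a script, it prints the verdict for both DNS configurations from the thread against a message that verifies, one whose signature fails, and one that carries no signature at all. A message that verifies passes under either policy; the case that flips from neutral to fail when o=~ becomes o=- is the unsigned one, which is the situation the 2006-03-06 comment describes for the autoresponder's second reply, where no DomainKey-Signature: header was present.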