Open link2xt opened 5 months ago
Let's close this for now as not planned. We also have SSH server keys and TLS keys which are generated on the server. SSH keys are difficult to rotate unless you create a CA or use DANE. For TLS I am not sure if acmetool rotates it, opened an issue with a question: https://github.com/hlandau/acmetool/issues/350
Reopening the issue. It seems to be feasible to rotate DKIM keys automatically by asking the admin to delegate the `_domainkey` subdomain to `config.domain_name` and running `nsd` locally just for this purpose. The only manual action needed is then setting up the NS record once.
This will actually simplify the setup for admins because copying the DKIM key is usually difficult, especially if the DNS provider has a bad web UI for this.
Debian has a `dkim-rotate` package described here: https://diziet.dreamwidth.org/16025.html
We cannot expect admins to rotate the key or change DNS records after setting up a server, but there should be some way to do it. E.g. a command `cmdeploy dns` can always suggest adding the next key and then, if the corresponding DKIM public key is already deployed, make the server switch to it. Then just running `cmdeploy dns` from time to time and deploying the DKIM records it suggests will rotate the keys at least eventually.
For reference: https://www.m3aawg.org/DKIMKeyRotation
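The two ideas above (a locally served `_domainkey` zone, and a "suggest the next key, switch once it is live" check) as one added example. This is illustration code written for this thread, not chatmail's `cmdeploy` code; it assumes selectors named `s1`, `s2`, ... , stands in a deterministic hash blob for a real RSA public key, and takes the DNS TXT lookup as an injected function so it runs offline.

```python
"""Added example: DKIM selector rotation state machine plus an nsd-style
zone rendering for a delegated _domainkey zone. Not cmdeploy's code."""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

KeyPair = Tuple[str, str]  # (selector, base64 public key)


def make_key(seed: str) -> str:
    # Stand-in for real RSA key generation (assumption for this example):
    # a deterministic blob so the example is reproducible offline.
    return base64.b64encode(hashlib.sha256(seed.encode()).digest()).decode()


def next_selector(selector: str) -> str:
    # Selectors are assumed to look like s1, s2, ...; bump the number.
    return "s" + str(int(selector[1:]) + 1)


def dkim_txt(pubkey_b64: str) -> str:
    # RFC 6376 tag list for a DKIM1 RSA key record.
    return f"v=DKIM1; k=rsa; p={pubkey_b64}"


def zone_txt(value: str) -> str:
    # Zone-file TXT data must be split into quoted strings of <=255 bytes;
    # a 2048-bit RSA key record is longer than that, so always chunk.
    return " ".join(f'"{value[i:i + 255]}"' for i in range(0, len(value), 255))


@dataclass
class RotationState:
    domain: str
    active: KeyPair
    next: Optional[KeyPair] = None
    retired: List[KeyPair] = field(default_factory=list)


def suggest_records(state: RotationState) -> dict:
    """Records that must be published: the active selector plus the proposed
    next one, so the next key is already resolvable before we switch to it."""
    recs = {f"{state.active[0]}._domainkey.{state.domain}": dkim_txt(state.active[1])}
    if state.next:
        recs[f"{state.next[0]}._domainkey.{state.domain}"] = dkim_txt(state.next[1])
    return recs


def rotate_if_deployed(state: RotationState,
                       lookup_txt: Callable[[str], List[str]]) -> bool:
    """Switch signing to the next selector only when its TXT record is live
    and matches the key we proposed; then propose a fresh next key."""
    if state.next is None:
        return False
    name = f"{state.next[0]}._domainkey.{state.domain}"
    if dkim_txt(state.next[1]) not in lookup_txt(name):
        return False  # not yet deployed (or a different key): keep signing as is
    state.retired.append(state.active)  # keep the old record a while for in-flight mail
    state.active = state.next
    new_sel = next_selector(state.active[0])
    state.next = (new_sel, make_key("seed-" + new_sel))
    return True


def render_zone(state: RotationState, ttl: int = 3600) -> str:
    """Render the delegated _domainkey zone that a local nsd could serve."""
    lines = [
        f"$ORIGIN _domainkey.{state.domain}.",
        f"$TTL {ttl}",
        f"@ IN SOA ns.{state.domain}. hostmaster.{state.domain}. (1 3600 900 604800 300)",
        f"@ IN NS ns.{state.domain}.",
    ]
    for sel, key in [state.active] + ([state.next] if state.next else []):
        lines.append(f"{sel} IN TXT {zone_txt(dkim_txt(key))}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    st = RotationState("example.org", active=("s1", make_key("k1")),
                       next=("s2", make_key("k2")))
    print(render_zone(st))
    live = suggest_records(st)  # pretend the admin deployed what we suggested
    rotate_if_deployed(st, lambda n: [live[n]] if n in live else [])
    print("now signing with", st.active[0], "next proposed", st.next[0])
```

The retired list is kept on purpose: a selector should stay published until mail signed with it has stopped being verified, and only then be removed from the zone.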