deltachat / chatmail

chatmail service deployment scripts and docs
https://delta.chat/en/2023-12-13-chatmail
MIT License

DKIM key rotation #195

Open link2xt opened 5 months ago

link2xt commented 5 months ago

We cannot expect admins to rotate the key or change DNS records after setting up a server, but there should be some way to do it. E.g., a command cmdeploy dns could always suggest adding the next key and then, if the corresponding DKIM public key is already deployed, make the server switch to it. Then just running cmdeploy dns from time to time and deploying the DKIM records it suggests will rotate the keys at least eventually.

For reference: https://www.m3aawg.org/DKIMKeyRotation

link2xt commented 4 months ago

Let's close this for now as not planned. We also have SSH server keys and TLS keys which are generated on the server. SSH keys are difficult to rotate unless you create a CA or use DANE. For TLS I am not sure if acmetool rotates it, opened an issue with a question: https://github.com/hlandau/acmetool/issues/350

link2xt commented 3 weeks ago

Reopening the issue. It seems to be feasible to rotate DKIM keys automatically by asking the admin to delegate the _domainkey subdomain to config.domain_name and running nsd locally just for this purpose. The only manual action needed is then setting up the NS record once.

This will actually simplify the setup for admins, because copying a DKIM key is usually difficult, especially if the DNS provider has a bad web UI for this.

Debian has a dkim-rotate package described here: https://diziet.dreamwidth.org/16025.html