lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

dkim-verifier blocks thunderbird until finished #53

Closed h1618 closed 8 years ago

h1618 commented 8 years ago

I noticed that loading of the email body is delayed when dkim-verifier checks the signature. This is especially visible when there is a DNS timeout (e.g. due to errors in DNSSEC, local unbound will not respond): this freezes Thunderbird itself, until the timeout is over or DNSSEC resolution is fixed. This should never happen: the dkim-verifier thread must not block.

lieser commented 8 years ago

I will try to make the add-on non-blocking, but it may take some time.

Until then, I recommend that you enable the caching of the DKIM keys (in Options > General). This should reduce the number of times a DNS query is needed by a lot.

Also note that only the libunbound resolver seems to block on a timeout. So if you can live without the indication in the add-on that a key is not secured by DNSSEC, you could change the resolver to the default JavaScript DNS library until this is fixed.

h1618 commented 8 years ago

Thank you for your quick reply. Indeed, I use the libunbound resolver, and would like to keep it - DNSSEC adds significant value to DKIM (public key derived from proven DNS). I will try caching - this should not add much uncertainty, as at least the cached DNS is verified.

Thanks - h1618

lieser commented 8 years ago

About the caching: This should have absolutely no negative impact on security. Not just the DKIM key is cached, but also whether the key was protected by DNSSEC or not, so you can still enable the DNSSEC warning in the advanced options if you want.

About the resolver: If I understood you correctly, you use a local unbound server. This server should already verify DNSSEC and should only return data which is either authenticated or insecure ("Insecure data is data which it is known can never be either Authenticated or found Bad", quote from the RFC). Data which fails the authentication should be filtered out by the server. So as long as an attacker is not able to compromise the connection between the add-on and the local DNS server, it should not have a big negative impact on security. The only thing you should lose is the ability to distinguish between authenticated and insecure data.

Don't get me wrong, using a DNSSEC-aware resolver like libunbound is definitely the best for security. Just wanted to let you know that as long as you use a local DNSSEC-aware server, the negative security impact by using a non-DNSSEC-aware resolver may be lower than you thought.

lieser commented 8 years ago

A correction of my statement about security if caching is enabled: I was a little hasty and forgot about the ability to revoke a DKIM key. If caching is enabled, such a revocation will not be noticed. Therefore, unlike previously stated, enabling caching can have a negative impact on security.
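
The caching trade-off described in the comments above (a cached key keeps its DNSSEC status, but a revocation goes unnoticed while the cached entry is served), as an added example that is not part of the original thread and not the add-on's own code. It assumes a hypothetical `DkimKeyCache` with a maximum entry age; the class and function names, record contents and timestamps are constructed for illustration.

```javascript
// Added example: hypothetical cache, not the add-on's own implementation.
// Each entry keeps the key, the DNSSEC result and the fetch time, so a cached
// answer still says whether it was DNSSEC-secured and expires after maxAgeMs.

// Parse a DKIM key record (RFC 6376, section 3.6.1). An empty p= tag means
// the key has been revoked.
function parseKeyRecord(txt) {
  const tags = new Map();
  for (const part of txt.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) tags.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  if (!tags.has("p")) throw new Error("DKIM key record has no p= tag");
  const publicKey = tags.get("p").replace(/\s+/g, "");
  return { publicKey, revoked: publicKey === "" };
}

class DkimKeyCache {
  constructor(maxAgeMs) {
    this.maxAgeMs = maxAgeMs;
    this.entries = new Map();
  }
  // Record a fresh DNS answer; `secure` is the resolver's DNSSEC verdict.
  store(name, txt, secure, now) {
    const entry = { ...parseKeyRecord(txt), secure, fetchedAt: now };
    this.entries.set(name, entry);
    return entry;
  }
  // Return the cached entry, or null when it is missing or older than
  // maxAgeMs, in which case the caller has to query DNS again.
  lookup(name, now) {
    const entry = this.entries.get(name);
    if (!entry || now - entry.fetchedAt >= this.maxAgeMs) return null;
    return entry;
  }
}

// Constructed scenario: the key is fetched at t=0 and revoked in DNS later.
function demo() {
  const name = "sel1._domainkey.example.org"; // constructed selector/domain
  const hour = 3600 * 1000;
  const cache = new DkimKeyCache(24 * hour);
  cache.store(name, "v=DKIM1; k=rsa; p=BASE64KEYPLACEHOLDER", true, 0);
  const duringWindow = cache.lookup(name, 2 * hour); // old key still served
  const afterExpiry = cache.lookup(name, 25 * hour); // null: forces a re-query
  const refreshed = cache.store(name, "v=DKIM1; k=rsa; p=", true, 25 * hour);
  return { duringWindow, afterExpiry, refreshed };
}
```

The maximum age bounds how long a revoked key can still be accepted from the cache; the revocation itself only becomes visible once the entry has expired and the record is fetched again.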

lieser commented 8 years ago

This will be fixed in the next version (1.4.0). You can already download a pre-release from https://github.com/lieser/dkim_verifier/releases.