lvicainne / puppet-opendkim

Puppet module for opendkim
https://forge.puppetlabs.com/lvicainne/opendkim

2048-bit RSA SHA256 keys are not fully supported #27

Open GertjanBijl opened 2 years ago

GertjanBijl commented 2 years ago

We use 2048-bit RSA SHA256 keys for DKIM, and we run into the issue that the txt-file containing the public-key is not useful for us.

I see that the public-key erb is pretty straight-forward, but it results in a faulty result when a 2048-bit key is used, since BIND cannot handle records longer than 255 bytes. It needs to be split up like:

someselector._domainkey    IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MII..6C"
          "Ga..AB" )

Also, when creating keys using the SHA256 hash, the hash-type should be included in the record, which is currently not possible. When creation takes place with the following command: /usr/sbin/opendkim-genkey -b 2048 --hash-algorithms=sha256 -D /etc/opendkim/keys/<domain> -d <domain> -s <selector>, we need the DNS-record to look like:

someselector._domainkey    IN      TXT     ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MII..6C"
          "Ga..AB" )

Since this file is not really doing anything for the OpenDKIM process itself, it would also be an option not to manage this file at all, so I can optionally create and manage it myself outside the module, for example with a publickey_manage boolean or by making the public key optional. The nicest way would be to be able to optionally define a hash type. As far as I know sha1 is the default when not defined.

SHA1 for DKIM is considered obsolete per RFC 8301 and must not be used anymore. The same document states that "Signers SHOULD use RSA keys of at least 2048 bits."

cruelsmith commented 3 months ago

31 added the support to set the hash-type and also a not-so-nice way via publickeyextended for longer keys.