dkim-ops

Re: [dkim-ops] blackops.org fixed

2006-06-09 04:14:07
On Thu, 8 Jun 2006, Murray S. Kucherawy wrote:

> On Thu, 8 Jun 2006, Dan Mahoney, System Admin wrote:
>
>> Apologies for the horrid wrapping, but I'm not seeing the right header here:
>>
>> There should still be an Authentication-Results header if it's failing, yes?
>
> As coded right now, that header is added on failed verifications only if it got as far as deciding if the signature was both present and able to be verified. In this case the latter condition was not met so no header was added.
>
> In particular, your published key record contains the tag "g=" with no value. According to base-02 (and in fact I think all of the DKIM drafts), that matches no users, so the key was used by an unauthorized user and thus the signature was to be ignored. dkim-filter therefore acted like there was no signature present.

AAH!  Shite!

This is DIFFERENT from what I've seen in some of the domainkeys drafts, which state:

g = granularity of the key (the default of '' = all domain, which
        means that any left-hand-side of the @ is valid with this
        DomainKey)

        (Though not yet defined, one possible interpretation for
        non-empty values is that they could represent a Base64 SHA1
        fingerprint of the email address used to identify the sending
        domain. This, though, does not handle the notion of tagged
        addresses as well as one would like.)

Does this necessarily mean I should have to use a different key for dkim and domainkeys? Does the domainkeys spec understand *?

Oh, I see where I got it.  The INSTALL file in the dkim-milter tarball:

    (iii) Add a TXT DNS record containing the base64 encoding of your public
          key, which is everything between the BEGIN and END lines in the
          rsa.public file generated above, with spaces and newlines removed.
          It should be in this form:

          "g=; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ=="

> If you change it to "g=*" (match all users, which is the default), you should get a result.

I've done this.  Just waiting for DNS to propagate.

Apologies to anyone else listening for the signal-to-noise ratio here, btw. Moving this conversation mid-flow to a different list didn't seem like it would make sense.

-Dan

--

"The first annual 5th of July party...have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."

--Cali and Gushi, 6/23/02


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
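As an added illustration (not code from this thread, from dkim-milter, or from either spec), here is a small Python model of the two "g=" interpretations the thread contrasts: DKIM treats an absent g= as "*" and an empty g= as matching no local-part, while DomainKeys treats an empty g= as matching every local-part. The record string and local-parts used are constructed sample values.

```python
import re


def parse_key_record(txt: str) -> dict:
    """Parse a DKIM/DomainKeys TXT key record ("tag=value; tag=value") into a dict.

    A tag may legitimately carry an empty value (the "g=;" case from the
    thread), so an empty string is kept rather than dropped. Only the first
    "=" splits a field, so base64 padding in p= survives intact.
    """
    tags = {}
    for field in txt.split(";"):
        if not field.strip():
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip()] = value.strip()
    return tags


def dkim_granularity_matches(tags: dict, local_part: str) -> bool:
    """DKIM semantics (RFC 4871 and the base drafts): g= defaults to "*";
    an empty g= never matches; a single optional "*" matches zero or more
    characters. local_part is the local-part of the signature's i= tag
    (the empty string when i= is absent)."""
    g = tags.get("g", "*")
    if g == "":
        return False
    if g.count("*") > 1:
        raise ValueError("g= may contain at most one wildcard")
    pattern = ".*".join(re.escape(part) for part in g.split("*"))
    return re.fullmatch(pattern, local_part) is not None


def domainkeys_granularity_matches(tags: dict, local_part: str) -> bool:
    """DomainKeys semantics (RFC 4870): an empty or absent g= matches every
    local-part; a non-empty value must equal the local-part exactly."""
    g = tags.get("g", "")
    return g == "" or g == local_part


def accepted_by_both(txt: str, local_part: str) -> bool:
    """True only if a record shared between DKIM and DomainKeys verifiers
    authorizes local_part under both interpretations."""
    tags = parse_key_record(txt)
    return dkim_granularity_matches(tags, local_part) and \
        domainkeys_granularity_matches(tags, local_part)
```

Running the thread's own "g=; k=rsa; ..." form through `accepted_by_both` shows why a record that satisfies a DomainKeys verifier can still yield a silent DKIM failure.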

_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
