ietf-dkim

Re: [ietf-dkim] need for clarification

2015-01-27 13:26:40

Steve Atkins:

From an operational perspective I experience no drawback using 4k RSA
keys for DKIM.

How do you know?

Not for sure. There was a feature to request reports in opendkim. Some people
used that and I got mostly no unexpected reports. Today DMARC reports
are a good source too.
I have some smaller "send only" domains. The DMARC reports also show
mostly positive results.

So there's no reason to use anything bigger than 2048 bits for DKIM,
I don't believe. I'd be far more concerned about other attacks on the
system, or even on the RSA algorithm, than I would be about people
brute-forcing 2048 bit keys this decade.

That's the point. The RFC doesn't make that clear enough.
It leaves one side open.

How big is your DNS TXT record?
# dig J4bWGJQcBmxMQ._domainkey.andreasschulze.de. txt
;; Truncated, retrying in TCP mode.
...
;; MSG SIZE  rcvd: 851

Andreas
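
Why a 4k key leads to the truncated UDP answer seen in the dig output above, as an added example that is not part of the original message: a Python estimate of the minimum DNS response size for a DKIM key record at different RSA key sizes. The selector name, the minimal record contents (`v=DKIM1; k=rsa; p=` only), the exponent 65537 and the absence of EDNS0 are assumptions.

```python
UDP_LIMIT = 512  # classic DNS-over-UDP message limit without EDNS0 (RFC 1035)
TXT_PREFIX = "v=DKIM1; k=rsa; p="  # assumed minimal record, no optional tags

def der_tlv(content_len):
    """Total size of a DER element (tag + length + content)."""
    if content_len < 128:
        return 2 + content_len
    return 2 + (content_len.bit_length() + 7) // 8 + content_len

def der_uint(bit_len):
    """Size of a DER INTEGER holding a positive value of bit_len bits."""
    return der_tlv(bit_len // 8 + 1)  # room for the sign bit

def spki_der_len(bits, exponent=65537):
    """Size of the DER SubjectPublicKeyInfo that goes base64-encoded into p=."""
    rsa_key = der_tlv(der_uint(bits) + der_uint(exponent.bit_length()))
    bit_string = der_tlv(1 + rsa_key)            # 1 byte "unused bits" count
    alg_id = der_tlv(der_tlv(9) + der_tlv(0))    # rsaEncryption OID + NULL
    return der_tlv(alg_id + bit_string)

def txt_rdata_len(bits):
    """TXT RDATA size: text split into character-strings of at most 255 bytes."""
    text = len(TXT_PREFIX) + 4 * ((spki_der_len(bits) + 2) // 3)
    return text + (text + 254) // 255            # one length byte per string

def qname_wire_len(name):
    """Wire size of a domain name: length-prefixed labels plus the root byte."""
    return sum(len(label) + 1 for label in name.rstrip(".").split(".")) + 1

def min_response_size(name, bits):
    """DNS header + question + one TXT answer using a compressed owner name."""
    question = qname_wire_len(name) + 4          # QTYPE + QCLASS
    answer = 2 + 10 + txt_rdata_len(bits)        # pointer, type/class/TTL/rdlength
    return 12 + question + answer

def fits_classic_udp(name, bits):
    """True if the minimal response fits a 512-byte UDP message."""
    return min_response_size(name, bits) <= UDP_LIMIT

if __name__ == "__main__":
    name = "selector._domainkey.example.com"     # constructed name
    for bits in (1024, 2048, 4096):
        size = min_response_size(name, bits)
        print(f"{bits}-bit key: >= {size} bytes, fits 512-byte UDP: {size <= UDP_LIMIT}")
```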

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html