[dkim-ops] blackops.org fixed

Dan Mahoney, System Admin danm at prime.gushi.org
Fri Jun 9 02:08:19 PDT 2006


On Thu, 8 Jun 2006, Murray S. Kucherawy wrote:

> On Thu, 8 Jun 2006, Dan Mahoney, System Admin wrote:
>> Apologies for the horrid wrapping, but I'm not seeing the right header 
>> here:
>> 
>> There should still be an Authentication-Results header if it's failing, 
>> yes?
>
> As coded right now, that header is added on failed verifications only if it 
> got as far as deciding if the signature was both present and able to be 
> verified.  In this case the latter condition was not met so no header was 
> added.
>
> In particular, your published key record contains the tag "g=" with no value. 
> According to base-02 (and in fact I think all of the DKIM drafts), that 
> matches no users, so the key was used by an unauthorized user and thus the 
> signature was to be ignored.  dkim-filter therefore acted like there was no 
> signature present.

AAH!  Shite!

This is DIFFERENT from what I've seen in some of the domainkeys drafts, 
which state:

g = granularity of the key (the default of '' = all domain, which
         means that any left-hand-side of the @ is valid with this
         DomainKey)

         (Though not yet defined, one possible interpretation for
         non-empty values is that they could represent a Base64 SHA1
         fingerprint of the email address used to identify the sending
         domain. This, though, does not handle the notion of tagged
         addresses as well as one would like.)

Does this necessarily mean I should have to use a different key for dkim 
and domainkeys?  Does the domainkeys spec understand *?

Oh, I see where I got it.  The INSTALL file in the dkim-milter tarball:

     (iii) Add a TXT DNS record containing the base64 encoding of your public
           key, which is everything between the BEGIN and END lines in the
           rsa.public file generated above, with spaces and newlines removed.
           It should be in this form:

           "g=; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ=="

> If you change it to "g=*" (match all users, which is the default), you should 
> get a result.

I've done this.  Just waiting for DNS to propagate.

Apologies to anyone else listening for the signal-to-noise ratio here, 
btw.  Moving this conversation mid-flow to a different list didn't seem 
like it would make sense.

-Dan

--

"The first annual 5th of July party...have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."

--Cali and Gushi, 6/23/02


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
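Added example (not code from the list, dkim-milter, or any of the spec authors): a small Python check of how the same public-key TXT record from the thread is read under the DKIM base drafts versus the DomainKeys draft, using "danm" as the signing local-part; the p= value is a constructed placeholder.

```python
def parse_key_record(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; an empty value stays as ''."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip()] = value.strip()
    return tags


def dkim_granularity_matches(tags: dict, local_part: str) -> bool:
    """DKIM base drafts (later RFC 4871): g= defaults to '*' only when the tag
    is ABSENT; a present but empty g= matches no local-part at all. A single
    '*' wildcard matches zero or more characters."""
    g = tags.get("g", "*")
    if g == "":
        return False
    if "*" not in g:
        return g == local_part
    head, _, tail = g.partition("*")
    if "*" in tail:
        return False  # more than one wildcard is not permitted
    return (local_part.startswith(head) and local_part.endswith(tail)
            and len(local_part) >= len(head) + len(tail))


def domainkeys_granularity_matches(tags: dict, local_part: str) -> bool:
    """DomainKeys (RFC 4870): g= defaults to '', and '' means every local-part
    is valid; a non-empty value must match the local-part exactly."""
    g = tags.get("g", "")
    return g == "" or g == local_part


def verify_key_for(record: str, local_part: str) -> dict:
    """Evaluate one record against one signing local-part under both specs."""
    tags = parse_key_record(record)
    return {"dkim": dkim_granularity_matches(tags, local_part),
            "domainkeys": domainkeys_granularity_matches(tags, local_part)}


# Constructed records for this added example: the INSTALL form and the fixed one.
AS_INSTALLED = "g=; k=rsa; t=y; p=PLACEHOLDER_BASE64_KEY"
FIXED = "g=*; k=rsa; t=y; p=PLACEHOLDER_BASE64_KEY"

print(verify_key_for(AS_INSTALLED, "danm"), verify_key_for(FIXED, "danm"))
```

The first record is accepted by a DomainKeys verifier and silently ignored by a DKIM verifier, which is exactly the missing Authentication-Results header described above.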
