Hi,
I would like to ask how you feel about the possibility of changing the conditions for DKIM keys stored in DNS, ideally in some future RFC release about DKIM itself. I have practical experience from reviewing and cleaning up thousands of domains, which is exhausting, and discussing those keys with third parties is sometimes hard. If you would like to discuss this, I can provide some examples.

1) At this moment, the use of the tag "v=DKIM1;" is only RECOMMENDED, and if this tag is used, it must be the first. Unlike, for example, SPF and DMARC, this is not a REQUIRED (MANDATORY) record. When attempting to identify DKIM records, there are situations where it is not possible to determine which records are DKIM keys. Often these keys are in other places, from which a CNAME is created to the expected location of the selector. These locations may be application dependent or may be part of a third party's configuration. From my perspective, a MANDATORY "v=DKIM1;" tag would help to identify DKIM keys much more easily.

2) Is it possible to specify precisely under which conditions the DKIM key is valid? Some third-party records contain only an empty record "", others contain only a revoked key like "p=", or they are a reference to a non-existent record. Unfortunately, the RFCs do not provide unambiguous information on the conditions under which this record is invalid. From my perspective, the use of non-existent records or empty strings can render the key useless, but rules specifying this in an RFC or BCP would be welcome.

3) The "p=key" information, containing the key material encoded in Base64, should occur in the key exactly once. I did not find a condition in the RFC for the existence of this record. I found only information on implementation behaviour, where "p=", i.e. empty key material, is considered revoked. However, it is not unambiguous whether this approach is acceptable. Specification of these rules would also make my life much easier.

Regards

Jan

--
-- --- ----- -
Jan Dušátko

Tracker number: +420 602 427 840
e-mail:         j...@dusatko.org
GPG Signature:  https://keys.dusatko.org/E535B585.asc
GPG Encrypt:    https://keys.dusatko.org/B76A1587.asc

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
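Added illustration, not code from the original post or from the IETF DKIM working group: a small Python classifier that applies the RFC 6376 section 3.6.1 rules the post touches on (v= is optional but must be first and must read DKIM1; p= is required and an empty p= means the key is revoked; a duplicated tag name invalidates the whole tag-list) to a constructed in-memory zone, including CNAME indirection to a third-party name, a dangling CNAME and a CNAME loop. The zone contents, the names under example.com and vendor.example, and the helper functions are assumptions made for the example; a real audit tool would replace the dictionary lookup with an actual DNS query.

```python
"""Classify DKIM key records per RFC 6376 section 3.6.1.

Added illustration (not code from the original post). DNS answers come
from a constructed in-memory zone so the script runs offline; the names
under example.com and vendor.example are made up.
"""
import base64
import binascii
import re

TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
MAX_CNAME_DEPTH = 8

# Constructed public-key blob (64 filler bytes) so that p= is well-formed base64.
VALID_P = base64.b64encode(bytes(range(64))).decode()

# Constructed zone: name -> ("TXT", [strings]) or ("CNAME", target).
# Names absent from the dict stand for NXDOMAIN / no answer.
FAKE_DNS = {
    "good._domainkey.example.com": ("TXT", ["v=DKIM1; k=rsa; ", "p=" + VALID_P]),
    "nover._domainkey.example.com": ("TXT", ["k=rsa; p=" + VALID_P]),
    "revoked._domainkey.example.com": ("TXT", ["v=DKIM1; p="]),
    "empty._domainkey.example.com": ("TXT", [""]),
    "vlast._domainkey.example.com": ("TXT", ["k=rsa; p=" + VALID_P + "; v=DKIM1"]),
    "dup._domainkey.example.com": ("TXT", ["v=DKIM1; p=" + VALID_P + "; p=" + VALID_P]),
    "badb64._domainkey.example.com": ("TXT", ["v=DKIM1; p=not*base64"]),
    "alias._domainkey.example.com": ("CNAME", "dkim-key1.vendor.example"),
    "dkim-key1.vendor.example": ("TXT", ["v=DKIM1; p=" + VALID_P]),
    "dangling._domainkey.example.com": ("CNAME", "retired-key.vendor.example"),
    "loop._domainkey.example.com": ("CNAME", "loop._domainkey.example.com"),
}


def parse_tag_list(text):
    """Parse an RFC 6376 section 3.2 tag-list into an insertion-ordered dict.

    Returns None when a tag-spec has no '=', a tag name is malformed, or a
    tag name repeats: the RFC says a duplicate makes the entire list invalid.
    """
    specs = text.split(";")
    if specs[-1].strip() == "":
        specs.pop()  # a single trailing ';' is permitted by the grammar
    tags = {}
    for spec in specs:
        if "=" not in spec:
            return None
        name, value = spec.split("=", 1)
        name, value = name.strip(), value.strip()
        if not TAG_NAME.match(name) or name in tags:
            return None
        tags[name] = value
    return tags


def verdict(status, reason, chain, key=b""):
    return {"status": status, "reason": reason, "chain": chain, "key_bytes": key}


def classify(name, dns=FAKE_DNS):
    """Resolve a key record name and return valid / revoked / missing / invalid."""
    chain, seen, cur = [name], set(), name
    while True:  # follow CNAMEs to wherever the third party keeps the key
        if cur in seen or len(chain) > MAX_CNAME_DEPTH:
            return verdict("invalid", "CNAME loop or chain too long", chain)
        seen.add(cur)
        rr = dns.get(cur)
        if rr is None:
            return verdict("missing", "name does not exist (NXDOMAIN / no TXT)", chain)
        rtype, data = rr
        if rtype != "CNAME":
            break
        cur = data
        chain.append(cur)
    text = "".join(data)  # section 3.6.2.2: concatenate the TXT strings
    tags = parse_tag_list(text)
    if tags is None:
        return verdict("invalid", "malformed tag-list or duplicate tag name", chain)
    if "v" in tags:
        if next(iter(tags)) != "v":
            return verdict("invalid", "v= present but not the first tag", chain)
        if tags["v"] != "DKIM1":
            return verdict("invalid", f"unsupported version {tags['v']!r}", chain)
    if "p" not in tags:
        return verdict("invalid", "no p= tag (empty or non-DKIM record)", chain)
    p = "".join(tags["p"].split())  # folding whitespace inside base64 is allowed
    if p == "":
        return verdict("revoked", "empty p= means the key has been revoked", chain)
    try:
        key = base64.b64decode(p, validate=True)
    except binascii.Error:
        return verdict("invalid", "p= is not valid base64", chain)
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return verdict("invalid", f"unknown key type k={tags['k']}", chain)
    note = "" if "v" in tags else "no v= tag; accepted only because p= is present"
    return verdict("valid", note, chain, key)


if __name__ == "__main__":
    for name in FAKE_DNS:
        if name.endswith("example.com"):
            r = classify(name)
            print(f"{name:38} {r['status']:8} {r['reason']}  via {' -> '.join(r['chain'])}")
```

The "nover" case is the one the post complains about: without a v= tag the record is only recognisable as a DKIM key by the presence of p=, so a scanner that is not already pointed at the `_domainkey` name has nothing to key on. The "empty", "dangling" and "revoked" cases are the three shapes of dead record mentioned in point 2, and the classifier keeps them apart because a verifier treats them differently (no key, no record at all, and an explicitly revoked key).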