Subject: Re: DNS Admin writeup for DKIM use (was Re: IETF approves DKIM)
From: Richard Rognlie
Date: Wed, 28 Feb 2007 19:39:31 -0500
To: Dave Crocker

On Wed, Feb 28, 2007 at 04:27:02PM -0800, Dave Crocker wrote:
> YES!!
>
> Thanks.
>
> And by the way, "a fair number"? I didn't know there were that many DKIM
> sites, yet.
>
> In any event, how would you like to proceed?

From the dkim-milter (0.5.2 available on sourceforge, 0.6.0 coming soon)
INSTALL guide...

You need to generate a signing key for each domain that you will be
signing for. There is gentxt.csh which will do the following:

  - generate a private key file (PEM format)
  - extract the public key from it
  - create a DNS entry suitable for pasting in a bind zone file

e.g.

  /home/rrognlie/cvs/filters/dkim-milter-0.6.0.dev/dkim-filter/gentxt.csh foobar foo.com

  foobar._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLxFg8I9nnK+YwPLdLCNEkOV3opb6X5qb9/CW32Ik1mFfB0B+sbETlTUjnBzeJ7GdYw0Td4bvzxZp5bX41MkdFUDiZdj46oNLmf5Fqo2/yCZC3+X+jDAHlP7Xfp8YHgCa3/Qj358oEPytTblXnBxgshFS/4hsSmgOWNUjZ32zkxwIDAQAB" ; ----- DKIM foobar for foo.com

In this case, it generated foobar.private and foobar.public, and printed
out the bind-ism.

The alternative is to gen your own key pair using openssl, and then
manually create the DNS entry.

  (i)   % openssl genrsa -out rsa.private 1024

  (ii)  % openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

  (iii) Add a TXT DNS record containing the base64 encoding of your public
        key, which is everything between the BEGIN and END lines in the
        rsa.public file generated above, with spaces and newlines removed.
        It should be in this form:

          "g=*; k=rsa; t=y; p=MFwwDQYJ...AwEAAQ=="

        ...using, of course, your own public key's base64 data. The name
        of the TXT record should be SELECTOR._domainkey.example.com (where
        "SELECTOR" is the name you chose and "example.com" is your domain
        name). You might want to set a short TTL on this record.

Reload your nameserver so that the record gets published.

For a translation of the parameter and value pairs shown here, see the
draft spec; basically this just announces an RSA public key and also
declares that your site is using this key in test mode, so nobody should
take any real action based on success or failure of the use of this key
to verify a message.

And finally, in the dkim milter itself, you tell it that you're signing
for domain foo.com, and using the "selector" foobar:

  dkim-milter -h -l -p SOCKETSPEC -d foo.com -k foobar.private -s foobar

> d/
>
> Richard Rognlie wrote:
>> Still looking for help?
>>
>> I've set up a fair number of DKIM deployments and have done the "build
>> the key pair.. and get it in DNS" two step a few times.
>>
>> On Fri, Feb 23, 2007 at 01:23:08PM -0800, Dave Crocker wrote:
>>> By the way, folks, I'm looking for someone to write a 'how to' guide, for
>>> administering popular DNS tools, like bind. I don't know nearly enough
>>> about the software to write it myself, but I believe DNS admin is the
>>> biggest barrier for large-scale adoption of DKIM.
>>>
>>> For anyone with the requisite technical knowledge, but who is not
>>> inclined towards spiffy writing, I'm glad to collaborate. You do the
>>> hard part and I'll do the wordsmithing...
>>>
>>> d/
>>>
>>> --
>>>
>>>   Dave Crocker
>>>   Brandenburg InternetWorking
>>>   bbiw.net
>
> --
>
>   Dave Crocker
>   Brandenburg InternetWorking
>   bbiw.net

--
 / \__  | Richard Rognlie / Sendmail Ninja / Gamerz.NET Lackey
 \__/ \ | http://www.gamerz.net/~rrognlie
 / \__/ | Creator of pbmserv@gamerz.net
 \__/   | Helping reduce world productivity since 1994
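The following Python script is an added example, not part of this thread and not code from dkim-milter or gentxt.csh. It performs step (iii) of the openssl procedure described above (strip the BEGIN/END lines and whitespace from the PEM public key, wrap the base64 in a `v=DKIM1; k=rsa; t=y; p=...` TXT value named SELECTOR._domainkey.DOMAIN) and adds the check a DNS admin wants before reloading the nameserver: that the published value parses back into tags, that p= decodes to a DER RSA SubjectPublicKeyInfo, and whether t=y test mode is still set. It generalizes slightly beyond the 1024-bit key in the message by splitting values longer than 255 octets into several quoted strings, which bind concatenates; the function names (`pem_to_p`, `build_txt_record`, `parse_txt_value`, `check_dkim_record`, `is_test_mode`) are this example's own, and the sample key is the foobar public key printed above, re-wrapped into PEM form.

```python
import base64
import re

# Sample input for this example: the foobar public key shown in the message
# (the p= value gentxt.csh printed), re-wrapped at 64 columns into the PEM
# form that "openssl rsa -pubout" writes. Constructed for illustration only.
SAMPLE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLxFg8I9nnK+YwPLdLCNEkOV3o
pb6X5qb9/CW32Ik1mFfB0B+sbETlTUjnBzeJ7GdYw0Td4bvzxZp5bX41MkdFUDiZ
dj46oNLmf5Fqo2/yCZC3+X+jDAHlP7Xfp8YHgCa3/Qj358oEPytTblXnBxgshFS/
4hsSmgOWNUjZ32zkxwIDAQAB
-----END PUBLIC KEY-----
"""

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1); the
# SubjectPublicKeyInfo of an RSA key always carries it.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

# One <character-string> inside TXT RDATA holds at most 255 octets (RFC 1035).
# Longer values (e.g. 2048-bit keys) are published as several quoted strings
# that the DKIM verifier concatenates.
TXT_STRING_MAX = 255


def pem_to_p(pem: str) -> str:
    """Step (iii): everything between the BEGIN and END lines, with
    spaces and newlines removed."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def build_txt_record(selector: str, domain: str, pem: str,
                     testing: bool = True) -> str:
    """Return a bind zone-file line in the shape gentxt.csh prints
    (v=DKIM1; k=rsa; t=y; p=...), split into 255-octet strings if needed."""
    tags = ["v=DKIM1", "k=rsa"]
    if testing:
        tags.append("t=y")          # test mode: verifiers must not act on results
    tags.append("p=" + pem_to_p(pem))
    value = "; ".join(tags)
    chunks = [value[i:i + TXT_STRING_MAX]
              for i in range(0, len(value), TXT_STRING_MAX)]
    quoted = " ".join('"%s"' % c for c in chunks)
    return "%s._domainkey.%s. IN TXT %s" % (selector, domain, quoted)


def parse_txt_value(rdata: str) -> dict:
    """Join the quoted strings of a TXT RDATA (or whole zone line) and split
    the result into tag=value pairs; whitespace inside values is ignored."""
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    value = "".join(strings) if strings else rdata
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")
        tags[name.strip()] = "".join(val.split())
    return tags


def check_dkim_record(rdata: str) -> list:
    """Return the problems found in a selector record; an empty list means
    the record announces a usable RSA key."""
    problems = []
    tags = parse_txt_value(rdata)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:              # binascii.Error is a ValueError
            problems.append("p= is not valid base64")
        else:
            if not der.startswith(b"\x30") or RSA_ENCRYPTION_OID not in der:
                problems.append("p= is not a DER SubjectPublicKeyInfo for an RSA key")
    return problems


def is_test_mode(rdata: str) -> bool:
    """True when the t= flags include y, i.e. the key is still in test mode."""
    flags = parse_txt_value(rdata).get("t", "")
    return "y" in [f.strip() for f in flags.split(":")]


if __name__ == "__main__":
    record = build_txt_record("foobar", "foo.com", SAMPLE_PUBLIC_PEM)
    print(record)
    print("problems:", check_dkim_record(record) or "none")
    print("test mode:", is_test_mode(record))
```

Run it against the rsa.public file from step (ii) by reading that file into the `pem` argument; once the record is live, paste the TXT value the nameserver actually returns into `check_dkim_record` to confirm nothing was lost when the zone was edited, and drop `testing` to False when the site is ready to leave t=y behind.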