5

I set up the OpenDKIM milter to work with Postfix on my machine. Now email is signed and verified correctly, i.e. the email source shows a DKIM-Signature header.

The TXT record on the authoritative DNS is set up like this:

┌───┐
│ # │ root > server > ~
└─┬─┘
  └─> delv -t txt dkim-domain._domainkey.domain.eu
...
...
dkim-domain._domainkey.domain.eu. 1780 IN TXT   "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8drA4hH8gJaVpLaHhtQonhpOeanMo/oPmrAVehP3lBYAjsoxifCIclLqJo7kk0maelqu9SIN9ttQ0boCzEiQBMO1" "c1P+Sj/PxphZB71c8VNhqMJ32VG6Ky3ZD4Tds39Vye/wsWdi+842MUT3Z2dJnxS2AAG4pSkjaytFPCs0J94OUQC0tDErbnsMZh+gg+7IsYgND8FR/cRDzpXjD0qFJk4Cnc1q27WorPAGAiRsRfLt9u" "gkYgQRwapnofmKJ3hk/L8096YR7gan60L4+RGojsx5ppTdIEhYasyK9MokefmVeNyGwVXTJchqG8vhcg9uGjGy9mPiPg4B2TQgEBPwyQIDAQAB"
...
...

So at first glance everything is okay, but when I run the diagnostics on my machine it says this:

┌───┐
│ # │ root > server > ~
└─┬─┘
  └─> opendkim-testkey -d domain.eu -s dkim-domain -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'dkim-pistam._domainkey.pistam.eu'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Note the key not secure answer. I read in this answer that the warning exists because DNSSEC is not enabled. But DNSSEC for my domain domain.eu is enabled, according to DNSViz.


ADD:

It may be that the topic I linked to earlier is misleading, because I later read an answer here suggesting that the warning is due to too permissive privileges on the key pair! I set user rights on the key pair and their folder like this:

┌───┐
│ # │ root > server > ~
└─┬─┘
  └─> ls -l /etc/opendkim/keys/
total 8
-rw------- 1 opendkim opendkim 1675 Dec 30 08:45 dkim-rsa-private.key
-rw------- 1 opendkim opendkim  451 Dec 30 08:46 dkim-rsa-public.key

┌───┐
│ # │ root > server > ~
└─┬─┘
  └─> ls -ld /etc/opendkim/keys/
drwx------ 2 opendkim opendkim 4096 Jan  1 07:18 /etc/opendkim/keys/

So it should be secure... But it is not.

71GA

  • Apparently the same question was asked [here before](https://serverfault.com/q/834576). I’ve tried answering it there. – glts Jan 04 '21 at 15:52
  • @glts I see. In my case the `dig` command shows the `ad` flag, so I must use the `TrustAnchorFile /path/to/root.key` parameter inside `/etc/opendkim.conf`. Because I am using the [Unbound](https://www.nlnetlabs.nl/projects/unbound/about/) resolver I should probably follow [this](https://www.icann.org/dns-resolvers-checking-current-trust-anchors), [this](https://www.icann.org/dns-resolvers-checking-current-trust-anchors#Unbound) and [this](https://www.icann.org/dns-resolvers-updating-latest-trust-anchor#Unbound)... What do you think? Will this also fix the `opendkim` warning? – 71GA Jan 04 '21 at 18:36
  • I don't know exactly why it doesn't work for you. I also run Unbound locally. In /etc/opendkim.conf I have two relevant settings, `TrustAnchorFile /usr/share/dns/root.key` and `Nameservers 127.0.0.1` (on Ubuntu 20.04). In any case I do get `key secure` for my domain ... – glts Jan 04 '21 at 18:42
  • @glts Have you tweaked any settings inside `/etc/unbound/unbound.conf`? I have not. – 71GA Jan 04 '21 at 18:53
  • No, just `apt install unbound` I think – glts Jan 04 '21 at 19:00
  • In my case Unbound has a root key here `/var/lib/unbound/root.key`. Should this same key be used in `opendkim`? If you maybe know? – 71GA Jan 04 '21 at 19:37
  • I don't know. In Debian/Ubuntu the trust anchor file is provided by a dedicated package `dns-root-data` ... – glts Jan 04 '21 at 19:53
  • This package is installed alongside packages that I can list using `apt-cache rdepends dns-root-data`. This lists packages e.g. `unbound`, `opendkim`, `bind9`... So `dns-root-data` is installed on my system and it provides files that I can list with `dpkg-query -L dns-root-data`. Among the files is the *root zone's trust anchor* `/usr/share/dns/root.key`. Now I also updated Unbound's *root zone's trust anchor* by using `unbound-anchor` and it updated `/var/lib/unbound/root.key`. I used `vimdiff /var/lib/unbound/root.key /usr/share/dns/root.key` and confirmed that the keys are similar. – 71GA Jan 04 '21 at 20:17
  • But probably I have to use `/usr/share/dns/root.key` inside `opendkim` as it can read this file because of the file permissions. – 71GA Jan 04 '21 at 20:19
  • The only thing I had to add was `TrustAnchorFile /usr/share/dns/root.key` inside `/etc/opendkim.conf`. Now the warning is gone. If you can post an answer here I will accept it. – 71GA Jan 04 '21 at 20:51
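Two things in the thread are worth checking by hand before touching the OpenDKIM configuration: that the published TXT record is a well-formed DKIM key record (the three quoted strings must be joined before the `p=` value is decoded), and whether your resolver actually sets the `ad` (authenticated data) flag, which is what separates `key OK` from `key secure`. The script below is an added example, not code from the question or from OpenDKIM. The TXT rdata is copied from the `delv` output in the question; the two `dig` header lines are constructed samples, and the DER walker is a minimal hand-written one that assumes the `p=` value is an RSA `SubjectPublicKeyInfo`, which is the only key type the record declares (`k=rsa`).

```python
import base64
import re

# TXT rdata copied from the question's delv output: three quoted strings that
# the resolver returned for dkim-domain._domainkey.domain.eu.
SAMPLE_TXT_RDATA = (
    '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8drA4hH8gJaVpLaHhtQonhpOeanMo/oPmrAVehP3lBYAjsoxifCIclLqJo7kk0maelqu9SIN9ttQ0boCzEiQBMO1" '
    '"c1P+Sj/PxphZB71c8VNhqMJ32VG6Ky3ZD4Tds39Vye/wsWdi+842MUT3Z2dJnxS2AAG4pSkjaytFPCs0J94OUQC0tDErbnsMZh+gg+7IsYgND8FR/cRDzpXjD0qFJk4Cnc1q27WorPAGAiRsRfLt9u" '
    '"gkYgQRwapnofmKJ3hk/L8096YR7gan60L4+RGojsx5ppTdIEhYasyK9MokefmVeNyGwVXTJchqG8vhcg9uGjGy9mPiPg4B2TQgEBPwyQIDAQAB"'
)

# Constructed dig header lines: a validating resolver sets "ad" for a signed
# zone; a non-validating resolver (or an unsigned zone) does not.
DIG_HEADER_VALIDATED = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"
DIG_HEADER_UNVALIDATED = ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"


def join_txt_strings(rdata):
    """Concatenate the quoted character-strings of a TXT RR (RFC 6376 3.6.2.2)."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def parse_dkim_tags(record):
    """Split 'tag=value; tag=value' into a dict, trimming whitespace (RFC 6376 3.2)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def der_tlv(buf, off=0):
    """Read one DER tag/length/value at buf[off]; return (tag, value, next_offset)."""
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:                      # long-form length: next n bytes hold it
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    else:
        length, hdr = first, 2
    return tag, buf[off + hdr:off + hdr + length], off + hdr + length


def rsa_key_bits(p_value):
    """Decode the base64 p= tag (DER SubjectPublicKeyInfo) and return the modulus size."""
    spki = base64.b64decode(p_value, validate=True)
    tag, body, _ = der_tlv(spki)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _algid, off = der_tlv(body)        # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = der_tlv(body, off)
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    _, rsa_body, _ = der_tlv(bitstr[1:])  # skip the unused-bits octet of the BIT STRING
    tag, modulus, _ = der_tlv(rsa_body)   # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    assert tag == 0x02, "RSAPublicKey.modulus must be an INTEGER"
    return int.from_bytes(modulus, "big").bit_length()


def check_record(rdata):
    """Return (tags, problems) for a DKIM key record; an empty problem list is good."""
    tags = parse_dkim_tags(join_txt_strings(rdata))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present must be DKIM1
        problems.append("unexpected v= tag")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported k= tag")
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
    return tags, problems


def dig_flags(header_line):
    """Extract the header flags from a dig ';; flags:' line."""
    m = re.search(r";; flags: ([a-z ]*);", header_line)
    return set(m.group(1).split()) if m else set()


def dnssec_status(header_line):
    """Same distinction opendkim-testkey draws: only a validated answer is 'secure'."""
    return "key secure" if "ad" in dig_flags(header_line) else "key not secure"


if __name__ == "__main__":
    tags, problems = check_record(SAMPLE_TXT_RDATA)
    print("problems:", problems or "none")
    print("RSA modulus bits:", rsa_key_bits(tags["p"]))
    print(dnssec_status(DIG_HEADER_VALIDATED), "/", dnssec_status(DIG_HEADER_UNVALIDATED))
```

Run it against your own record by pasting the rdata from `dig +short TXT selector._domainkey.example` into `SAMPLE_TXT_RDATA`, and the `;; flags:` line from `dig +dnssec` into `dnssec_status`. If the record parses and the `ad` flag is present at the resolver but `opendkim-testkey` still says `key not secure`, the problem is on the OpenDKIM side (it is not validating itself), not in DNS.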

1 Answer

5

As also explained in my other answer, key not secure in this context indicates that OpenDKIM was not able to authenticate the key using DNSSEC.

You have to ensure that OpenDKIM can make use of DNSSEC. For example, on Debian and Ubuntu, the default /etc/opendkim.conf file contains the following setting, which enables DNSSEC capabilities:

TrustAnchorFile /usr/share/dns/root.key
glts
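A small audit of the settings the answer and the comments converge on, written as an added example rather than anything from the answer or from the OpenDKIM project: it parses an `opendkim.conf`, reports when `TrustAnchorFile` is missing or unreadable, and checks that the file it points to actually contains a root-zone DS or DNSKEY record, which is what the `dns-root-data` package provides in `/usr/share/dns/root.key`. The configuration fragments and the trust-anchor file are constructed samples (the DS digest is a placeholder, not a real root KSK digest), and the `load` callable is an assumption that lets the check run against files that do not exist on the machine running it.

```python
import os
import re
import tempfile

# Constructed root.key in the DS-record format dns-root-data ships; the digest
# is a placeholder and must not be used as a real trust anchor.
SAMPLE_ROOT_KEY = (
    ". IN DS 00000 8 2 "
    "0000000000000000000000000000000000000000000000000000000000000000\n"
)

# Constructed /etc/opendkim.conf fragment without DNSSEC support.
CONF_WITHOUT_ANCHOR = """\
# OpenDKIM configuration (constructed sample, Debian-style layout)
Syslog          yes
Domain          domain.eu
Selector        dkim-domain
KeyFile         /etc/opendkim/keys/dkim-rsa-private.key
"""

# A root-zone trust anchor line: ". [TTL] [IN] DS|DNSKEY ..." (Unbound's
# root.key uses the DNSKEY form, dns-root-data the DS form).
ROOT_ANCHOR_RE = re.compile(r"^\.\s+(?:\d+\s+)?(?:IN\s+)?(?:DS|DNSKEY)\s", re.M)


def parse_opendkim_conf(text):
    """Parse 'Name value' lines; names are lower-cased since OpenDKIM ignores case."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def read_file_or_none(path):
    """Default loader: file contents, or None when the file cannot be read."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def audit_dnssec_support(conf_text, load=read_file_or_none):
    """Return findings that explain a 'key not secure' result; empty list means OK."""
    settings = parse_opendkim_conf(conf_text)
    anchor = settings.get("trustanchorfile")
    if not anchor:
        return ["TrustAnchorFile is not set: OpenDKIM cannot validate DNSSEC, so "
                "opendkim-testkey reports 'key not secure' even for a signed zone"]
    content = load(anchor)
    if content is None:
        return [f"TrustAnchorFile {anchor} is not readable (check path and permissions)"]
    if not ROOT_ANCHOR_RE.search(content):
        return [f"TrustAnchorFile {anchor} contains no root-zone DS/DNSKEY record"]
    return []


def demo():
    """Run the audit before and after adding TrustAnchorFile; returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        anchor_path = os.path.join(tmp, "root.key")
        with open(anchor_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_ROOT_KEY)
        before = audit_dnssec_support(CONF_WITHOUT_ANCHOR)
        after = audit_dnssec_support(CONF_WITHOUT_ANCHOR + f"TrustAnchorFile {anchor_path}\n")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("without TrustAnchorFile:", before)
    print("with TrustAnchorFile:   ", after or "no findings")
```

On a real host, call `audit_dnssec_support(open("/etc/opendkim.conf").read())` as the user OpenDKIM runs under (`opendkim` on Debian and Ubuntu), so the readability check reflects the milter's own permissions rather than root's.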