Issue is fixed. It was a record formatting issue in BIND that clipped the record (before the one that only showed v=DKIM1).

I route several domains through this box. Is there any issue with using the same private key and published public key for each domain? Formatting the DNS record is a PITA.

Sorry for the flurry of questions. Thanks for the heads up to chase down DNS.

Eric

> On Mar 31, 2021, at 4:22 PM, Eric Germann <ekgerm...@semperen.com> wrote:
>
> Fixed that now. I was working on wrapping in the DNS to get it to load.
>
> Eric
>
>> On Mar 31, 2021, at 3:11 PM, Dossy Shiobara <do...@panoptic.com> wrote:
>>
>> On 3/31/21 12:57 PM, Eric Germann wrote:
>>> [...]
>>> In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain
>>>
>>> [...]
>>>
>>> My public key is published in the DNS for XXXX.com.
>>> I've verified it's there by doing a "dig @nameserver
>>> dkim._domainkey.XXXX.com +short". It matches
>>> what is in the DKIM generator.
>>
>> You tried to obscure the domain name but you missed redacting it one place.
>> If that domain name is the actual one you're working with, then your DNS
>> entry is incomplete:
>>
>> ```
>> $ dig dkim._domainkey.semperen.com txt +short
>> "v=DKIM1"
>> ```
>>
>> Compare that to the published DKIM key for my domain, panoptic.com:
>>
>> ```
>> $ dig default._domainkey.panoptic.com txt +short
>> "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmjlAjovTKKp1Nx74U4Atv4QEalKWvG0w6AwLLuecBLSwes2wi+C6ov9+LwaOPFRkM"
>> "yzpzRQkeAz26LsB3otCVpraSqsaNTkJkOi7BNrMeefQmMV7VETy9Q9bu9y62DYsnsQTJbyGigJzPZUOxRgFobZcNFO3ysIEbwHgau8dOkZMqBGL4dq2uHJTJsHmcdiE"
>> "y8X2DsHoRpg5M26YPuvsLRYS+7qzSAPaXzq42zNScL5a6KCqu2t77HFz0tw6kSL3NbzrErAjsXZR828Wky/BeguwgK1m8CM7VIcpc0vHoYscbl2glOw6PJIhFPkMKSa"
>> "50F0L9kMwGyfqVTUaE+KcEQIDAQAB"
>> ```
>>
>> Not sure if the lack of public key published in your DNS entry would result
>> in a "bad RSA signature" failure on validation, but there's no way to
>> validate the signature without your public key published properly.
>>
>> HTH, HAND,
>>
>> Dossy
>>
>> --
>> Dossy Shiobara       | "He realized the fastest way to change
>> do...@panoptic.com   | is to laugh at your own folly -- then you
>> http://panoptic.com/ | can let go and quickly move on." (p. 70)
>> * WordPress * jQuery * MySQL * Security * Business Continuity *
>
_______________________________________________ Assp-user mailing list Assp-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-user
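The thread turns on two DNS details: a TXT record is a list of quoted character-strings of at most 255 octets each, so a 2048-bit RSA DKIM key has to be published as several strings that the verifier concatenates, and a record that stops at "v=DKIM1" gives a verifier no key to check the signature against. The script below is an added example, not code from the thread or from ASSP. It checks a DKIM key record the way a verifier would (tag list parsing, base64 decoding, a minimal walk of the DER SubjectPublicKeyInfo to confirm an RSA key and its size), and it renders a BIND master-file TXT RR from a base64 key, split into strings that fit the DNS limit. The sample inputs are the two dig results quoted above (the complete panoptic.com record and the clipped semperen.com one); the zone names example.com and example.net in the usage section are placeholders, and publishing the same public key under several domains' own selector._domainkey names is shown only on the DNS side, not on the ASSP signing side.

```python
"""Check a DKIM public-key TXT record as a verifier would, and render a
BIND TXT RR for a base64 public key. Standard library only; the DER walker
is a minimal one written for this example, not a general ASN.1 parser."""
import base64
import binascii
import re

# Each DNS <character-string> in TXT RDATA holds at most 255 octets
# (RFC 1035), so "v=DKIM1; k=rsa; p=" plus 392 base64 characters must be
# split over several quoted strings. A DKIM verifier joins them with no
# separator before parsing (RFC 6376 section 3.6.2.2).
MAX_CHARSTRING = 255

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# Sample input from the thread: the record dig returned for
# default._domainkey.panoptic.com, as the four strings dig printed.
PANOPTIC_RECORD = [
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmjlAjovTKKp1Nx74U4Atv4QEalKWvG0w6AwLLuecBLSwes2wi+C6ov9+LwaOPFRkM",
    "yzpzRQkeAz26LsB3otCVpraSqsaNTkJkOi7BNrMeefQmMV7VETy9Q9bu9y62DYsnsQTJbyGigJzPZUOxRgFobZcNFO3ysIEbwHgau8dOkZMqBGL4dq2uHJTJsHmcdiE",
    "y8X2DsHoRpg5M26YPuvsLRYS+7qzSAPaXzq42zNScL5a6KCqu2t77HFz0tw6kSL3NbzrErAjsXZR828Wky/BeguwgK1m8CM7VIcpc0vHoYscbl2glOw6PJIhFPkMKSa",
    "50F0L9kMwGyfqVTUaE+KcEQIDAQAB",
]
# The clipped record dig returned for dkim._domainkey.semperen.com.
CLIPPED_RECORD = ["v=DKIM1"]


def parse_tag_list(text):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue  # trailing ';' is permitted
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        name, value = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %r" % name)
        tags[name] = value.strip()
    return tags


def _der_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the modulus size of an RSA SubjectPublicKeyInfo, or raise."""
    tag, spki, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, algid, pos = _der_tlv(spki, 0)
    oid_tag, oid, _ = _der_tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    tag, rsapub, _ = _der_tlv(bitstr, 1)
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag, modulus, _ = _der_tlv(rsapub, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(strings):
    """Validate the TXT strings of a DKIM key record; raise ValueError on
    anything a verifier would reject. Returns the tags plus 'bits', or
    'revoked' when p= is empty (RFC 6376 section 3.6.1)."""
    tags = parse_tag_list("".join(strings))
    if "v" in tags and tags["v"] != "DKIM1":
        raise ValueError("unsupported version %r" % tags["v"])
    tags.setdefault("k", "rsa")
    if tags["k"] != "rsa":
        raise ValueError("unsupported key type %r" % tags["k"])
    if "p" not in tags:
        raise ValueError("no p= tag: record is incomplete, nothing to verify against")
    key_b64 = re.sub(r"\s+", "", tags["p"])  # folding whitespace is allowed in p=
    if key_b64 == "":
        return dict(tags, revoked=True)
    try:
        der = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("p= is not valid base64: %s" % exc)
    return dict(tags, bits=rsa_modulus_bits(der))


def record_problem(strings):
    """None if the record is usable, otherwise the verifier's complaint."""
    try:
        check_dkim_record(strings)
    except ValueError as exc:
        return str(exc)
    return None


def bind_txt_rr(selector, domain, pubkey_b64, chunk=MAX_CHARSTRING):
    """Render a BIND master-file TXT RR, splitting the tag list into quoted
    strings of at most `chunk` (<= 255) characters. Inside quotes ';' needs
    no escaping in the zone file; dig merely displays it as '\\;'."""
    chunk = min(chunk, MAX_CHARSTRING)
    body = "v=DKIM1; k=rsa; p=" + pubkey_b64
    parts = [body[i:i + chunk] for i in range(0, len(body), chunk)]
    quoted = "\n".join('    "%s"' % p for p in parts)
    return "%s._domainkey.%s. IN TXT (\n%s )" % (selector, domain, quoted)


def txt_strings_from_rr(rr):
    """Pull the quoted character-strings back out of a master-file TXT RR."""
    return re.findall(r'"([^"]*)"', rr)


if __name__ == "__main__":
    for name, rec in (("panoptic.com", PANOPTIC_RECORD), ("semperen.com", CLIPPED_RECORD)):
        print(name, "->", record_problem(rec) or "ok, RSA-%d" % check_dkim_record(rec)["bits"])
    key = check_dkim_record(PANOPTIC_RECORD)["p"]
    for zone in ("example.com", "example.net"):  # placeholder zones sharing one key
        print(bind_txt_rr("dkim", zone, key))
```

Run against the two records from the thread, the first validates as a 2048-bit RSA key and the second is rejected for lack of a p= tag, which is the cheapest check to run before chasing a "bad RSA signature" report any further; the rendered RR can be pasted into each zone and re-read with `dig ... txt +short` to confirm all of its strings survived the zone load.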