Thanks to John Dickinson, a patch has been provided which adds support for 
DNSSEC to libdkim.  This will appear in v2.8.0 of the filter which I'm 
hoping to put into public beta as early as next week.

This will necessarily create a couple of new configuration options since 
the DNSSEC data may have an impact in terms of local policy.

I was thinking about adding an authentication method to the 
Authentication-Results: draft called something like "dkim-sec" 
representing the DKIM result if the key/policy records were secured with 
DNSSEC, but that draft is on its way to publication so I don't want to 
make any changes to it now.  So until it's appropriate to publish an 
extension to it, we're left with adding a parenthetical comment to the 
Authentication-Results: header field which reflects the DNSSEC result, or 
changing the actual result based on key/policy security (or both).  I plan 
to do the comments regardless, but I'm thinking about how to do the other.

The result for any DNSSEC-aware query basically comes down to one of these 
four:

        - evaluation not completed ("unknown")
        - signer not using DNSSEC ("insecure")
        - signer using DNSSEC, successful ("secure")
        - signer using DNSSEC, unsuccessful ("bogus")

Therefore, I believe we need four new configuration settings.  In 
particular (with invented names so far):

InsecureKey
        - specifies what to do with insecure keys
        - possible values:
                - ignore (no action; default)
                - neutral (degrade a "pass" to "neutral")
                - fail (degrade a "pass" to "fail")

BogusKey
        - specifies what to do with bogus keys
        - possible values:
                - ignore
                - neutral
                - fail (default)

InsecureADSP
        - specifies what to do with insecure keys
        - possible values:
                - apply (default)
                - ignore

BogusADSP
        - specifies what to do with bogus ADSP records
        - possible values:
                - apply
                - ignore (default)

Opinions welcome!

-MSK
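
The four proposed settings written out as a decision function, as an added example that is not part of the original message and is not dkim-milter or libdkim code. All identifiers are hypothetical; it assumes BogusKey degrades only a "pass" (as described for InsecureKey) and that "unknown" and "secure" results trigger no action.

```c
#include <stdio.h>

/* All identifiers are hypothetical; none come from dkim-milter or libdkim. */
enum dnssec { DNSSEC_UNKNOWN, DNSSEC_INSECURE, DNSSEC_SECURE, DNSSEC_BOGUS };
enum result { RES_PASS, RES_NEUTRAL, RES_FAIL };
enum key_action { KEY_IGNORE, KEY_NEUTRAL, KEY_FAIL };
enum adsp_action { ADSP_APPLY, ADSP_IGNORE };

struct dnssec_policy {
    enum key_action insecure_key;    /* InsecureKey */
    enum key_action bogus_key;       /* BogusKey */
    enum adsp_action insecure_adsp;  /* InsecureADSP */
    enum adsp_action bogus_adsp;     /* BogusADSP */
};

/* Defaults as listed in the message: ignore, fail, apply, ignore. */
static const struct dnssec_policy proposed_defaults = { KEY_IGNORE, KEY_FAIL, ADSP_APPLY, ADSP_IGNORE };

static const char *const dnssec_names[] = { "unknown", "insecure", "secure", "bogus" };
static const char *const result_names[] = { "pass", "neutral", "fail" };

/* Degrade a "pass" according to the key's DNSSEC status. Assumptions: other
 * results are never changed, and "unknown"/"secure" keys trigger no action. */
enum result apply_key_policy(const struct dnssec_policy *p, enum result r, enum dnssec st)
{
    enum key_action act = KEY_IGNORE;
    if (st == DNSSEC_INSECURE) act = p->insecure_key;
    else if (st == DNSSEC_BOGUS) act = p->bogus_key;
    if (r != RES_PASS || act == KEY_IGNORE) return r;
    return act == KEY_NEUTRAL ? RES_NEUTRAL : RES_FAIL;
}

/* 1 if an ADSP record with this status is applied (assumed for unknown/secure), else 0. */
int adsp_applies(const struct dnssec_policy *p, enum dnssec st)
{
    if (st == DNSSEC_INSECURE) return p->insecure_adsp == ADSP_APPLY;
    if (st == DNSSEC_BOGUS) return p->bogus_adsp == ADSP_APPLY;
    return 1;
}

int main(void)
{
    /* Decision table for a "pass" under the defaults; output wording is constructed. */
    for (int st = DNSSEC_UNKNOWN; st <= DNSSEC_BOGUS; st++)
        printf("key %-8s -> dkim=%s, ADSP %s\n", dnssec_names[st],
               result_names[apply_key_policy(&proposed_defaults, RES_PASS, st)],
               adsp_applies(&proposed_defaults, st) ? "applied" : "ignored");
    return 0;
}
```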
