Debian – dkim-testkey return keys do not match after key’s creation

debiandkim

as in the title I am struggling with the creation of the dkim key.
For key creation I use these commands

openssl genrsa -out s1024.private 1024
openssl rsa -in s1024.private -out s1024.public -pubout -outform PEM

In this way I got the public and private keys.
After that I put the private key in /etc/dkim/ dir
and I make the test about the key in this way

dkim-testkey -d hostname -s s1024 -k /etc/dkim/s1024.private

the parameters means

-d is related to the domain
-s is the selector is the config file in this case is s1024
-k is the key to match

and the result is this one

dkim-testkey: keys do not match

How is possibile?
I have done the same procedure on another 60 different servers and everything was fine.
And of course the other 60 servers are cloned from the same debian image.
I also tried to uninstall and reinstall the dkim package but still nothing.

So any idea about why?

Best Answer

My reading of the man page indicates the verifier will use DNS to lookup the public key. Add a new selector for your new key to DNS. Do not reuse your existing selector for the new key. If you don't need ongoing verifiability, you can schedule deletion of the current selector at a future date (at least a week or so after the switch).

Don't start using the new key until it is published and the verifier tool reports you have correctly setup the DNS records. Unfortunately, a high percentage of the DKIM email I receive is missing the support DNS data.

See my article on Implementing DKIM with Exim for detail on selector management.

Related Solutions

Exim DKIM Error: DKIM: signing failed (RC -101) no matter what private key I try

I've solved this issue with exim and dkim by setting the absolute path to my private key (thanks to @cjc):

The final DKIM configuration section goes like this:

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp

  dkim_domain = my_domain.com
  dkim_selector = dkim
  dkim_private_key = /absolute/path/to/my/private.key
  dkim_canon = relaxed

Thats all! Then just restarted Exim

Should DKIM selector names be unguessable

I reviewed the document and found the author(s) don't understand DNS propogation of new entries. When updating old entries there are configurable cache times that can be several days. However, new entries need to be fetched from the authoritative name servers before the can be cached.

If keys are being rotated by the suggested process of rotating keys behind three CNAMEs, the there may be significant delays while cached entries are updated. This can be mitigated by dropping the TTL on record to be updated in the period before it is updated. The CNAME rotations may also be problematic in the case an emergency key rotation is required.

Randomizing the key names does provide some small measure of protection against the public key being retrieved in advance of use. Once the key is in use, I would assume that it could have been harvested for the purpose of generating an alternate signing key.

Best Answer

Related Solutions

Exim DKIM Error: DKIM: signing failed (RC -101) no matter what private key I try

Should DKIM selector names be unguessable

Related Topic