dkim 2048 bits - migration and zone file generation changes

* Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.) * Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings. * When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec. * Added a changelog entry.
2026-03-18 18:07:22 +01:00 · 2015-06-25 13:02:40 +00:00
parent ef6a17d4a6
commit 299a2315c1
4 changed files with 31 additions and 10 deletions
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@@ -35,12 +35,17 @@ RequireSafeKeys         false
 EOF
 fi

-# Create a new DKIM key. This creates
-# mail.private and mail.txt in $STORAGE_ROOT/mail/dkim. The former
-# is the actual private key and the latter is the suggested DNS TXT
-# entry which we'll want to include in our DNS setup.
+# Create a new DKIM key. This creates mail.private and mail.txt
+# in $STORAGE_ROOT/mail/dkim. The former is the private key and
+# the latter is the suggested DNS TXT entry which we'll include
+# in our DNS setup. Note tha the files are named after the
+# 'selector' of the key, which we can change later on to support
+# key rotation.
+#
+# A 1024-bit key is seen as a minimum standard by several providers
+# such as Google. But they and others use a 2048 bit key, so we'll
+# do the same. Keys beyond 2048 bits may exceed DNS record limits.
 if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
-	# Should we specify -h rsa-sha256?
 	opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
 fi