Difference between revisions of "BIND: Setup DMKI"

From OnnoWiki
Jump to navigation Jump to search
 
(One intermediate revision by the same user not shown)
Line 3: Line 3:
 
First, your create a key pair with openssl:
 
First, your create a key pair with openssl:
  
openssl genrsa -out private.key 1024
+
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
+
openssl rsa -in private.key -pubout -out public.key
  
 
Your public key looks now like:
 
Your public key looks now like:
  
 
  -----BEGIN PUBLIC KEY-----
 
  -----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEI2JbDzjyNCCxXVWqLdOD+EpS
+
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpM
  ZPFEtHG7bmYSQaQjDHP/DQnQ3adkcOKDyEZKHrZTpLFOfd063uUTw4SlloLpziGL
+
  PJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n
  PD44v0vLZI0TXjpdsvSXl0vV6i4nxBnqhvCOG3TrMIz8iF8e8cQL0dnxeaQZyRvx
+
  3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb
  sbkccjUxLKw1YomX0QIDAQAB
+
  5MIBp3vDiipAJNTO1wIDAQAB
 
  -----END PUBLIC KEY-----
 
  -----END PUBLIC KEY-----
 +
 +
  
 
Now you convert this output to one single line:
 
Now you convert this output to one single line:
  
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEI2JbDzjyNCCxXVWqLdOD+EpSZPFEtHG7bmYSQaQjDHP/DQnQ3adkcOKDyEZKHrZTpLFOfd063uUTw4SlloLpziGLPD44v0vLZI0TXjpdsvSXl0vV6i4nxBnqhvCOG3TrMIz8iF8e8cQL0dnxeaQZyRvxsbkccjUxLKw1YomX0QIDAQAB
+
 
 +
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpMPJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb5MIBp3vDiipAJNTO1wIDAQAB
 +
 
  
 
This line you will use as public key in your DNS record.
 
This line you will use as public key in your DNS record.
Line 23: Line 27:
 
Next, add two txt records like
 
Next, add two txt records like
  
  _domainkey.domain.com          IN TXT o=!;r=postmaster@domain.com
+
  _domainkey.domain.com          IN TXT o=~;r=postmaster@domain.com
 
  selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>
 
  selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>
  

Latest revision as of 18:09, 28 April 2019

Adding a DKIM record to your DNS is quite simple.

First, your create a key pair with openssl:

openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key

Your public key looks now like:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpM
PJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n
3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb
5MIBp3vDiipAJNTO1wIDAQAB
-----END PUBLIC KEY-----


Now you convert this output to one single line:


MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfA14QIpOjnPT8sN/uLc8aoUpMPJQS47UYyn0+VhcTACZuxEMxCKBatAdOMFcNxlqPsXxjxPH1o/A9fOZJ8Uf+Ff2n3ODOhk9VYU45at9b1GyMtoNR5kSRLZX+V7FGlOEcoDiG0Ixmb2c6NBV+e221IWyb5MIBp3vDiipAJNTO1wIDAQAB


This line you will use as public key in your DNS record.

Next, add two txt records like

_domainkey.domain.com          IN TXT o=~;r=postmaster@domain.com
selector._domainkey.domain.com IN TXT v=DKIM1;k=rsa;p=<public key>

Which means:

   o=~ the server signs some mail
   o=- all mail is signed, but unsigned mail should be accepted
   o=! all mail is signed, do not accept unsigned mail
   t=y I’m still testing
   v=DKIM1 we use DKIM version 1
   k=rsa it is a RSA key
   r=<x@xx> report problems to this email address
   p=<public key> this is the generated public key

Do not use keys with length other than 1024. 512 is too short and 2048 will give you problems with most DNS servers.