This does require a bit of configuration.
Opendkim uses unbound for DNSSEC support.
You have to:
- Install the unbound package (not just the library, which is already pulled in as an opendkim dependency)
- Configure the DNSSEC trust anchor for unbound (either in /etc/unbound/unbound.conf or by adding a configuration snippet to /etc/unbound/unbound.conf.d – the latter makes it much less likely you’ll have to resolve conflicts in the configuration file if the default file is changed on later package upgrades)
- Update /etc/opendkim.conf and add:
Once that’s done, restart opendkim and your DKIM key queries are DNSSEC protected (you can verify this in your mail logs since opendkim annotates unprotected keys when it logs).
Note: This should also apply to Ubuntu 14.04, 14.10, and 15.04.
Update: In Wheezy (and Squeeze, at least the version in backports, I didn’t check the release version) and Ubuntu 10.04 (similarly with backports) this was possible too. The opendkim.conf parameter was called UnboundConfigFile. You may have to update your local configuration to use the new name when you upgrade.
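
A configuration audit covering the steps and the upgrade note above, as an added example that is not part of the original post: it checks that unbound has a trust anchor directive and that opendkim.conf no longer uses UnboundConfigFile. It assumes the current parameter is ResolverConfiguration (per opendkim.conf(5); the post does not name it); the function names, the root key path and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that opendkim is pointed at an unbound configuration
# with a DNSSEC trust anchor. ResolverConfiguration is an assumption here;
# the post only gives the old name, UnboundConfigFile.

# Print the value of an active (uncommented) opendkim.conf parameter.
odkim_get() {  # $1=parameter  $2=opendkim.conf
    [ -r "$2" ] || return 0
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Succeed if any of the given unbound config files sets a trust anchor.
has_trust_anchor() {
    grep -Eqs '^[[:space:]]*(auto-trust-anchor-file|trust-anchor-file|trust-anchor|trusted-keys-file):' "$@"
}

# Arguments default to the paths named in the post.
audit_dkim_dnssec() {  # $1=opendkim.conf  $2=unbound.conf  $3=unbound.conf.d
    odkim=${1:-/etc/opendkim.conf}
    ub=${2:-/etc/unbound/unbound.conf}
    ubd=${3:-/etc/unbound/unbound.conf.d}
    rc=0
    if ! has_trust_anchor "$ub" "$ubd"/*.conf; then
        echo "FAIL: no DNSSEC trust anchor in $ub or $ubd"; rc=1
    fi
    if [ -n "$(odkim_get UnboundConfigFile "$odkim")" ]; then
        echo "FAIL: UnboundConfigFile is the old parameter name"; rc=1
    fi
    res=$(odkim_get ResolverConfiguration "$odkim")
    if [ -z "$res" ]; then
        echo "FAIL: ResolverConfiguration not set in $odkim"; rc=1
    elif [ ! -r "$res" ]; then
        echo "FAIL: ResolverConfiguration names unreadable file $res"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: opendkim resolves through unbound with a trust anchor"
    return "$rc"
}

# Constructed sample: an upgraded host that still uses the old parameter name.
# /var/lib/unbound/root.key is an assumed root key location.
demo() {
    d=$(mktemp -d) && mkdir "$d/unbound.conf.d"
    printf 'server:\n    auto-trust-anchor-file: "/var/lib/unbound/root.key"\n' > "$d/unbound.conf.d/anchor.conf"
    : > "$d/unbound.conf"
    printf 'Domain example.org\nUnboundConfigFile %s/unbound.conf\n' "$d" > "$d/opendkim.conf"
    audit_dkim_dnssec "$d/opendkim.conf" "$d/unbound.conf" "$d/unbound.conf.d"
    rc=$?; rm -rf "$d"; return "$rc"
}
demo || true
```

Calling `audit_dkim_dnssec` with no arguments audits the live paths; it only reads files and changes nothing.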