Enabling DNSSEC Support For OpenDKIM

If you are using DNSSEC, you can now use it to verify DKIM keys with opendkim.

This does require a bit of configuration.

Opendkim uses unbound for DNSSEC support.

You have to:

  • Install the unbound package (not just the library, which is already pulled in as an opendkim dependency)
  • Configure the DNSSEC trust anchor for unbound (either in /etc/unbound/unbound.conf or by adding a configuration snippet to /etc/unbound/unbound.conf.d – the latter makes it much less likely you’ll have to resolve conflicts in the configuration file if the default file is changed on later package upgrades)
  • Update /etc/opendkim.conf and add:

ResolverConfiguration     /etc/unbound/unbound.conf

Once that’s done, restart opendkim and your DKIM key queries are DNSSEC protected (you can verify this in your mail logs, since opendkim annotates unprotected keys in its log entries).
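The steps above, as an added shell example that is not part of the original post: it writes the trust-anchor snippet into unbound.conf.d, sets ResolverConfiguration in opendkim.conf (replacing a leftover UnboundConfigFile line from the older releases mentioned below), and checks the result. Everything is written under a configuration root passed as the first argument, so the change can be rehearsed in a scratch directory before being applied to / on the live system. The /etc paths are the Debian/Ubuntu package defaults; the snippet file name and the use of /var/lib/unbound/root.key with auto-trust-anchor-file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Lays down the unbound DNSSEC
# trust-anchor snippet and the OpenDKIM ResolverConfiguration setting under a
# configuration root given as $1 (a scratch directory for a dry run, / for real).
# /etc paths are the Debian/Ubuntu package defaults; the snippet file name and
# the /var/lib/unbound/root.key location are assumptions.

ANCHOR_SNIPPET="etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf"
OPENDKIM_CONF="etc/opendkim.conf"

# Write the trust anchor as a conf.d snippet instead of editing unbound.conf,
# so later package upgrades of the main file do not produce merge conflicts.
# auto-trust-anchor-file lets unbound follow root KSK rollovers (RFC 5011).
write_unbound_anchor() {
    root="${1%/}"
    mkdir -p "$(dirname "$root/$ANCHOR_SNIPPET")"
    cat > "$root/$ANCHOR_SNIPPET" <<'EOF'
server:
    # Seeded from the dns-root-data package's root key, then kept current by
    # unbound itself; unbound must be able to write this file (assumed path).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
EOF
}

# Point OpenDKIM at unbound's configuration. Any earlier ResolverConfiguration
# line, and the pre-rename UnboundConfigFile line from older releases, is
# dropped first so the setting appears exactly once.
set_opendkim_resolver() {
    root="${1%/}"
    conf="$root/$OPENDKIM_CONF"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    grep -v -E '^[[:space:]]*(ResolverConfiguration|UnboundConfigFile)[[:space:]]' \
        "$conf" > "$conf.tmp" || :
    printf 'ResolverConfiguration     /etc/unbound/unbound.conf\n' >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Sanity check to run before restarting opendkim: the anchor snippet exists,
# ResolverConfiguration is set exactly once, and no UnboundConfigFile remains.
check_dnssec_config() {
    root="${1%/}"
    conf="$root/$OPENDKIM_CONF"
    [ -f "$root/$ANCHOR_SNIPPET" ] || return 1
    grep -q 'auto-trust-anchor-file' "$root/$ANCHOR_SNIPPET" || return 1
    [ "$(grep -c '^ResolverConfiguration' "$conf")" -eq 1 ] || return 1
    ! grep -q '^UnboundConfigFile' "$conf"
}

# Live run (as root), after the dry run looks right:
#   apt-get install unbound dns-root-data
#   write_unbound_anchor / && set_opendkim_resolver / && check_dnssec_config / \
#       && service unbound restart && service opendkim restart
```

Running the functions twice against the same root is safe: the snippet is simply rewritten and opendkim.conf still carries a single ResolverConfiguration line, which matters if the script is re-run after an upgrade that re-adds the old parameter name.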

Note: This should also apply to Ubuntu 14.04, 14.10, and 15.04.

Update: In Wheezy (and Squeeze, at least the version in backports, I didn’t check the release version) and Ubuntu 10.04 (similarly with backports) this was possible too. The opendkim.conf parameter was called UnboundConfigFile. You may have to update your local configuration to use the new name when you upgrade.


5 Responses to “Enabling DNSSEC Support For OpenDKIM”


  1. 1 Elessar April 27, 2015 at 11:03

    Is that supposed to be a new feature? I have been using OpenDKIM as a milter for one year or two, and from the beginning I was able to see whether or not the key was protected by DNSSEC in the Authentication-Results header it leaves: if it is not protected, it adds “insecure key”. Also, in my case that worked, and still does, with a local Bind and no Unbound.

  2. 3 Elessar April 28, 2015 at 04:16

    Right, but the thing is, I did not configure anything for that. My local resolver, BIND, does DNSSEC and indicated when the result is authenticated (flag AD, authentic data): I guess OpenDKIM is able to use that…

    • 4 skitterman April 30, 2015 at 11:51

      Interesting. My reading of the documentation indicated otherwise, but I’ll take your actual experience over my reading of the documentation. Do you have dns-root-data installed? There’s been some additional discussion in the related bug report and I’m going to go back and revisit this in the next upload.

      • 5 Elessar May 5, 2015 at 03:40

        Well, my local BIND server knows the root public keys, yes. OpenDKIM does not, it seems it simply trusts what BIND reports.
