DKIM (DomainKeys Identified Mail) Modernization

When DKIM was originally specified in 2007, 512 bit rsa-sha1 seemed like a great idea (well not a great idea, but not everyone could do rsa-sha256 yet, so rsa-sha1 was let live in the specification to ease transition from Yahoo!’s DomainKeys.  Fast forward to 2012 and suddenly 512 bits wasn’t such a great idea.  The most recent DKIM update the year before had not changed the original 2007 recommendations, but the operational community reacted and 768 bits became a de-facto minimum key length and 1024 bits or more preferred.  All DKIM related packages in Debian were updated to match these more secure requirements.

Roughly a year ago, the IETF (Internet Engineering Task Force) commissioned a new working group, DCRUP (DKIM Crupto UPdate) to look at updating DKIM “to handle more modern cryptographic algorithms and key sizes”.  This has evolved into a combination of throwing out the old and bringing in the new in two separate documents.

The throwing out the old part of the work has been published as RFC 8301.  It removes rsa-sha1 from DKIM and raises the minimum RSA key size to 1024 bits and recommends 2048 bits (before commenting about how horrible 1024 bits is, please read the RFC, it’s there for a reason).

Bringing in the new is still a work in progress, but nearly finished.  It’s being developed in draft-ietf-dcrup-dkim-crypto.  It’s been through working group last call once, and I don’t expect much more change before it’s ready for wider IETF review.  The new is a new signature algorithm, ed25519-sha256.  The ed25519 algorithm is defined in RFC 8032.  It seems to be getting traction in a number of applications.

There are two implementations, that I know of.  For exim, DKIM with ed25519-sha256 support has been committed to their VCS and will (I assume) be in the next feature release.  The other is based on the Python DKIM module dkimpy.  I’ve also written a milter that uses it with Postfix and Sendmail.  We’ve tested against each other and the two implementations are interoperable in our testing.

This is good news for the robustness of ed25519 since Exim is using gnu-tls (as I understand it) and I used libsodium as wrapped by PyNaCl.  Being able to test two dissimilar implementations before the specification is carved in stone has been a big help.  We discovered a few areas that were underspecified and some interesting differences in the different ed25519 variants defined in RFC 8032 (strangely both implementers used the same variant that was not the one in the draft at the time, it’s all fixed now).  I doubt it will surprise anyone that this was two FOSS implementations, proprietary implementers are (other than complaining about having to get off sha1) not heard from.

If you use postfix or sendmail on Debian Stable (Stretch)/Testing/Unstable, you can install dkimpy-milter and try it out.  For Stable, you’ll have to use backports for both dkimpy-milter and some dependencies.

In order to make it easy to try out, I used configuration names and definitions from OpenDKIM (since I think that’s what most sendmail/postfix people use).  If you only used configuration options that are supported by dkimpy-milter, you can just copy over your conf file and start right away (if you used something unsupported, you’ll get an error when you start the service).  In order to use ed25519 signatures, you will need to create an ed25519 key and publish it at a new selector.  You can use the dknewkey script provided by python-dkim (which will be pulled in as a dependency) to generate the key.

As far as I and a few others who have tested this can tell, dkimpy-milter works for the scope of features I’ve taken on so far.  If you try it and have problems, please file bugs.  Similarly, if you options from OpenDKIM that aren’t implemented, please file wishlist bugs so I know what is useful for other people.

So far, I’ve done what was most immediately useful for me.  For my usage, I’ve replaced OpenDKIM and am running it in production on Stretch without issue.  One caution for sysv init users: I don’t use it, so even though I’ve provided a sysv init script, it’s only very, very lightly tested.  If you use sysv init and have problems, please file bugs and I’ll try and fix it (patches would be great).

One final note: please don’t complain about it being on Launchpad and not GitHub.  Unlike GitHub, Launchpad is 100% free software and even though I have issues with the policies for contribution, I still think that counts.


0 Responses to “DKIM (DomainKeys Identified Mail) Modernization”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: