On Fri, Nov 28, 2014 at 05:01:56PM -0500, Scott Kitterman wrote:
> I did investigate this and there is a valid reason for this. There are DNS
> service providers that limit TXT records to a single 255 character string
> (even though DNS has no such limit). 2048 bit key records won't fit.

I could understand limiting to 512 bytes for the whole packet. There should
be enough space for 2048 bit. Larger than 512 bytes _should_ work, but I
know it breaks all over the place. That certain other software is broken
is a stupid excuse for not having a sane default. Please don't let them
hold back the rest of us.

> DKIM is designed to give some minimal level of assurance the message hasn't
> been modified, as such, it's not likely to be a primary target of someone
> seeking to factor 1024 bit keys (the same is not true of smaller keys which
> were successfully factored in the wild a few years ago).
>
> The generally recommended best practice for DKIM keys is to rotate them
> regularly to mitigate risks like this.

There are places that do recommend rotating it, but not all of them do.
But they should be rotated if you use larger keys. I also don't understand
why you think 512 would be bad but 1024 not. You just need a larger budget.

Kurt
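The record-size arithmetic behind the two limits argued about above (a single 255-byte TXT character-string versus a 512-byte UDP DNS response), as an added example that is not part of the mail thread and not code from any DKIM implementation. It builds a SubjectPublicKeyInfo around a placeholder modulus so that the DER length matches a real RSA key of that size, assembles the RFC 6376 key record (`v=DKIM1; k=rsa; p=...`), splits it into RFC 1035 character-strings and estimates the wire size of a minimal answer. The owner name `selector._domainkey.example.com` is an assumed sample; the placeholder key is NOT usable for signing or verification.

```python
"""Size a DKIM DNS TXT record against a 255-byte character-string and a
512-byte UDP response.  Added example, not from the original mail.  The
SPKI uses a placeholder modulus (all 0xff) purely so its DER length equals
that of a real key of the same size; it is not a real RSA key.  Replace
synthetic_spki() with the DER of a real public key to size a real record.
"""
import base64


def der_tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(unsigned: bytes) -> bytes:
    """DER INTEGER from unsigned big-endian bytes (adds a sign byte if the top bit is set)."""
    if unsigned[0] & 0x80:
        unsigned = b"\x00" + unsigned
    return der_tlv(0x02, unsigned)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def synthetic_spki(bits: int) -> bytes:
    """SubjectPublicKeyInfo (RFC 5280) for an RSA key of `bits` bits with e=65537.
    Placeholder modulus: chosen only so the encoded length equals a real key's."""
    modulus = b"\xff" * (bits // 8)  # top bit set, so the integer is exactly `bits` long
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(b"\x01\x00\x01"))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))


def dkim_txt_record(spki_der: bytes) -> str:
    """RFC 6376 key record: v=, k= and p= (base64 of the SPKI)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")


def character_strings(record: str, limit: int = 255) -> list:
    """Split into the <character-string> pieces TXT RDATA consists of (RFC 1035 3.3.14)."""
    data = record.encode("ascii")
    return [data[i:i + limit] for i in range(0, len(data), limit)]


def udp_response_size(owner_name: str, record: str) -> int:
    """Bytes on the wire for a minimal answer: 12-byte header, one question,
    one TXT RR whose owner name is a 2-byte compression pointer to the question."""
    labels = owner_name.rstrip(".").split(".")
    qname = sum(1 + len(label) for label in labels) + 1  # length-prefixed labels + root byte
    rdata = sum(1 + len(cs) for cs in character_strings(record))  # 1 length byte per piece
    return 12 + (qname + 4) + (2 + 10 + rdata)


def size_report(bits: int, owner_name: str = "selector._domainkey.example.com") -> dict:
    """Summarise both limits for a key of `bits` bits (owner name is an assumed sample)."""
    record = dkim_txt_record(synthetic_spki(bits))
    wire = udp_response_size(owner_name, record)
    return {
        "bits": bits,
        "record_chars": len(record),
        "character_strings": len(character_strings(record)),
        "fits_single_255_string": len(record) <= 255,
        "udp_response_bytes": wire,
        "fits_512_udp": wire <= 512,
    }


if __name__ == "__main__":
    for key_bits in (1024, 2048, 4096):
        print(size_report(key_bits))
```

For a 1024-bit key the record is 234 characters and fits one 255-byte string; a 2048-bit key gives 410 characters, so it must be published as two strings (which the providers Scott describes refuse), yet the whole UDP answer is still well under 512 bytes; 4096 bits needs three strings and overflows 512, which is where EDNS0 or TCP fallback becomes necessary.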

