As far as I know, OpenSRS DNS refuses DKIM keys longer than 1024 to this day, despite my, and I expect many others', asking and asking and asking ...
If they've changed this do educate me. As they haven't

Christian

Brandon Long via mailop writes:

> On Thu, Jan 7, 2021 at 5:57 AM Dan Malm via mailop <mailop@mailop.org>
> wrote:
>
>> On 2021-01-06 20:10, Tim Bray via mailop wrote:
>> > My thoughts are `time for mail operators to pull their fingers out and
>> > upgrade`. Because we are really saying `upgrade to something less than
>> > 8 years old`
>>
>> I fully agree. The state of TLS in the mail world is quite sad and it
>> would be great if we could all agree on actually keeping our systems up
>> to date... The problem is that it's not a system that I or you control
>> that need updating, it's someone else's. And our business model is not
>> "internet compliance police" it's providing a service that (among other
>> things...) delivers emails that our customers want to send, and as long
>> as the big giants in the industry are not the ones initiating this type
>> of change, the reaction from customers whose mail we can't deliver will
>> usually be one of "I don't care about security", "I'm just sending a
>> picture of my cat so security doesn't matter for this particular mail"
>> or "but (gmail|hotmail|yahoo) could send mails to this address perfectly
>> fine so why can't you?"
>>
>> The day gmail stops delivering to servers with legacy SSL I'll be happy
>> to do the same.
>>
>
> By the definition of SSL3 is legacy, that's been true for years.
>
> I don't know enough about the different cyphers to know if we
> still allow stuff that this change prohibits, though.
>
> We do still allow administrators to create 1024 bit DKIM keys because
> when we tried to change it, a large number of admins and the web-based DNS
> admin consoles they used couldn't handle the larger keys. That was years
> ago, though, so I don't know what the current status of those consoles is.
>
> We should have updated our services to handle keys and rotations better
> like O365 does, but that still hasn't happened yet.
>
> Brandon
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

--
Christian de Larrinaga
https://firsthand.net