As far as I know OpenSRS DNS refuses DKIM keys longer than 1024 to this
day despite my and I expect many others asking and asking and asking ...
If they've changed this do educate me. As they haven't

Christian
Brandon Long via mailop writes:

> On Thu, Jan 7, 2021 at 5:57 AM Dan Malm via mailop <mailop@mailop.org>
> wrote:
>
>> On 2021-01-06 20:10, Tim Bray via mailop wrote:
>> > My thoughts are `time for mail operators to pull their fingers out and
>> > upgrade`. Because we are really saying `upgrade to something less than
>> > 8 years old`
>>
>> I fully agree. The state of TLS in the mail world is quite sad and it
>> would be great if we could all agree on actually keeping our systems up
>> to date... The problem is that it's not a system that I or you control
>> that needs updating, it's someone else's. And our business model is not
>> "internet compliance police" it's providing a service that (among other
>> things...) delivers emails that our customers want to send, and as long
>> as the big giants in the industry are not the ones initiating this type
>> of change, the reaction from customers whose mail we can't deliver will
>> usually be one of "I don't care about security", "I'm just sending a
>> picture of my cat so security doesn't matter for this particular mail"
>> or "but (gmail|hotmail|yahoo) could send mails to this address perfectly
>> fine so why can't you?"
>>
>> The day gmail stops delivering to servers with legacy SSL I'll be happy
>> to do the same.
>>
>
> By the definition of SSL3 is legacy, that's been true for years.
>
> I don't know enough about the different cyphers to know if we
> still allow stuff that this change prohibits, though.
>
> We do still allow administrators to create 1024 bit DKIM keys because
> when we tried to change it, a large number of admins and the web-based DNS
> admin consoles they used couldn't handle the larger keys. That was years
> ago, though, so I don't know what the current status of those consoles is.
>
> We should have updated our services to handle keys and rotations better
> like O365 does, but that still hasn't happened yet.
>
> Brandon
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop


-- 
Christian de Larrinaga 
https://firsthand.net