* Viktor Dukhovni via Postfix-users <postfix-users@postfix.org>:
> On Wed, Mar 08, 2023 at 07:42:56AM +0100, Patrick Ben Koetter via
> Postfix-users wrote:
>
> > - The key material is 4096 Bit and it was brought to my attention there's a
> > bug / missing functionality (?) in opendmarc which results in the program
> > being unable to handle keys at sizes larger than 2024 Bit.
>
> I assume that's 2048-bit, not 2024. Further:

ACK. Add coffee and it becomes 2048-bit.

> - NEVER use 4096-bit RSA. If your security requirements merit a
> 4096-bit RSA key, don't use RSA. All the long-term keys securing
> the operating system updates you rely on, the DNSSEC key of the root
> zone, ... are all 2048-bits. The threat models for 4096-bit RSA
> look rather questionable to me. All I see when I see 4096-bit RSA
> is a fashion statement.
>
> - You could even consider a 1024-bit RSA key for less bloat, and
> just roll a new key and selector every ~90-180 days. DKIM
> verifiers use unauthenticated DNS to retrieve the key. It makes
> little sense to be worried about ~0.5 million core-year attacks on
> 1024-bit RSA just to forge some DKIM messages.

ACK.

On a side note: that's why the new technical guideline for email authentication from Germany's Federal Office for Information Security (BSI) will make it mandatory for any platform that wants to qualify for their upcoming TR-03182 standard to run the whole platform on (local) DNSSEC-enabled resolvers. *If* a zone publishes its DNS using DNSSEC, the qualifying platform must use the chance to use authenticated DNS when it retrieves key material or sender-domain email policies (SPF, DMARC).

p@rick

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Munich District Court: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
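The thread turns on two operational facts: a DKIM verifier reads the RSA public key out of a `p=` tag in an unauthenticated DNS TXT record, and some verifiers (opendmarc, per the original report) choke on moduli above 2048 bits. The following is an added example, not code from the thread, from Postfix, or from opendmarc: it parses a DKIM TXT record, decodes the SubjectPublicKeyInfo in `p=` by hand (no third-party library), reports the modulus bit length, and applies the size policy Viktor describes (2048 is the normal choice, above 2048 is a compatibility risk, 1024 is tolerable only with short selector rotation). Because no real key is embedded, the sample records are constructed from synthetic moduli of exact bit length; the function names `assess_dkim_record`, `make_sample_record` and `selector_for_rotation` are this example's own. The selector helper shows one way to derive a selector name from the 90-180 day rotation window the thread mentions; it is an assumption about naming, not a standard.

```python
import base64
import datetime
import re

# --- minimal DER helpers (encoder is only needed to build constructed samples) ---
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:            # keep the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- constructed sample: SPKI around a synthetic modulus of exact bit length ---
def make_sample_record(bits: int) -> str:
    modulus = (1 << (bits - 1)) | 0x2A5F1       # constructed, NOT a real key
    rsa_pub = der_tlv(0x30, der_int(modulus) + der_int(65537))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


# --- the verifier-side view: parse the TXT record and measure the key ---
def parse_dkim_tags(txt: str) -> dict:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)            # base64 '=' padding stays in v
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def rsa_modulus_bits(p_tag: str) -> int:
    spki = base64.b64decode(p_tag)
    _, outer, _ = read_tlv(spki, 0)              # SubjectPublicKeyInfo
    _, _, pos = read_tlv(outer, 0)               # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = read_tlv(outer, pos)        # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_pub, _ = read_tlv(bitstr[1:], 0)      # skip unused-bits octet
    tag, n_bytes, _ = read_tlv(rsa_pub, 0)       # INTEGER modulus n
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()


def assess_dkim_record(txt: str, verifier_max_bits: int = 2048) -> dict:
    tags = parse_dkim_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        return {"bits": None, "verdict": "not an RSA key"}
    bits = rsa_modulus_bits(tags["p"])
    if bits > verifier_max_bits:
        verdict = "too large for some verifiers"   # the opendmarc report in the thread
    elif bits >= 2048:
        verdict = "ok"
    elif bits >= 1024:
        verdict = "ok only with selector rotation every ~90-180 days"
    else:
        verdict = "too weak"
    return {"bits": bits, "verdict": verdict}


def selector_for_rotation(day: datetime.date, period_days: int = 90) -> str:
    """Assumed naming scheme: one selector per rotation window since the epoch."""
    window = day.toordinal() // period_days
    return f"s{period_days}-{window}"


if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        print(size, assess_dkim_record(make_sample_record(size)))
    print(selector_for_rotation(datetime.date(2023, 3, 8)))
```

Run as-is it prints the verdict for each constructed key size. Pointing `assess_dkim_record` at a live record (fetch `selector._domainkey.example` with your resolver and join the TXT strings) is the same call; what it cannot tell you is whether that answer was DNSSEC-validated, which is exactly the gap the BSI requirement for validating resolvers is meant to close.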