OpenDKIM : "key not secure"

Hi,

I’m currently fiddling with OpenDKIM under Rocky Linux 8. Currently I have OpenDKIM running on a CentOS 7 production server, and things are OK. My setup is documented here in my old archived blog:

I could manage to make this configuration work under Rocky Linux 8. But when I want to test my keys, I get the following result:

# opendkim-testkey -d slackbox.fr -s 01 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '01._domainkey.slackbox.fr'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Everything on my Rocky Linux 8 setup is exactly like it was under CentOS 7. Except that now I get a "key not secure" response.

A brief Google search shows me that apparently this is due to the fact that I don’t use DNSSEC on my BIND DNS server.

I tried the setup anyway with my mail server, but unfortunately the online test shows me that DKIM is not working.

Does anybody here have experience with OpenDKIM? Can you confirm that I now need DNSSEC to make it work? I bluntly admit I know nothing about DNSSEC, except that I’m vaguely intimidated by it.

Any suggestions?

It’s nothing to do with DNSSEC, I don’t have DNSSEC enabled, and I don’t have this problem.

Most likely it is the permissions on the key. Assuming your key is under /etc/opendkim/keys, you need to set its permissions to 600:

chmod 600 /etc/opendkim/keys/mydomain.private

or whatever the name of the file is.

I checked, and permissions on the key are already 0600. So the problem must be somewhere else. I’m clueless.

I checked some more, and I’m even more puzzled.

There was a problem with Postfix being unable to connect to OpenDKIM under the hood, but I could solve that with the right option in opendkim.conf.

Now DKIM seems to work and (most importantly) when I send a mail to check-auth@verifier.port25.com, the test succeeds and I get a nice DKIM = pass in response.

But I still get this "key not secure" warning in answer to opendkim-testkey.

I’m puzzled.

Do you have a line like this in your opendkim.conf?

TrustAnchorFile       /usr/share/dns/root.key

Mine is on a Debian system, so the path to this file might be different, as well as the name of the file. This file on my system has permissions 644.

To be honest I never used the test binary on my system, I just sent emails to see if they were signed and if gmail accepted them and verified it.

No, this line is not present. I came across this suggestion in another discussion though.

Actually that line doesn’t matter as far as I see. I commented it out, restarted the opendkim service, ran the test, and I don’t get that error. No idea why, but I definitely don’t use DNSSEC.

Which version of OpenDKIM do you run, and on what distribution?

OpenDKIM 2.11.0 on Debian 11 Bullseye.
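The two things this thread ends up checking by hand, the 0600 mode on the private key and the verdict printed by opendkim-testkey (where "key OK" appears right after "key not secure" and mail still gets DKIM=pass), can be scripted as a small pre-flight check. The script below is an added example, not code from the thread or from the OpenDKIM project; the selector "01" and domain slackbox.fr are taken from the thread, while the TXT record text and the testkey output it parses are constructed samples, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenDKIM selector (not from the thread).

# 1. The private key should be readable only by its owner (mode 0600),
#    which is the first thing suggested in the thread. Assumes GNU stat.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# 2. A DKIM TXT record must carry v=DKIM1 and a non-empty p= (public key) tag.
#    Argument: the record text as one string, e.g. "v=DKIM1; k=rsa; p=MIIB..."
dkim_record_ok() {
    case "$1" in
        *v=DKIM1*) ;;
        *) return 1 ;;
    esac
    pub=$(printf '%s' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p')
    [ -n "$pub" ]
}

# 3. Read an opendkim-testkey transcript. "key OK" is the verdict that the
#    record was fetched and parsed; returns 0 only when that line is present.
testkey_verdict() {
    printf '%s\n' "$1" | grep -q 'key OK'
}

# "key not secure" is a separate, informational line: the DNS answer was not
# DNSSEC-validated. Report it without treating it as a failure.
testkey_dnssec_note() {
    if printf '%s\n' "$1" | grep -q 'key not secure'; then
        echo "insecure (not DNSSEC-validated)"
    else
        echo "no DNSSEC note"
    fi
}

# Constructed sample transcript, shaped like the one posted in the thread.
SAMPLE_TESTKEY="opendkim-testkey: checking key '01._domainkey.slackbox.fr'
opendkim-testkey: key not secure
opendkim-testkey: key OK"

if testkey_verdict "$SAMPLE_TESTKEY"; then
    echo "01._domainkey.slackbox.fr: key OK ($(testkey_dnssec_note "$SAMPLE_TESTKEY"))"
else
    echo "01._domainkey.slackbox.fr: key FAILED"
fi
```

For a live check, feed `testkey_verdict` the real output of `opendkim-testkey -d slackbox.fr -s 01 -vvv 2>&1` and `dkim_record_ok` the TXT string returned by your resolver.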