Page MenuHomePhabricator
Create Task
Maniphest T210445

Stronger DKIM key for fundraising emails?
Closed, ResolvedPublic
Actions

Description

IBM is now allowing us to use stronger DKIM keys (2048 characters, SHA256). I believe the current key is only 1024 with SHA1. We had them spin one up for us, and they will let us know in 3-4 months when we can delete the old DNS record. Any reason why we should not add this new one?

spop2048._domainkey.wikimedia.org

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Z2VWoyhd44UxaCnnaohFF3rFTYgad2onWyv9k4Jot/wNLR6GRSOV2MeZ84ypFP0xtMrzxVCTYSARdgMggoNSBP1TT4orhaOmJc9vbPsKUzJmYV6LHIxWP4QYcQJ26MLgQz6Cmj0l/E5wrxiIJIbPSHejQtZasDSsg+tsHjPL8jvUll29KF5rBdMKAd0nZvq1K1dp+FeoBh3J6eNoJiV4OdSTmMf3hXIrk6AwVE57eYz155SKpaDRYSO0d1CJnl0qoh38yG3saV6Hl0y+5HprsQ1rSTK4PNbWe3v1wCz1Aa8m5s1cbo1iK06v2F49jOIn0/HKAUZMaP9LXeapab2yQIDAQAB

-----END PUBLIC KEY-----

Details

SubjectRepoBranchLines +/-
Add SHA256 selector record for fundraising mail contractor (IBM/Silverpop).operations/dnsmaster+2 -1
Customize query in gerrit

Related Objects

Event Timeline

CCogdill_WMF created this task.Nov 26 2018, 8:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 26 2018, 8:16 PM
DStrine changed the visibility from "Public (No Login Required)" to "acl*WMF-FR (Project)".Nov 26 2018, 8:17 PM
DStrine added a project: fundraising-tech-ops.Nov 26 2018, 8:37 PM
DStrine moved this task from Triage to FR-Ops on the Fundraising-Backlog board.
Jgreen added a project: Mail.Dec 10 2018, 5:23 PM
Jgreen subscribed.

I think this is fine/good. Adding the Mail tag so SRE folks will see this and comment.

Jgreen added a project: SRE.Dec 19 2018, 7:06 PM
Jgreen claimed this task.Jan 7 2019, 9:25 PM
CCogdill_WMF added a comment.Jan 7 2019, 9:58 PM

Adding @bsisolak from Trilogy.

CCogdill_WMF added a subscriber: bsisolak.Jan 7 2019, 9:59 PM
Jgreen changed the visibility from "acl*WMF-FR (Project)" to "Public (No Login Required)".Jan 7 2019, 10:13 PM
bsisolak added a comment.Jan 9 2019, 9:28 PM

The key is correct, and IBM will validate it before turing it live. I would recommend in four months, you remove the old key.

gerritbot subscribed.Jan 9 2019, 10:03 PM

Change 483294 had a related patch set uploaded (by Jgreen; owner: Jgreen):
[operations/dns@master] Add SHA256 selector record for fundraising mail contractor (IBM/Silverpop).

https://gerrit.wikimedia.org/r/483294

gerritbot added a project: Patch-For-Review.Jan 9 2019, 10:03 PM
Jgreen added a comment.Jan 9 2019, 10:11 PM
In T210445#4867613, @bsisolak wrote:

The key is correct, and IBM will validate it before turing it live. I would recommend in four months, you remove the old key.

Great, thanks for confirming. I submitted the DNS change for code review, and will let you know when it's been deployed.

gerritbot added a comment.Jan 14 2019, 1:47 PM

Change 483294 merged by Jgreen:
[operations/dns@master] Add SHA256 selector record for fundraising mail contractor (IBM/Silverpop).

https://gerrit.wikimedia.org/r/483294

Stashbot subscribed.Jan 14 2019, 1:49 PM

Mentioned in SAL (#wikimedia-operations) [2019-01-14T13:49:05Z] <Jeff_Green> authdns update for T210445

Jgreen added a comment.Jan 14 2019, 1:50 PM
In T210445#4867737, @Jgreen wrote:
In T210445#4867613, @bsisolak wrote:

The key is correct, and IBM will validate it before turing it live. I would recommend in four months, you remove the old key.

Great, thanks for confirming. I submitted the DNS change for code review, and will let you know when it's been deployed.

@bsisolak this has been merged and you can switch to the new key.

bsisolak added a comment.Jan 22 2019, 10:42 PM

IBM validated the DNS setting, and is using the new key:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=spop2048; d=wikimedia.org; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; i=donate@wikimedia.org; bh=fTEmUj6m8fR5rd8C8iZiEJxzqJo=; b=KD6APEIqjV81Adb0YdZb01sqTlRTJvoKCaRAzB4fM8o9oU4rtwbT6Ik9BZTsW/8H/jZS49weieQP

+UHR1Za8p3hLqoMRYheIHbGvFgsBqrmUDldjTVIQkrOlPOH5UyO4kx8k1M0TAmmryOIJOSPvkzNz
gTupAmY5pdzrIykecQkcm3pB7Kh+/E9fqGU+uch9AAVt7+eAYkn1O9SjJNq5gjcYl2v851Bpf5LD
YdYN+W66gPLyYq3ZV6iz4FCzGGp5SXI3gLQaW03SNSkCTWmvVK97BqeHqMCafy1kOTM2a4hahECu
lcA0j+dAqMfT7SfnGZCBYXZYIOrDcEfBxSFfCA==

Not sure the best way to do this, but someone should set a timer and remove the old DNS entry in three months time.

Jgreen added a comment.Jan 23 2019, 8:18 PM
In T210445#4900745, @bsisolak wrote:

Not sure the best way to do this, but someone should set a timer and remove the old DNS entry in three months time.

I'll put it on the calendar for April 22, and make sure it gets done!

Jgreen mentioned this in T214525: remove IBM/Silverpop 1024-bit domain key.Jan 23 2019, 9:18 PM
Jgreen closed this task as Resolved.Jan 23 2019, 9:37 PM

Opened T214525 to schedule removal of the deprecated 1024-bit key on 2019-04-22.

Dwisehaupt moved this task from Triage to Done on the fundraising-tech-ops board.Feb 13 2020, 9:31 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 13 2020, 10:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits