
Stronger DKIM key for fundraising emails?
Closed, Resolved · Public

Description

IBM is now allowing us to use stronger DKIM keys (2048 characters, SHA256). I believe the current key is only 1024 with SHA1. We had them spin one up for us, and they will let us know in 3-4 months when we can delete the old DNS record. Any reason why we should not add this new one?

spop2048._domainkey.wikimedia.org

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Z2VWoyhd44UxaCnnaohFF3rFTYgad2onWyv9k4Jot/wNLR6GRSOV2MeZ84ypFP0xtMrzxVCTYSARdgMggoNSBP1TT4orhaOmJc9vbPsKUzJmYV6LHIxWP4QYcQJ26MLgQz6Cmj0l/E5wrxiIJIbPSHejQtZasDSsg+tsHjPL8jvUll29KF5rBdMKAd0nZvq1K1dp+FeoBh3J6eNoJiV4OdSTmMf3hXIrk6AwVE57eYz155SKpaDRYSO0d1CJnl0qoh38yG3saV6Hl0y+5HprsQ1rSTK4PNbWe3v1wCz1Aa8m5s1cbo1iK06v2F49jOIn0/HKAUZMaP9LXeapab2yQIDAQAB
-----END PUBLIC KEY-----

Event Timeline

Restricted Application added a subscriber: Aklapper. Nov 26 2018, 8:16 PM
DStrine changed the visibility from "Public (No Login Required)" to "acl*WMF-FR (Project)". Nov 26 2018, 8:17 PM
DStrine moved this task from Triage to FR-Ops on the Fundraising-Backlog board.
Jgreen added a subscriber: Jgreen.

I think this is fine/good. Adding the Mail tag so SRE folks will see this and comment.

Jgreen claimed this task. Jan 7 2019, 9:25 PM

Adding @bsisolak from Trilogy.

Jgreen changed the visibility from "acl*WMF-FR (Project)" to "Public (No Login Required)". Jan 7 2019, 10:13 PM

The key is correct, and IBM will validate it before turning it live. I would recommend that in four months you remove the old key.

Change 483294 had a related patch set uploaded (by Jgreen; owner: Jgreen):
[operations/dns@master] Add SHA256 selector record for fundraising mail contractor (IBM/Silverpop).

https://gerrit.wikimedia.org/r/483294

Great, thanks for confirming. I submitted the DNS change for code review, and will let you know when it's been deployed.

Change 483294 merged by Jgreen:
[operations/dns@master] Add SHA256 selector record for fundraising mail contractor (IBM/Silverpop).

https://gerrit.wikimedia.org/r/483294

Mentioned in SAL (#wikimedia-operations) [2019-01-14T13:49:05Z] <Jeff_Green> authdns update for T210445

@bsisolak this has been merged and you can switch to the new key.

IBM validated the DNS setting, and is using the new key:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=spop2048; d=wikimedia.org;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe;
 i=donate@wikimedia.org; bh=fTEmUj6m8fR5rd8C8iZiEJxzqJo=;
 b=KD6APEIqjV81Adb0YdZb01sqTlRTJvoKCaRAzB4fM8o9oU4rtwbT6Ik9BZTsW/8H/jZS49weieQP
 +UHR1Za8p3hLqoMRYheIHbGvFgsBqrmUDldjTVIQkrOlPOH5UyO4kx8k1M0TAmmryOIJOSPvkzNz
 gTupAmY5pdzrIykecQkcm3pB7Kh+/E9fqGU+uch9AAVt7+eAYkn1O9SjJNq5gjcYl2v851Bpf5LD
 YdYN+W66gPLyYq3ZV6iz4FCzGGp5SXI3gLQaW03SNSkCTWmvVK97BqeHqMCafy1kOTM2a4hahECu
 lcA0j+dAqMfT7SfnGZCBYXZYIOrDcEfBxSFfCA==

Not sure the best way to do this, but someone should set a timer and remove the old DNS entry in three months time.

I'll put it on the calendar for April 22, and make sure it gets done!

Jgreen closed this task as Resolved. Jan 23 2019, 9:37 PM

Opened T214525 to schedule removal of the deprecated 1024-bit key on 2019-04-22.
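The description posts the new public key and a later comment posts a DKIM-Signature made with it, which is enough to verify the rotation independently of what the vendor reports. The Python below is an added example, not part of this task or of any WMF or IBM tooling: it builds the TXT record value the selector has to publish from the PEM, parses the SubjectPublicKeyInfo by hand to confirm the modulus really is 2048 bits, and cross-checks the posted signature header (selector, signature length, hash algorithm). The two inputs are copied from this page; the audit thresholds (at least 2048 bits, rsa-sha256 rather than the rsa-sha1 the header actually carries, which RFC 8301 deprecates) are my choices, as is every function name.

```python
import base64
import re

# Constructed inputs, copied from the task above: the PEM public key posted for
# spop2048._domainkey.wikimedia.org and the DKIM-Signature header that IBM's
# mail later carried (its folded b= value re-joined onto one line).
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Z2VWoyhd44UxaCnnaohFF3rFTYgad2onWyv9k4Jot/wNLR6GRSOV2MeZ84ypFP0xtMrzxVCTYSARdgMggoNSBP1TT4orhaOmJc9vbPsKUzJmYV6LHIxWP4QYcQJ26MLgQz6Cmj0l/E5wrxiIJIbPSHejQtZasDSsg+tsHjPL8jvUll29KF5rBdMKAd0nZvq1K1dp+FeoBh3J6eNoJiV4OdSTmMf3hXIrk6AwVE57eYz155SKpaDRYSO0d1CJnl0qoh38yG3saV6Hl0y+5HprsQ1rSTK4PNbWe3v1wCz1Aa8m5s1cbo1iK06v2F49jOIn0/HKAUZMaP9LXeapab2yQIDAQAB
-----END PUBLIC KEY-----"""

DKIM_SIGNATURE = (
    "v=1; a=rsa-sha1; c=relaxed/relaxed; s=spop2048; d=wikimedia.org; "
    "h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; "
    "i=donate@wikimedia.org; bh=fTEmUj6m8fR5rd8C8iZiEJxzqJo=; "
    "b=KD6APEIqjV81Adb0YdZb01sqTlRTJvoKCaRAzB4fM8o9oU4rtwbT6Ik9BZTsW/8H/jZS49weieQP"
    "+UHR1Za8p3hLqoMRYheIHbGvFgsBqrmUDldjTVIQkrOlPOH5UyO4kx8k1M0TAmmryOIJOSPvkzNz"
    "gTupAmY5pdzrIykecQkcm3pB7Kh+/E9fqGU+uch9AAVt7+eAYkn1O9SjJNq5gjcYl2v851Bpf5LD"
    "YdYN+W66gPLyYq3ZV6iz4FCzGGp5SXI3gLQaW03SNSkCTWmvVK97BqeHqMCafy1kOTM2a4hahECu"
    "lcA0j+dAqMfT7SfnGZCBYXZYIOrDcEfBxSFfCA=="
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_body(pem):
    """Return the base64 payload of a PEM block with armour lines and whitespace removed."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def dkim_txt_record(pem):
    """Build the TXT value a DKIM selector publishes (RFC 6376 section 3.6.1).
    The p= tag is the same base64 SubjectPublicKeyInfo that sits inside the PEM."""
    return "v=DKIM1; k=rsa; p=" + pem_body(pem)


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_params(spki_der):
    """Parse an RSA SubjectPublicKeyInfo and return (modulus bit length, public exponent).
    Layout: SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { INTEGER n, INTEGER e } } }"""
    tag, spki, end = _der_tlv(spki_der, 0)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("expected a single outer SEQUENCE")
    tag, alg, pos = _der_tlv(spki, 0)
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    tag, rsakey, _ = _der_tlv(bitstr, 1)
    n_tag, n, pos = _der_tlv(rsakey, 0)
    e_tag, e, _ = _der_tlv(rsakey, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("expected RSAPublicKey SEQUENCE of two INTEGERs")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for field in header_value.split(";"):
        name, sep, value = field.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def audit_dkim(pem, header_value, min_bits=2048):
    """Cross-check the published key against a signature made with it; list weaknesses."""
    bits, exponent = rsa_public_key_params(base64.b64decode(pem_body(pem)))
    tags = parse_dkim_tags(header_value)
    bh_bytes = len(base64.b64decode(tags["bh"]))   # digest size reveals the hash used
    sig_bytes = len(base64.b64decode(tags["b"]))   # RSA signature is as long as the modulus
    findings = []
    if bits < min_bits:
        findings.append(f"key is {bits} bits, below {min_bits}")
    if tags.get("a") != "rsa-sha256":
        findings.append(f"signature algorithm is {tags.get('a')}, not rsa-sha256")
    if bh_bytes == 20:
        findings.append("bh= is a 20-byte digest, i.e. SHA-1 (SHA-256 would be 32 bytes)")
    if sig_bytes * 8 != bits:
        findings.append(f"b= is {sig_bytes * 8} bits but the published key is {bits} bits")
    return {"selector": tags.get("s"), "domain": tags.get("d"), "modulus_bits": bits,
            "exponent": exponent, "algorithm": tags.get("a"), "bh_bytes": bh_bytes,
            "signature_bytes": sig_bytes, "findings": findings}


if __name__ == "__main__":
    print(dkim_txt_record(PUBLIC_KEY_PEM))
    for key, value in audit_dkim(PUBLIC_KEY_PEM, DKIM_SIGNATURE).items():
        print(f"{key}: {value}")
```

Run against the two artifacts on this page, the audit confirms a 2048-bit modulus with e=65537 and a 256-byte signature that matches it, so the new key is in use; it also reports that the header still says a=rsa-sha1 with a 20-byte body hash, so the key size went up but the digest did not. Two practical notes when publishing the record: the p= value is longer than 255 octets, so in a zone file it has to be split into several quoted strings that resolvers concatenate, and `dig +short TXT spop2048._domainkey.wikimedia.org` is the quickest way to confirm what the world actually sees after the authdns update. The old selector is not named on this page, so its 1024-bit size cannot be checked here; removing it is the second half of the rotation.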