
DNS records for WikiLearn
Closed, Declined (Public)

Description

WikiLearn is hosted on Amazon Web Services.

For domain identity verification, please add the specified CNAME records to the DNS settings of the domain (wikimedia.org).

Cname: v3o5dlecov5umdnmw3mx7kh4x52e2kfh._domainkey.wikimedia.org
Value: v3o5dlecov5umdnmw3mx7kh4x52e2kfh.dkim.amazonses.com

Cname: njct3g57cprj3e5mujqrocak325iktq6._domainkey.wikimedia.org
Value: njct3g57cprj3e5mujqrocak325iktq6.dkim.amazonses.com

Cname: 2vimiplshfdubhdm6r24cmycatpvv2qi._domainkey.wikimedia.org
Value: 2vimiplshfdubhdm6r24cmycatpvv2qi.dkim.amazonses.com

Event Timeline

Hi @Asaf:

The CNAME here specifies wikimedia.org but I think it should be learn.wiki here. So instead of:

Cname: v3o5dlecov5umdnmw3mx7kh4x52e2kfh._domainkey.wikimedia.org
Value: v3o5dlecov5umdnmw3mx7kh4x52e2kfh.dkim.amazonses.com

it should be:

Cname: v3o5dlecov5umdnmw3mx7kh4x52e2kfh._domainkey.learn.wiki
Value: v3o5dlecov5umdnmw3mx7kh4x52e2kfh.dkim.amazonses.com

This matches the existing records as well. Can you please check/confirm?

Change #1034565 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/dns@master] add additional Amazon domainkey value to learn.wiki domain

https://gerrit.wikimedia.org/r/1034565

Yes, agreed. Our vendor made a mistake, and I pasted it verbatim. 😅

Hi @Asaf

I have this change in code review now, adding 3 new values.

https://gerrit.wikimedia.org/r/c/operations/dns/+/1034565/4/templates/learn.wiki

I am slightly wondering if we are just adding 3 more or replacing 3 old ones. But that's not a big concern either way.

Optionally, if this looks right to you, feel free to hit +1 on Gerrit, but not needed for this to move forward soon.

Daniel

Dzahn changed the task status from Open to In Progress. May 22 2024, 3:36 PM
Dzahn triaged this task as High priority.

Our vendor tells me they did in fact mean wikimedia.org, in order to be able to use our team email (comdevteam@wikimedia.org) as the sender in WikiLearn emails. Is there a concern with registering the CNAMEs as originally requested?

If you want to send from the wikimedia.org domain, then yes, that's what you will need. There is no concern with the records themselves.

In that case, I apologize for the confusion I created. We do want to send from comdevteam@wikimedia.org, so please amend the patch to the original CNAMEs requested.

Change #1034565 abandoned by Dzahn:

[operations/dns@master] add additional Amazon domainkey values to learn.wiki domain

Reason:

saw additional comments now - in that case I'll have to refer to others

https://gerrit.wikimedia.org/r/1034565

Dzahn changed the task status from In Progress to Open. May 22 2024, 4:20 PM

Hi @jhathaway: I wanted to get your input about this. The request here is to add a DKIM record for wikimedia.org so that learn.wiki can allow sending email from comdevteam@wikimedia.org. The CNAMEs above look fine so there are no concerns with that.

The concern we have (as I am reflecting some internal concerns here as well) is that this will allow learn.wiki to sign emails on our behalf. These concerns are similar to the ones listed in T231387 and the only SES DKIM record we have in the wikimedia.org zone file:

; Mail records for pr.wikimedia.org
pr   1H IN MX 10 mx1001
pr   1H IN MX 10 mx2001
pr   1H IN TXT "amazonses:QeZasSSTVw5sDiCQmdzG4z4UuLgkRtceplXtv2SI2BY="
lecokkzzn6akfzusmban7ufr6xw2g5ye._domainkey.pr  1H IN CNAME lecokkzzn6akfzusmban7ufr6xw2g5ye.dkim.amazonses.com.
kilujm6hbzryz5wrq5l3dkb5la5rrxgc._domainkey.pr  1H IN CNAME kilujm6hbzryz5wrq5l3dkb5la5rrxgc.dkim.amazonses.com.
4njdxtpft2kiksyew6qbqcxnxip4cjer._domainkey.pr  1H IN CNAME 4njdxtpft2kiksyew6qbqcxnxip4cjer.dkim.amazonses.com.

Do we have a good, safe way of handling this request and does this concern make sense?

@Asaf: The above is some context on why this change requires more input but I wanted to ask you if this can be sent from learn.wiki, so comdevteam@learn.wiki instead, or is the requirement for this to be wikimedia.org?

@ssingh thanks for raising your concerns. I agree that our concerns are similar to those in T231387 and @mark's recommendations are largely applicable.

Possible options to limit the blast radius of a compromised server:

  1. Use an email address with the learn.wiki domain
  2. Use a subdomain of wikimedia.org, e.g. learn.wikimedia.org, with separate dkim keys
  3. Use our authenticated SMTP relays. These relays allow us to restrict you to sending only as comdevteam@wikimedia.org
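The check below is an added example, not Wikimedia tooling or anything from the ticket. It takes the `Cname:`/`Value:` pairs exactly as the vendor pasted them above, rewrites them as zone-file lines relative to whichever zone they belong in (the wikimedia.org vs. learn.wiki question), verifies that each CNAME really delegates to SES's key for the same selector, and reports which domain a holder of that key could DKIM-sign for, which is the blast-radius distinction behind options 1 and 2. The input text is constructed from the records in the task description; the "protected apex" list, the 32-character base32 selector pattern and the zone names are assumptions.

```python
"""Checks for the SES DKIM CNAME delegation discussed in the ticket.

Added example, not Wikimedia tooling. It parses the 'Cname:/Value:' pairs as
pasted above, rewrites them as lines for a given zone file, verifies that each
CNAME really points at SES's key for the same selector, and reports which
domain the delegated key would be able to sign for (the blast-radius question
behind options 1-3). Zone names and the "protected apex" list are assumptions.
"""
import re
from dataclasses import dataclass

SES_DKIM_SUFFIX = ".dkim.amazonses.com"
# The selectors in the ticket are 32 base32 characters; treated here as an
# assumption about SES Easy DKIM naming, not a documented guarantee.
SELECTOR_RE = re.compile(r"^[a-z2-7]{32}$")

# Constructed from the records quoted in the task description.
TICKET_REQUEST = """
Cname: v3o5dlecov5umdnmw3mx7kh4x52e2kfh._domainkey.wikimedia.org
Value: v3o5dlecov5umdnmw3mx7kh4x52e2kfh.dkim.amazonses.com

Cname: njct3g57cprj3e5mujqrocak325iktq6._domainkey.wikimedia.org
Value: njct3g57cprj3e5mujqrocak325iktq6.dkim.amazonses.com

Cname: 2vimiplshfdubhdm6r24cmycatpvv2qi._domainkey.wikimedia.org
Value: 2vimiplshfdubhdm6r24cmycatpvv2qi.dkim.amazonses.com
"""


@dataclass(frozen=True)
class DkimCname:
    name: str    # FQDN of the record: <selector>._domainkey.<domain>
    target: str  # CNAME target: <selector>.dkim.amazonses.com


def parse_request(text):
    """Parse 'Cname: ...' / 'Value: ...' pairs; lowercase, trailing dot stripped."""
    names = re.findall(r"^\s*Cname:\s*(\S+)", text, re.M | re.I)
    values = re.findall(r"^\s*Value:\s*(\S+)", text, re.M | re.I)
    if len(names) != len(values):
        raise ValueError("unpaired Cname/Value lines")
    return [DkimCname(n.rstrip(".").lower(), v.rstrip(".").lower())
            for n, v in zip(names, values)]


def selector_and_domain(rec):
    """Split <selector>._domainkey.<domain> into (selector, domain); (None, None) if malformed."""
    labels = rec.name.split(".")
    if "_domainkey" not in labels:
        return None, None
    i = labels.index("_domainkey")
    return ".".join(labels[:i]), ".".join(labels[i + 1:])


def check_record(rec):
    """Return the problems found; an empty list means a well-formed SES DKIM delegation."""
    selector, _ = selector_and_domain(rec)
    if selector is None:
        return ["record name has no _domainkey label"]
    problems = []
    if not SELECTOR_RE.match(selector):
        problems.append(f"unexpected selector {selector!r}")
    if not rec.target.endswith(SES_DKIM_SUFFIX):
        problems.append(f"target {rec.target!r} is not under dkim.amazonses.com")
    elif rec.target[:-len(SES_DKIM_SUFFIX)] != selector:
        problems.append("selector label does not match the CNAME target label")
    return problems


def zone_line(rec, zone, ttl="1H"):
    """Render the record relative to `zone`'s origin, like the pr.wikimedia.org lines above."""
    if not rec.name.endswith("." + zone):
        raise ValueError(f"{rec.name} does not belong in zone {zone}")
    rel = rec.name[:-len(zone) - 1]
    return f"{rel}  {ttl} IN CNAME {rec.target}."


def signing_scope(rec, protected_apexes):
    """Describe which addresses a party holding the SES private key could DKIM-sign as."""
    _, domain = selector_and_domain(rec)
    if domain is None:
        return "INVALID: no _domainkey label"
    for apex in protected_apexes:
        if domain == apex:
            return f"APEX {apex}: key holder can sign mail as any @{apex} address"
        if domain.endswith("." + apex):
            return f"SUBDOMAIN {domain}: signing confined to @{domain}"
    return f"EXTERNAL {domain}: signing confined to @{domain}"


def report(text, zone, protected_apexes):
    """One dict per record: zone-file line (None if not in `zone`), problems, signing scope."""
    out = []
    for rec in parse_request(text):
        line = zone_line(rec, zone) if rec.name.endswith("." + zone) else None
        out.append({"record": rec, "zone_line": line,
                    "problems": check_record(rec),
                    "scope": signing_scope(rec, protected_apexes)})
    return out


if __name__ == "__main__":
    for row in report(TICKET_REQUEST, "wikimedia.org", ["wikimedia.org", "learn.wiki"]):
        print(row["zone_line"], "|", row["problems"] or "ok", "|", row["scope"])
```

Run against the ticket's records it emits the three `_domainkey` lines for the wikimedia.org zone and labels each "APEX wikimedia.org", which is exactly the property the thread objects to; the same records under learn.wiki, or under a subdomain such as pr.wikimedia.org, come back as confined to that domain. The selector-versus-target comparison catches the copy-paste class of mistake (a CNAME pointing at SES's key for a different selector, or at a non-SES host), which is the kind of error a reviewer of the Gerrit change would want flagged mechanically.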

Thank you. We will look into setting up email on learn.wiki with our vendor, and update the ticket when we learn if that's feasible.

Hi @Asaf: Is there an update to this? We are cleaning up and triaging the tasks, and so the context is whether there is anything required from our end, or if there is an update from yours.


Thanks for the ping. We are indeed resolving it by using an address in learn.wiki. This ticket can be closed.