DKIM key rotation

[link2xt]

We cannot expect admins to rotate the key or change DNS records after setting up a server because, but there should be some way to do it. E.g. a command cmdeploy dns can always suggest to add next key and then if corresponding DKIM public key is already deployed make the server switch to it. Then just running cmdeploy dns from time to time and deploying DKIM records it suggests will rotate the keys at least eventually.

For reference: https://www.m3aawg.org/DKIMKeyRotation

[link2xt]

Let's close this for now as not planned.
We also have SSH server keys and TLS keys which are generated on the server.
SSH keys are difficult to rotate unless you create a CA or use DANE.
For TLS I am not sure if acmetool rotates it, opened an issue with a question: hlandau/acmetool#350

[link2xt]

Reopening the issue. It seems to be feasible to rotate DKIM keys automatically by asking the admin to delegate _domainkey subdomain to config.domain_name and running nsd locally just for this purpose. The only manual action needed is setting up NS record once then.

This will actually simplify the setup for admins because copying DKIM key is usually difficult, especially if DNS provider has bad web UI for this.

Debian has a dkim-rotate package described here:
https://diziet.dreamwidth.org/16025.html

[link2xt]

Testing NSD on c1.testrun.org.

/etc/nsd/nsd.conf:

server:
        # log only to syslog.
        log-only-syslog: yes

zone:
        name: "_domainkey.c1.testrun.org"
        zonefile: "/etc/nsd/chatmail.zone"

/etc/nsd/chatmail.zone:

$ORIGIN _domainkey.c1.testrun.org.
$TTL 86400

@  IN  SOA     c1.testrun.org. root.testrun.org (
        2024101901  ;Serial
        2H          ;Refresh
        3600        ;Retry
        1209600     ;Expire
        3600        ;Negative response caching TTL
)

; Nameservers
@  IN NS c1.testrun.org.

$INCLUDE /etc/dkimkeys/dkim.txt c1.testrun.org.

(have to explicitly specify that included file is for c1.testrun.org. as inside the OpenDKIM-generated file this is the expected origin while we only want to serve _domainkey.c1.testrun.org.)

/etc/dkimkeys/dkim.txt:

dkim._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAme8aWfYPitZja6m/ANq78pB1xUpx8MNbXa66RHMsU8n0CffAZ//oBSAwm6CgJFkkq0XuJgDVnsBSl2Mp1mqFbBidKhXv8b2j4SfxpG29aExUKuHffGcLocMOIMN4+mZXy2VTLW38yqBlLXYt4/QJB/zvyfWErhlC1lA4ZYfK3UMLwItdyRzoQYQvouLbIvidqELQxK/2L4eZsl"
	  "p79J9kcAq3UIzDiB5ToQeeTuykIBjdUwNNRDmIMAl/TYeo5HM+gwTNPiLoVPW6l1VfvZsxI15XwPY+6ifBkCM9JS+gEQMVoxAdR+UNouz632dSsm7fUZgQr3jx066E8/FrHIwPqwIDAQAB" )  ; ----- DKIM key dkim for c1.testrun.org

(autogenerated, had to change permissions of /etc/dkimkeys to 755 and /etc/dkimkeys/dkim.txt to 644 so NSD can access it).

With this configuration dig TXT dkim._domainkey.c1.testrun.org @c1.testrun.org works.

I also had to stop unbound because both nsd and unbound want to run on port 53. We will have to move unbound to another port like 5353 and point /etc/resolv.conf there).