File: nsupdate_output.patch

opendkim 2.11.0~beta2-9.2
opendkim-genzone: fix nsupdate output

This patch addresses several issues with the nsupdate output:

o Add the correct fields (v=DKIM1, etc) before the key
o Properly break fields into 255 byte chunks
o Add the possibility to restrict the key to email signing

Based on an original patch by Marco Favero as posted at:
https://sourceforge.net/p/opendkim/feature-requests/200/

Bug: https://sourceforge.net/p/opendkim/feature-requests/200/

--- a/opendkim/opendkim-genzone.8.in
+++ b/opendkim/opendkim-genzone.8.in
@@ -7,6 +7,7 @@
 [\-C address]
 [\-d domain]
 [\-D]
+[\-M]
 [\-E secs]
 [\-F]
 [\-N ns[,...]]
@@ -64,6 +65,10 @@
 .I \-D
 Adds a "._domainkey" suffix to selector names in the zone file.
 .TP
+.I \-M
+Restricts the keys for use in e-mail signing only.  The default is to allow
+the keys to be used for any service.
+.TP
 .I \-E secs
 When generating an SOA record (see
 .I \-S
--- a/opendkim/opendkim-genzone.c
+++ b/opendkim/opendkim-genzone.c
@@ -52,7 +52,7 @@
 
 /* definitions */
 #define	BUFRSZ		1024
-#define	CMDLINEOPTS	"C:d:DE:Fo:N:r:R:sSt:T:uvx:"
+#define	CMDLINEOPTS	"C:d:DME:Fo:N:r:R:sSt:T:uvx:"
 #define	DEFCONFFILE	CONFIG_BASE "/opendkim.conf"
 #define	DEFEXPIRE	604800
 #define	DEFREFRESH	10800
@@ -195,6 +195,7 @@
 	                "\t-D          \tinclude '._domainkey' suffix\n"
 	                "\t-E secs     \tuse specified expiration time in SOA\n"
 	                "\t-F          \tinclude '._domainkey' suffix and domainname\n"
+			"\t-M          \trestricts the keys for use in e-mail signing only\n"
 	                "\t-o file     \toutput file\n"
 	                "\t-N ns[,...] \tlist NS records\n"
 	                "\t-r secs     \tuse specified refresh time in SOA\n"
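Review bot: The added `-M` usage line is indented with three tabs where the neighbouring entries use a tab followed by spaces, and its wording ("restricts the keys ...") breaks the imperative form the other entries use ("include", "use"). I would write it as `"\t-M          \trestrict keys to e-mail signing only (s=email)\n"`, with the same leading whitespace as the lines around it. The option also sits after `-F` here but after `-D` in `CMDLINEOPTS` and in the man page; keeping one order across the three lists makes them easier to compare. The usage function starts and ends outside this hunk.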
@@ -230,6 +231,7 @@
 	_Bool fqdnsuffix = FALSE;
 	_Bool subdomains = FALSE;
 	_Bool writesoa = FALSE;
+	_Bool mailrestrict = FALSE;
 	int c;
 	int status;
 	int verbose = 0;
@@ -309,6 +311,10 @@
 			fqdnsuffix = TRUE;
 			break;
 
+		  case 'M':
+			mailrestrict = TRUE;
+			break;
+
 		  case 'N':
 			nameservers = strdup(optarg);
 			break;
@@ -873,42 +879,42 @@
 			fprintf(out, "zone %s\n", domain);
 
 			snprintf(tmpbuf, sizeof tmpbuf,
-			         "update add %s%s%s%s%s %d TXT \"",
+			         "update add %s%s%s%s%s %d TXT \"v=DKIM1\\;k=rsa\\;%sp=",
 			         selector, suffix ? DKIMZONE : "",
 			         fqdnsuffix ? "." : "",
 			         fqdnsuffix ? domain : "",
 			         fqdnsuffix ? "." : "",
-			         ttl == -1 ? defttl : ttl);
+			         ttl == -1 ? defttl : ttl,
+				 mailrestrict ? "s=email\\;" : "");
 		}
 		else
 		{
 			if (ttl == -1)
 			{
 				snprintf(tmpbuf, sizeof tmpbuf,
-				         "%s%s%s%s%s\tIN\tTXT\t( \"v=DKIM1; k=rsa; p=",
+				         "%s%s%s%s%s\tIN\tTXT\t( \"v=DKIM1\\;k=rsa\\;%sp=",
 				         selector, suffix ? DKIMZONE : "",
 				         fqdnsuffix ? "." : "",
 				         fqdnsuffix ? domain : "",
-				         fqdnsuffix ? "." : "");
+				         fqdnsuffix ? "." : "",
+					 mailrestrict ? "s=email\\;" : "");
 			}
 			else
 			{
 				snprintf(tmpbuf, sizeof tmpbuf,
-				         "%s%s%s%s%s\t%d\tIN\tTXT\t( \"v=DKIM1; k=rsa; p=",
+				         "%s%s%s%s%s\t%d\tIN\tTXT\t( \"v=DKIM1\\;k=rsa\\;%sp=",
 				         selector, suffix ? DKIMZONE : "",
 				         fqdnsuffix ? "." : "",
 				         fqdnsuffix ? domain : "",
 				         fqdnsuffix ? "." : "",
-				         ttl);
+				         ttl,
+				         mailrestrict ? "s=email\\;" : "");
 			}
 		}
 
 		fprintf(out, "%s", tmpbuf);
 
-		if (nsupdate)
-			olen = 0;
-		else
-			olen = strflen(tmpbuf);
+		olen = strflen(strstr(tmpbuf, "v=DKIM1"));
 
 		seenlf = FALSE;