0

If I run sudo opendkim-testkey -d mydomain.com -s selector -vvv, I get

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'selector._domainkey.mydomain.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

and I can't figure out how to fix "key not secure".

If I do dig selector._domainkey.mydomain.com TXT +dnssec then the ad flag is missing from the answer.

The setting TrustAnchorFile /usr/share/dns/root.key is enabled in /etc/opendkim.conf.

Running ls -ls in the directory /etc/opendkim/keys/mydomain.com shows

4 -rw------- 1 opendkim opendkim 1708 Mar  7 15:32 selector.private
4 -rw------- 1 opendkim opendkim  507 Mar  7 15:32 selector.txt

Running ls -ls in the directory /etc/opendkim/keys shows

4 drwxr-xr-x 2 opendkim opendkim 4096 Mar  7 15:32 mydomain.com

Running ls -ls in the directory /etc/opendkim shows

4 drwxr-x--- 3 opendkim opendkim 4096 Mar  7 15:32 keys
4 -rw-r--r-- 1 opendkim opendkim  106 Mar  7 15:31 key.table
4 -rw-r--r-- 1 opendkim opendkim   44 Mar  7 15:31 signing.table
4 -rw-r--r-- 1 opendkim opendkim   31 Mar  7 15:32 trusted.hosts

Running Ubuntu 22.04.2 LTS.

Related questions that do not solve the problem (and on which I do not have sufficient board cred to comment):

glts
  • 897
  • 5
  • 17
Robert K S
  • 3
  • 2

1 Answers1

1

As explained in the other Q&A’s, this just means that that key is being retrieved without DNSSEC being used.

It doesn’t mean anything is broken or needs to be fixed.

If you like you can set up DNSSEC for your domain (or let your DNS provider do it for you), then you should see key secure.

glts
  • 897
  • 5
  • 17