Facebook
TwitterDear all,
given that Plesk support DKIM key signing, I was wondering how I can actually generate new keys for a domain which already uses keys. In contrast to DNSSEC, where the procedure for rolling over keys is implemented and documented (Using DNSSEC (Linux)), I did not find anything with regard to how this works for DKIM.
Re-creating keys for DKIM could be necessary for instance when keys are compromised or when you want to change the key length. Thus, my questions related to the DKIM Keys are:
- How can I set specific parameters such as the key length and algorithm to be used when (automatically) generating the key?
- For regular roll-overs it is advised to keep the old key for a while until the new key is properly propagated and all mails using the old key are delivered. Thus, the new key should use a different selector and the old key & selector should only be deleted some days later. I assume this is not yet implemented? When disabling and enabling DKIM a new key is created but using the same selector.
One more question: DKIM, SPF, and DMARC Protection explains that the _ domainkey.<example.com> contains the DKIM Policy. Isn't this an outdated DNS record which was only used for the old version of (Yahoo) Domain Keys?
given that Plesk support DKIM key signing, I was wondering how I can actually generate new keys for a domain which already uses keys. In contrast to DNSSEC, where the procedure for rolling over keys is implemented and documented (Using DNSSEC (Linux)), I did not find anything with regard to how this works for DKIM.
Re-creating keys for DKIM could be necessary for instance when keys are compromised or when you want to change the key length. Thus, my questions related to the DKIM Keys are:
- How can I set specific parameters such as the key length and algorithm to be used when (automatically) generating the key?
- For regular roll-overs it is advised to keep the old key for a while until the new key is properly propagated and all mails using the old key are delivered. Thus, the new key should use a different selector and the old key & selector should only be deleted some days later. I assume this is not yet implemented? When disabling and enabling DKIM a new key is created but using the same selector.
One more question: DKIM, SPF, and DMARC Protection explains that the _ domainkey.<example.com> contains the DKIM Policy. Isn't this an outdated DNS record which was only used for the old version of (Yahoo) Domain Keys?
