I am currently trying to set up opendkim mainly as a verifier and have come across the following passage in the man page for its configuration file (man opendkim.conf):

BogusKey (string)
Instructs the filter to treat a passing signature associated with a bogus (forged) key in a special way. Possible values are neutral (return a "neutral" result), none (take no special action) and fail (return a "fail" result; this is the default).

I have thought a while about that passage, but I don't get it.

What exactly is a "bogus key" in that context? After all, a signature can only pass if it has been encrypted with the one private key which matches the signing domain's public key, which in turn is queried by the verifier upon verification. So how can a bogus key be associated with a passing signature?

Binarus

I think your analysis is correct, but here it is just the man page description being a bit misleading. The bogus status refers to the DNSSEC key, not the DKIM key; compare the clearer description for the other, related parameter UnprotectedKey in the man page:

Instructs the filter to treat a passing signature associated with a key found in an insecure (i.e. not protected by DNSSEC) DNS record in a special way.

That is, ‘bogus’ and ‘unprotected’ or ‘insecure’ refer to the DNSSEC status as documented here: http://opendkim.org/libopendkim/dkim_dnssec.html

glts
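To make the distinction concrete, here is an added configuration fragment (not part of the question or answer above) showing how a verifier-only opendkim.conf ties the DNSSEC status of the key record to the result it reports. The option names BogusKey, UnprotectedKey, Mode and TrustAnchorFile are real opendkim.conf options; the file path given for the trust anchor is an assumed placeholder, and the chosen values are one possible policy, not a recommendation from the original page.

```conf
# Verifier-only operation: sign nothing, verify inbound signatures.
Mode                    v

# DNSSEC validation of the DKIM key TXT records is what produces the
# "bogus" / "insecure" / "secure" statuses that BogusKey and UnprotectedKey
# act on. Without a trust anchor every lookup is at best "insecure".
# Path below is an assumption; point it at your resolver's root trust anchor.
TrustAnchorFile         /etc/unbound/root.key

# Signature verified cryptographically, but the key record came back with
# DNSSEC status "bogus" (validation failed): report "fail".
# (This is also the default; it is written out here for clarity.)
BogusKey                fail

# Signature verified, key record is "insecure" (zone not DNSSEC-signed):
# take no special action, i.e. keep the ordinary "pass" result.
# Set to "neutral" or "fail" to downgrade such signatures instead.
UnprotectedKey          none
```

With these settings a forged key record that DNSSEC rejects can never yield a "pass" even if the signature itself checks out against it, while keys from zones that simply are not signed are still accepted, which matches the DNSSEC-status reading of "bogus" given in the answer.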