dkim-rotate(5) | dkim-rotate(5) |
/etc/dkim-rotate/instance.zone - dkim-rotate configuration file
The config file for each instance is /etc/dkim-rotate/instance.zone for any instance. (When scanning for instances, only ones matching [a-z][-_0-9a-z]* are considered.)
Conventionally, the usual default instance is /etc/dkim-rotate/dkim.conf.
Each configuration file is, broadly speaking, in DNS zonefile syntax.
The config file should contain a SOA, suitable NS records, and any other records thought desirable.
The string ;!SERIAL must appear, immediately after some digits. It should appear once, in the SOA. dkim-rotate will replace the digits with a suitable serial number. The config file value is also used as the starting point for a new instance.
dkim-rotate will make a DNS zone out of this file, adding an DKIM TXT RR for each selector. (Directly in the zone, i.e., the generated zonefile will contain for example a TXT ...).
The zonefile’s prevailing TTL applies to the generated RRS, and can therefore be adjusted using the nameserver’s $TTL feature.
The config file should not normally contain MX records, because the dkim-rotate-managed zonefile should usually be a different zone to your principal mail domain zone(s). (See the Principles of Operation in dkim-rotate(7).)
$ORIGIN may be used to cause the dkim-rotate-generated RRs to appear as sub-labels of a sub-domain.
The config file also contains some special directives, on lines starting with !, which contain the configuration for dkim-rotate. These will be stripped out so that they don’t appear in the output zonefile gneerated by dkim-rotate.
The parameters for an existing instance may safely be adjusted. (Although, reducing max_selector does not take full effect immediately.)
This is used:
A warning will be generated if a supposedly-revealed key is found not to be accessible.
- can be used to indicate “none”. This will also suppress the corresponding note in the generated TXT RRs, and the informational outputs in the MTA configuration.
! mta_group identifier
Group that ought to be able to access DKIM private keys This should be a group which the MTA will have when it wishes to make a signature. For an Exim installation on Debian, `Debian-exim` is correct. This is used for the group ownership of
`/var/lib/dkim-rotate/INSTANCE/priv`. The permissions `0750` will be used if dkim-rotate needs to create the directory. (Otherwise dkim-rotate will just check that the directory doesn't have global execute.) If `mta_group` is set to `-`, dkim-rotate will skip the chgrp, and (if it is creating the directory) create as `0700`. (Within the `priv/` directory, the files have a world-readable mode, so it is the directory permission which controls access.)
Default is 12 (or, equivalently, l).
If the configuration for an existing instance is changed, to reduce max_selector, it will take a little while for dkim-rotate to stop using of the to-be-abolished selectors:
While the number of selectors in use is more than configured, dkim-rotate will print warnings. dkim-rotate --status can be used to verify whether old selectors are no longer in use, and therefore whether it is OK to remove associated DNS aliases etc.
duration is a number (possibly with decimal fraction) followed by one of the units s m h d w.
Default is 4h.
Default is 88h.
If instance specified on the command line as a pathname, there is no default for instance_var_dir: it must then be specified in the config file.
! dkim_txt tag list
The values for the `TXT` RR, in domainkeys tag-list format, not including the `p=`. (see [RFC6376](https://datatracker.ietf.org/doc/html/rfc6376#section-3.6.1)). dkim-rotate will append `; n=...; p=...` to this. Default is `v=DKIM1; h=sha256; s=email. where NOTE
! rsa_bits integer
Number of bits in generated RSA keys. (Currently, only RSA is supported.) Defaults to 2048.
! dns_reload shell command
Command to run to reload the nameserver, after the zonefile has been updated. Default: `rndc reload >/dev/null`.
! mta_reload shell command
Command to run to reload the MTA, after the DKIM signing configuration has been updated. Default: `true` (meaning, nothing needs to be done).
Copyright 2022 Ian Jackson and contributors to dkim-rotate.
There is NO WARRANTY.
SPDX-License-Identifier: GPL-3.0-or-later