[Rspamd-Users] rspamadm vault rollover

Vsevolod Stakhov vsevolod at rspamd.com
Wed May 13 13:07:23 UTC 2020

On 13/05/2020 12:06, R.N.S. via Users wrote:
> Hi,
> I have used vault/consul for one domain in testing mode more than a year now. Yesterday I switched completely to vault/consul with all other domains.
> For the one domain that was in testing mode, I had called:
> rspamadm vault rollover roessner.email
> which generated a new rsa and ed25519 key. I imported the pub keys into DNS. So far so good.
> Today I ran:
> rspamadm vault rollover -r roessner.email
> in the hope that only expired keys would be removed, but unfortunately that generated a new pair of rsa and ed25519 keys.
> I think I still do not understand the normal workflow.
> I decided to completely delete the keys for roessner.email and create two new ones. So I have a clear new starting position.
> But how do I have to proceed in future? Could someone please explain step-by-step the necessary commands? I have read the documentation on the website, but as you see, I still don't get it right.
> Would be nice to see it for

During rollover with TTL rspamd creates a new keypair and sets an
existing keypair to expire in some time (can't remember exactly what was
that time - 1 day maybe).

For some amount of time, till an old keypair expires, Rspamd inserts 2
(or 4 with dual rsa-ed25519) DKIM signatures - for an old key and for a
new key. It is done to ensure that all DNS caches update the public key
to verify the new key properly.

Hence, new key generation is something that is absolutely expected from
a rollover procedure.
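The overlap behaviour described in the reply, modelled as an added Python example (this is not rspamd's code and not the vault layout rspamadm uses; the one-day expiry window, the `remove_expired` option and the `k1`/`k2`/`k3` selector names are assumptions standing in for whatever the real tool does). It shows why a rollover must always produce a fresh keypair: the old keys stay usable until their expiry so that mail is signed with both generations while DNS caches catch up, and only a later rollover or an explicit prune removes keys that have actually expired.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed expiry window applied to the outgoing keys at rollover
# (the reply says "1 day maybe"; this is a placeholder, not rspamd's value).
ONE_DAY = 24 * 3600


@dataclass
class DkimKey:
    selector: str
    alg: str                        # "rsa" or "ed25519"
    created: int                    # simulated clock, seconds
    expires: Optional[int] = None   # None: active, no expiry scheduled yet

    def usable_at(self, now: int) -> bool:
        """A key signs mail until its scheduled expiry has passed."""
        return self.expires is None or now < self.expires


class VaultDomain:
    """Constructed model of one domain's DKIM key set held in a vault."""

    def __init__(self, domain: str, algs: Tuple[str, ...] = ("rsa", "ed25519")):
        self.domain = domain
        self.algs = algs            # dual rsa+ed25519 by default
        self.keys: List[DkimKey] = []
        self._gen = 0

    def newkey(self, now: int) -> str:
        """Create one keypair per algorithm under a fresh selector (constructed naming)."""
        self._gen += 1
        selector = f"k{self._gen}"
        for alg in self.algs:
            self.keys.append(DkimKey(selector, alg, now))
        return selector

    def roll(self, now: int, ttl: int = ONE_DAY, remove_expired: bool = False) -> str:
        """Rollover: optionally prune keys already past expiry, schedule every
        still-active key to expire after `ttl`, then generate a new keypair.
        Keys that already carry an expiry keep their earlier deadline."""
        if remove_expired:
            self.keys = [k for k in self.keys if k.usable_at(now)]
        for k in self.keys:
            if k.usable_at(now) and k.expires is None:
                k.expires = now + ttl
        return self.newkey(now)

    def signing_keys(self, now: int) -> List[DkimKey]:
        """Every key that would put a DKIM-Signature on mail sent at `now`."""
        return [k for k in self.keys if k.usable_at(now)]

    def dns_selectors_needed(self, now: int) -> List[Tuple[str, str]]:
        """(selector, alg) pairs whose public keys must currently be published in DNS."""
        return sorted((k.selector, k.alg) for k in self.signing_keys(now))


if __name__ == "__main__":
    d = VaultDomain("example.invalid")      # constructed domain
    d.newkey(0)
    d.roll(100)                             # first rollover: k1 expires in a day, k2 is new
    for t in (200, 100 + ONE_DAY, 3 * ONE_DAY):
        print(t, [f"{k.selector}/{k.alg}" for k in d.signing_keys(t)])
    d.roll(3 * ONE_DAY, remove_expired=True)   # prunes k1, schedules k2, creates k3
    print("publish:", d.dns_selectors_needed(3 * ONE_DAY))
```

Running the demo shows four signatures right after the first rollover, two once the day has passed, and four again after the second rollover: removing expired keys and creating new ones happen in the same step, which is exactly what the `-r` run in the question produced.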
