[Rspamd-Users] rspamadm vault rollover
Vsevolod Stakhov
vsevolod at rspamd.com
Wed May 13 13:07:23 UTC 2020
On 13/05/2020 12:06, R.N.S. via Users wrote:
> Hi,
>
> I have used vault/consul for one domain in testing mode more than a year now. Yesterday I switched completely to vault/consul with all other domains.
>
> For the one domain that was in testing mode, I had called:
>
> rspamadm vault rollover roessner.email
>
> which generated a new rsa and ed25519 key. I imported the pub keys into DNS. So far so good.
>
> Today I ran:
>
> rspamadm vault rollover -r roessner.email
>
> in the hope that only expired keys would be removed, but unfortunately that generated a new pair rsa and ed25519 keys.
>
> I think I still do not understand the normal workflow.
>
> I decided to completely delete the keys for roessner.email and create two new ones. So I have a clear new starting position.
>
> But how to I have to process in future? Could someone please explain step-by-step the necessary commands? I have read the documentation on the website, but as you see, I still don't get it right.
>
> Would be nice to see it for
During rollover with TTL rspamd creates a new keypair and set an
existing keypair to expire in some time (can't remember exactly what was
that time - 1 day maybe).
For some amount of time, till an old keypair expires, Rspamd inserts 2
(or 4 with dual rsa-ed25519) DKIM signatures - for an old key and for a
new key. It is done to ensure that all DNS caches update public key to
verify new key properly.
Hence, new key generation is something that is absolutely expected from
a rollover procedure.
More information about the Users
mailing list