[Rspamd-Users] rspamadm vault rollover

lists at mlserv.org lists at mlserv.org
Wed May 13 16:29:07 UTC 2020



> On 13.05.2020 at 15:07, Vsevolod Stakhov <vsevolod at rspamd.com> wrote:
> 
> On 13/05/2020 12:06, R.N.S. via Users wrote:
>> Hi,
>> 
>> I have used vault/consul for one domain in testing mode more than a year now. Yesterday I switched completely to vault/consul with all other domains.
>> 
>> For the one domain that was in testing mode, I had called:
>> 
>> rspamadm vault rollover roessner.email
>> 
>> which generated a new rsa and ed25519 key. I imported the pub keys into DNS. So far so good.
>> 
>> Today I ran:
>> 
>> rspamadm vault rollover -r roessner.email
>> 
>> in the hope that only expired keys would be removed, but unfortunately that generated a new pair of rsa and ed25519 keys.
>> 
>> I think I still do not understand the normal workflow.
>> 
>> I decided to completely delete the keys for roessner.email and create two new ones. So I have a clear new starting position.
>> 
>> But how do I have to proceed in future? Could someone please explain step-by-step the necessary commands? I have read the documentation on the website, but as you see, I still don't get it right.
>> 
>> Would be nice to see it for
> 
> During rollover with TTL rspamd creates a new keypair and sets an
> existing keypair to expire in some time (can't remember exactly what
> that time was - 1 day maybe).
> 
> For some amount of time, till an old keypair expires, Rspamd inserts 2
> (or 4 with dual rsa-ed25519) DKIM signatures - for an old key and for a
> new key. It is done to ensure that all DNS caches update public key to
> verify new key properly.
> 
> Hence, new key generation is something that is absolutely expected from
> a rollover procedure.

I would expect new key generation, if not given the -r flag, because this says that it removes expired keys.

If I call:

rspamadm vault rollover example.com

it generates two new keys as you said. Do I have to remove the expired keys 1 or 2 days later manually, or does this happen automatically? If the latter is true, then the rollover call as shown is enough, right?

Christian

> 
> -- 
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users

-- 
Rößner-Network-Solutions
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5 
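The key lifecycle Vsevolod describes above (rollover creates a fresh keypair, the previous one is scheduled to expire after a TTL, and both are used for signing until the old one expires) is modelled in the following added example. It is not rspamd's code and does not use the rspamadm vault implementation; key material is replaced by a random token, selectors and timestamps are constructed, and the `remove_expired` step is kept as a separate call precisely because whether rspamd performs that purge automatically is the open question in the thread.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DkimKey:
    """One DKIM signing key for a domain (hypothetical model, not rspamd's record format)."""
    selector: str
    algorithm: str            # "rsa" or "ed25519"
    key_id: str               # stand-in for real key material (constructed token)
    created: float
    expires: Optional[float] = None   # None = current key, not scheduled for removal

    def is_expired(self, now: float) -> bool:
        return self.expires is not None and now >= self.expires


@dataclass
class DkimKeyStore:
    """Per-domain key list with the rollover semantics described in the thread."""
    ttl: float = 86400.0                          # grace period for old keys (assumed 1 day)
    keys: Dict[str, List[DkimKey]] = field(default_factory=dict)

    def rollover(self, domain: str, now: float,
                 algorithms: Tuple[str, ...] = ("rsa", "ed25519")) -> List[DkimKey]:
        """Generate a new keypair per algorithm and schedule the current ones to expire."""
        existing = self.keys.setdefault(domain, [])
        for k in existing:
            if k.expires is None:              # only current keys get an expiry
                k.expires = now + self.ttl
        new = []
        for alg in algorithms:
            selector = f"{alg}-{int(now)}-{secrets.token_hex(2)}"
            new.append(DkimKey(selector, alg, secrets.token_hex(16), now))
        existing.extend(new)
        return new

    def signing_keys(self, domain: str, now: float) -> List[DkimKey]:
        """Keys to sign with right now: current keys plus old ones still inside the TTL.

        During the overlap this yields two signatures per algorithm (four for dual
        rsa+ed25519), so verifiers with a stale DNS cache can still validate."""
        return [k for k in self.keys.get(domain, []) if not k.is_expired(now)]

    def remove_expired(self, domain: str, now: float) -> List[DkimKey]:
        """Purge keys whose TTL has passed; returns what was removed."""
        before = self.keys.get(domain, [])
        removed = [k for k in before if k.is_expired(now)]
        self.keys[domain] = [k for k in before if not k.is_expired(now)]
        return removed


def walk_through(ttl: float = 86400.0) -> Tuple[int, int, int, int, int]:
    """Replay the sequence from the thread with constructed timestamps."""
    store = DkimKeyStore(ttl=ttl)
    t0 = 1_589_300_000.0                       # constructed starting point
    store.rollover("example.com", t0)          # first keys: rsa + ed25519
    n_initial = len(store.signing_keys("example.com", t0))
    store.rollover("example.com", t0 + 3600)   # second rollover an hour later
    n_overlap = len(store.signing_keys("example.com", t0 + 3600))
    t_end = t0 + 3600 + ttl                    # old keys' TTL has elapsed
    n_after = len(store.signing_keys("example.com", t_end))
    removed = store.remove_expired("example.com", t_end)
    return n_initial, n_overlap, n_after, len(removed), len(store.keys["example.com"])


if __name__ == "__main__":
    print(walk_through())  # (2, 4, 2, 2, 2)
```

The walk-through shows the point made in the reply: right after the second rollover there are four signing keys, the two old ones drop out of signing once the TTL passes, and only the explicit purge removes their records. Whatever the real `rspamadm vault rollover` does with the old entries, the public keys for the new selectors must be in DNS before the old ones expire, or mail signed in the overlap window will fail verification at receivers that have not yet refreshed.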


