Hi,
For a migration from one server to another, I am looking for a way to export DKIM keys from the original server to then import them on the new server.
I believe the keys are stored in LDAP and see from the wiki https://wiki.zimbra.com/wiki/Configurin ... IM_Signing that we can view the existing keys using /opt/zimbra/libexec/zmdkimkeyutil -q -d mydomain.com
The above command provides the selector and both the private and public keys.
But I do not see an option to import that data on a new server. The zmdkimkeyutil command only seems to allow generating new selectors and keys. Is there a way to import a selector and keys?
Regards
Migrating DKIM keys
Re: Migrating DKIM keys
Why not take the easy route and build new DKIM keys? It's not that difficult.
Re: Migrating DKIM keys
Well building new DKIM keys means then updating all the DNS records, manually and one by one. Not necessarily easy and can be error prone.
Whereas importing the keys would be fast, simpler, and less error prone.
Re: Migrating DKIM keys
DKIM keys are meant to be rotated and not kept indefinitely. Migrating to a new server is a good opportunity to generate new keys.
Note that you don't have to replace the current public key in DNS, you just add the new one, and let them co-exist (each one identified by a unique selector).
L. Mark Stone
Re: Migrating DKIM keys
ghen wrote:DKIM keys are meant to be rotated and not kept indefinitely.
THANK YOU for saying this explicitly!!
Almost all keys should be rotated periodically IMHO.
All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Migrating DKIM keys
Rotating keys regularly definitely makes sense.
But rotating keys as part of a migration is not optimal IMHO, it is just another source of potential errors and issues to troubleshoot during a migration process.
During a migration I think the KIS rule should apply: the more you reduce the surface of potential sources of issues, the better a migration procedure will be.
Furthermore, DNS can be owned by different actors and teams. It can mean that potentially a migration organisation is more complex because of the people involved.
It can also mean that a migration will fail if poorly planned and not all the correct people are involved. That's not even taking into account situations where DNS records are configured via different Registry services or different DNS services.
The main gap I think currently is that we cannot even import the private keys into a new server. That would enable a migration without any need to make changes on the DNS records.
Re: Migrating DKIM keys
The worst is (IMHO) anyway that there is no GUI or API command to manage DKIM keys.
It has to be done on the shell.
Re: Migrating DKIM keys
It's technically possible to migrate/replace existing DKIM keys using zmprov, no need to use LDAP directly. All you need is to replace domain attributes: DKIMKey, DKIMPublicKey, DKIMSelector with correct values from another Zimbra server.
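As an added sketch of that zmprov route (my own example, not the poster's code and not anything shipped by Zimbra): parse the old server's zmprov gd output into one file per attribute, check that the private key really matches DKIMPublicKey before touching the new server, then apply the values with zmprov md. It assumes zmprov prints and accepts the multi-line DKIMKey value as shown, and it also carries DKIMDomain and DKIMIdentity, two further schema attributes beyond the three named in the post.

```shell
# Added example, not from the thread or from Zimbra. Assumes that `zmprov gd`
# prints a multi-line DKIMKey as continuation lines and that `zmprov md` takes
# such a value as one argument (both unverified here); DKIMDomain and
# DKIMIdentity are extra schema attributes beyond the three the post names.
ATTRS='DKIMDomain|DKIMSelector|DKIMIdentity|DKIMPublicKey|DKIMKey'
# Old server: zmprov gd mydomain.com DKIMKey DKIMPublicKey DKIMSelector > export.txt
# Split such an export ($1) into one file per attribute under directory $2.
dkim_parse_export() {
  mkdir -p "$2"
  awk -v dir="$2" -v attrs="^($ATTRS): " '
    $0 ~ attrs { attr = $1; sub(/:$/, "", attr)
                 print substr($0, length(attr) + 3) > (dir "/" attr); next }
    /^#/ || /^[A-Za-z]+: / { attr = ""; next }     # header or other attribute
    attr != "" && NF > 0   { print > (dir "/" attr) }  # PEM continuation line
  ' "$1"
}

# Constructed stand-in for a real export (not a real key), so this runs offline.
dkim_sample_export() {
cat <<'EOF'
# name example.com
DKIMSelector: D1A2B3C4
DKIMPublicKey: v=DKIM1; k=rsa; p=CONSTRUCTEDspkiBASE64
DKIMKey: -----BEGIN RSA PRIVATE KEY-----
CONSTRUCTEDLINE1
CONSTRUCTEDLINE2
-----END RSA PRIVATE KEY-----
EOF
}

# Before importing: check the private key matches DKIMPublicKey (the DNS TXT
# data), i.e. the new server will sign with the key that DNS already publishes.
dkim_check_keypair() {
  spki=$(openssl pkey -in "$1/DKIMKey" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n')
  [ -n "$spki" ] || return 1
  case "$(tr -cd 'A-Za-z0-9+/=' < "$1/DKIMPublicKey")" in
    *"$spki"*) return 0 ;;
    *)         return 1 ;;
  esac
}

# New server (as the zimbra user): write the copied values onto the domain.
dkim_import() {
  domain="$1"; dir="$2"; set --
  for a in $(printf '%s' "$ATTRS" | tr '|' ' '); do
    [ -f "$dir/$a" ] && set -- "$@" "$a" "$(cat "$dir/$a")"
  done
  zmprov md "$domain" "$@"
}
```

Run dkim_check_keypair on the parsed directory first; with a key that does not correspond to the published public key it returns 1, which is exactly the migration error this thread is trying to avoid.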