diff --git a/default.nix b/default.nix index 374631b..3d13758 100644 --- a/default.nix +++ b/default.nix @@ -976,9 +976,9 @@ in dkimKeyBits = mkOption { type = types.int; - default = 1024; + default = 2048; description = '' - How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys. + How many bits in generated DKIM keys. RFC8301 suggests a minimum RSA key length of 2048 bit. If you have already deployed a key with a different number of bits than specified here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get diff --git a/docs/release-notes.rst b/docs/release-notes.rst index d4877e4..7a48dd4 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -7,9 +7,15 @@ NixOS 25.11 - The ``systemName`` and ``systemDomain`` options have been introduced to have reusable configurations for automated reports (DMARC, TLSRPT). They come with reasonable defaults, but it is suggested to check and change them as needed. +- The default key length for new DKIM RSA keys was increased to 2048 bits as + recommended in `RFC 8301 3.2`_. + We recommend rotating existing keys, as the RFC advises that signatures from + 1024 bit keys should not be considered valid any longer. - DMARC reports are now sent with the ``noreply-dmarc`` localpart from the system domain. +.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2 + NixOS 25.05 -----------
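Review bot: In the `default.nix` hunk, the new description says RFC 8301 "suggests a minimum RSA key length of 2048 bit", but the RFC's actual wording is that signers MUST use keys of at least 1024 bits and SHOULD use at least 2048 bits, so "1024 bits is the required floor, 2048 bits is the recommended minimum" would be more precise (and "2048 bit" should read "2048 bits"). The description also tells users to switch selectors if a key with a different length is already deployed, but it does not say what happens to an existing key file when the default changes from 1024 to 2048: state explicitly that an already-generated key is kept as-is and that a new selector is what triggers generation of a 2048-bit key, so upgraders know whether any action is needed. Worth adding one sentence that the base64 public key for a 2048-bit RSA key exceeds the 255-byte limit of a single DNS TXT string, so the record must be published as multiple quoted strings; that is the most common failure when operators move to 2048-bit DKIM keys.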
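Review bot: In the `docs/release-notes.rst` hunk, the sentence "the RFC advises that signatures from 1024 bit keys should not be considered valid any longer" misstates RFC 8301 section 3.2, which says verifiers MUST NOT consider signatures using RSA keys of *less than* 1024 bits as valid, while 1024 bits remains the MUST floor and 2048 bits is the SHOULD recommendation. As written, operators may conclude their existing 1024-bit signatures are already being rejected. Suggest rewording to something like "We recommend rotating existing 1024-bit keys: RFC 8301 makes 2048 bits the recommended minimum and forbids verifiers from accepting keys shorter than 1024 bits." Minor: "1024 bit keys" and "2048 bits" as an attributive should be hyphenated ("1024-bit keys"), matching "2048-bit" usage elsewhere in the docs.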