Merge branch 'dkim-rsa2048' into 'master'

Increase default DKIM key bits to 2048

Closes #333

See merge request simple-nixos-mailserver/nixos-mailserver!442
Martin Weinelt 2025-08-22 20:42:21 +00:00
commit 958c112fba
2 changed files with 8 additions and 2 deletions

@ -976,9 +976,9 @@ in
dkimKeyBits = mkOption { dkimKeyBits = mkOption {
type = types.int; type = types.int;
default = 1024; default = 2048;
description = '' description = ''
How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys. How many bits in generated DKIM keys. RFC8301 suggests a minimum RSA key length of 2048 bit.
If you have already deployed a key with a different number of bits than specified If you have already deployed a key with a different number of bits than specified
here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get
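Review bot: `type = types.int` still accepts any integer, so a configuration can set `dkimKeyBits = 512` (or a negative value) even though the new description now points at RFC 8301, which requires signers to use RSA keys of at least 1024 bits; consider tightening the type to something like `types.ints.between 1024 4096` or adding an assertion so the option cannot be set below the floor the description itself cites. Two smaller points on the new description text: cite the section (RFC 8301 section 3.2, as the changelog entry does) rather than the bare RFC number, and write "2048 bits" to match "1024-bit keys" in the old wording. Also note that the default moves from 1024 to 2048 for every deployment that did not pin the option, so the existing advice about using a different selector (`mailserver.dkimSelector`) now applies to anyone upgrading with an already-deployed key; that consequence is worth stating where the default is changed, not only in passing.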

@ -7,9 +7,15 @@ NixOS 25.11
- The ``systemName`` and ``systemDomain`` options have been introduced to have - The ``systemName`` and ``systemDomain`` options have been introduced to have
reusable configurations for automated reports (DMARC, TLSRPT). They come with reusable configurations for automated reports (DMARC, TLSRPT). They come with
reasonable defaults, but it is suggested to check and change them as needed. reasonable defaults, but it is suggested to check and change them as needed.
- The default key length for new DKIM RSA keys was increased to 2048 bits as
recommended in `RFC 8301 3.2`_.
We recommend rotating existing keys, as the RFC advises that signatures from
1024 bit keys should not be considered valid any longer.
- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the - DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
system domain. system domain.
.. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
NixOS 25.05 NixOS 25.05
----------- -----------
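Review bot: the sentence "the RFC advises that signatures from 1024 bit keys should not be considered valid any longer" overstates RFC 8301 section 3.2, which keeps 1024 bits as the MUST floor for signers, makes 2048 bits a SHOULD, and requires verifiers to be able to validate keys from 1024 up to 4096 bits, leaving only verifier policy free to weigh key length. Rephrase along the lines of "We recommend rotating existing 1024-bit keys, since RFC 8301 recommends at least 2048 bits for signers." The entry should also say how to rotate: the option description in this same commit tells users with an already-deployed key of a different size to pick a new selector, so mention changing `mailserver.dkimSelector` and publishing the new DNS TXT record before retiring the old one, otherwise readers may assume the upgrade regenerates the key in place. Minor: hyphenate consistently ("2048 bits" vs "1024 bit keys"), and, as rendered here, the `.. _RFC 8301 3.2:` target follows the bullet list with no blank line, which reStructuredText reports as a list ending without a blank line; add one if it is missing in the file.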