[Rspamd-Users] DKIM failure if CNAME
Daniel Lysfjord
lysfjord.daniel at smokepit.net
Wed May 13 15:16:58 UTC 2020
Hi.
DKIM verification seems to fail whenever the DKIM selector is a CNAME.
Example:
csession; dkim_module_key_handler: cannot get key for domain selector1._domainkey.hotmail.com: dns request to selector1._domainkey.hotmail.com failed: requested record is not found
Although, when I check the DNS:
dig txt selector1._domainkey.hotmail.com
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.13.3-1+b1-Debian <<>> txt selector1._domainkey.hotmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8929
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 1764c329d46187c3010000005ebc0bf29f1740fbdd5b3cdf (good)
;; QUESTION SECTION:
;selector1._domainkey.hotmail.com. IN TXT
;; ANSWER SECTION:
selector1._domainkey.hotmail.com. 3049 IN CNAME selector1._domainkey.outbound.protection.outlook.com.
selector1._domainkey.outbound.protection.outlook.com. 3049 IN TXT "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO/+UGvMbv7cPd/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+/pIhd2Xk/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5" "N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up/BlKzT6sCCrBihb/Bi3pZiEBB4Ui/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"
;; Query time: 0 msec
;; SERVER: 10.0.0.100#53(10.0.0.100)
;; WHEN: on. mai 13 17:02:10 CEST 2020
;; MSG SIZE rcvd: 606
When the selector is a TXT record, everything works as expected:
stored DKIM key for pf2014._domainkey.github.com in LRU cache for 3598 seconds, 14/2000 elements in the cache
dig txt pf2014._domainkey.github.com
; <<>> DiG 9.13.3-1+b1-Debian <<>> txt pf2014._domainkey.github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23504
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fe0ada55a0f453ec010000005ebc0d49873d475d42c139cd (good)
;; QUESTION SECTION:
;pf2014._domainkey.github.com. IN TXT
;; ANSWER SECTION:
pf2014._domainkey.github.com. 3599 IN TXT "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaCCQ+CiOqRkMAM/Oi04Xjhnxv3bXkTtA8KXt49RKQExLCmBxRpMp0PMMI73noKL/bZwEXljPO8HIfzG43ntPp1QRBUpn1UEvbp1/rlWPUop3i1j6aUpjxYGHEEzgmT+ncLUBDEPO4n4Zzt36DG3ZcJaLhvKtRkk2off5XD+BMvQIDAQAB"
;; Query time: 77 msec
;; SERVER: 10.0.0.100#53(10.0.0.100)
;; WHEN: on. mai 13 17:07:53 CEST 2020
;; MSG SIZE rcvd: 337
Testing with some online DKIM validator services (and other rspamd
instances earlier in the mailing list chain), everything seems to work
as intended. This indicates the issue is on my side. Probably a
misconfiguration somewhere. If anyone has any idea what can cause this,
please let me know.
Note: All the problematic selectors also cause dig to go into TCP mode
due to truncation. Can this be the source of the problem?
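An added example, not part of the original post and not rspamd code: a small DNS wire-format check for the two properties visible in the dig output above, the TC (truncated) flag on the UDP reply and a CNAME that has to be followed to a TXT record split into several strings. The names, the placeholder key and the `build` helper are constructed for the demo.

```python
import struct

def encode_name(name):  # uncompressed wire-format name
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):  # bounded, so a compression-pointer loop cannot hang us
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            end, off = (off + 2 if end is None else end), ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("compression loop or oversized name")

def inspect(msg, qname):
    """Return (TC bit set, TXT data reached from qname through CNAMEs, or None)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, target, txt = 12, qname.lower(), None
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(an):  # assumes a CNAME precedes its target, as in the dig output
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        if owner == target and rtype == 5:  # CNAME: keep following
            target = read_name(msg, rdata)[0]
        elif owner == target and rtype == 16:  # TXT: join the character-strings
            txt = b""
            while rdata < off:
                txt += msg[rdata + 1:rdata + 1 + msg[rdata]]
                rdata += 1 + msg[rdata]
    return bool(flags & 0x0200), txt.decode() if txt is not None else None

def build(qname, answers, tc=False):  # constructed response; answers = [(owner, rtype, rdata)]
    msg = struct.pack("!6H", 0x1234, 0x8180 | (0x0200 if tc else 0), 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 16, 1)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3049, len(rdata)) + rdata
    return msg

# Constructed sample data: hypothetical names and a placeholder key, not real records.
QNAME, TARGET = "sel._domainkey.example.org", "sel._domainkey.mail.example.net"
KEY_RDATA = b"\x14v=DKIM1;k=rsa;p=AAAA\x04BBBB"  # one TXT record, two length-prefixed strings
UDP = build(QNAME, [], tc=True)  # truncated UDP reply: TC set, no answer records
TCP = build(QNAME, [(QNAME, 5, encode_name(TARGET)), (TARGET, 16, KEY_RDATA)])
```

`inspect(UDP, QNAME)` reports the TC flag with no key, which is the point at which a resolver has to retry over TCP; `inspect(TCP, QNAME)` returns the reassembled key record found behind the CNAME.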