~sircmpwn/sr.ht-discuss


DKIM fail?

Message ID: <C2DVC56U0UJ8.27N40WXPIN7LN@hexx>
DKIM signature: fail

I've noticed that emails I send into the mailing lists appear to fail the
DKIM check.

Authntication-Results: mail-b.sr.ht;
    dkim=fail reason="key not found in DNS" (0-bit key)
    header.d=dreamfall.space header.i=@dreamfall.space header.b=aOuM6fUC

However my DNS from what I can tell is set up correctly and it does pass
elsewhere. Is this something on the sr.ht side not finding the zone for my
domain?

Message ID: <sU3fWnxfwwCKM_QxZ5IAjAqtPEDsHjj2yk3X24fRHJ_YFZJtgBiXiaDiClu59ZO3DWBxUfOrbbY-Dako-HMLOBUg4gTu-9cFZXRLcUxAUn4=@emersion.fr>
In-Reply-To: <C2DVC56U0UJ8.27N40WXPIN7LN@hexx>
DKIM signature: pass

On Wednesday, April 29, 2020 7:30 PM, Morgan McMillian <thrrgilag@dreamfall.space> wrote:

> I've noticed that emails I send into the mailing lists appear to fail the
> DKIM check.
>
> Authntication-Results: mail-b.sr.ht;
> dkim=fail reason="key not found in DNS" (0-bit key)
> header.d=dreamfall.space header.i=@dreamfall.space header.b=aOuM6fUC
>
> However my DNS from what I can tell is setup correctly and it does pass
> elsewhere. Is this something on the sr.ht side not finding the zone for my
> domain?

Indeed, my own mail server verifies your signature as well, and I can
verify it locally too. I'll continue investigating and let you know if
I find anything.

Message ID: <1RbDFtkMY781fnjy40QGA6WgoEnXrZfOH6USJX4Y__RxdtEL9LuZy-MiT2sZVk1Y7QU-aEzo47Hm6RglbSAyWHNC8evbKEphuZk1s5A9X3M=@emersion.fr>
In-Reply-To: <sU3fWnxfwwCKM_QxZ5IAjAqtPEDsHjj2yk3X24fRHJ_YFZJtgBiXiaDiClu59ZO3DWBxUfOrbbY-Dako-HMLOBUg4gTu-9cFZXRLcUxAUn4=@emersion.fr>
DKIM signature: pass

On Wednesday, April 29, 2020 8:55 PM, Simon Ser <contact@emersion.fr> wrote:

> On Wednesday, April 29, 2020 7:30 PM, Morgan McMillian thrrgilag@dreamfall.space wrote:
>
> > I've noticed that emails I send into the mailing lists appear to fail the
> > DKIM check.
> > Authntication-Results: mail-b.sr.ht;
> > dkim=fail reason="key not found in DNS" (0-bit key)
> > header.d=dreamfall.space header.i=@dreamfall.space header.b=aOuM6fUC
> > However my DNS from what I can tell is setup correctly and it does pass
> > elsewhere. Is this something on the sr.ht side not finding the zone for my
> > domain?
>
> Indeed, my own mail server verifies your signature as well, and I can
> verify it locally too. I'll continue investigating and let you know if
> I find anything.

Progress: it seems 1.1.1.1 doesn't see/accept your DNS TXT record. On
my machine, this works:

    drill TXT rincewind._domainkey.dreamfall.space

But this doesn't:

    drill TXT rincewind._domainkey.dreamfall.space @1.1.1.1

Since 1.1.1.1 is a DNSSEC validating server, maybe there's something
wrong with your DNSSEC configuration?

Message ID: <c8a08a50-1741-62ce-91fb-7e6b8e223187@interia.pl>
In-Reply-To: <1RbDFtkMY781fnjy40QGA6WgoEnXrZfOH6USJX4Y__RxdtEL9LuZy-MiT2sZVk1Y7QU-aEzo47Hm6RglbSAyWHNC8evbKEphuZk1s5A9X3M=@emersion.fr>
DKIM signature: pass

On 30.04.2020 at 10:10, Simon Ser wrote:
> Progress: it seems 1.1.1.1 doesn't see/accept your DNS TXT record. On
> my machine, this works:
>
>     drill TXT rincewind._domainkey.dreamfall.space
>
> But this doesn't:
>
>     drill TXT rincewind._domainkey.dreamfall.space @1.1.1.1
>
> Since 1.1.1.1 is a DNSSEC validating server, maybe there's something
> wrong with your DNSSEC configuration?

Tried drill with -TD which walks the authoritative servers
directly, and validates DNSSEC locally:

    drill -TD TXT rincewind._domainkey.dreamfall.space

and it also fails, last line is:

    [B] ;; Error verifying denial of existence for name _domainkey.dreamfall.space.NS: No DNSSEC signature(s)

For an unsigned domain it should be with `[U] ...something...`.

Unfortunately, I don't understand NSEC3 records well enough
to figure out what's wrong here.

Message ID: <C2EKYQAKFLM0.2WDANOVK7N01G@hexx>
In-Reply-To: <1RbDFtkMY781fnjy40QGA6WgoEnXrZfOH6USJX4Y__RxdtEL9LuZy-MiT2sZVk1Y7QU-aEzo47Hm6RglbSAyWHNC8evbKEphuZk1s5A9X3M=@emersion.fr>
DKIM signature: fail

On Thu Apr 30, 2020 at 1:10 AM PDT, Simon Ser wrote:
> On Wednesday, April 29, 2020 8:55 PM, Simon Ser <contact@emersion.fr>
> wrote:
>
> > On Wednesday, April 29, 2020 7:30 PM, Morgan McMillian thrrgilag@dreamfall.space wrote:
> >
> > > I've noticed that emails I send into the mailing lists appear to fail the
> > > DKIM check.
> > > Authntication-Results: mail-b.sr.ht;
> > > dkim=fail reason="key not found in DNS" (0-bit key)
> > > header.d=dreamfall.space header.i=@dreamfall.space header.b=aOuM6fUC
> > > However my DNS from what I can tell is setup correctly and it does pass
> > > elsewhere. Is this something on the sr.ht side not finding the zone for my
> > > domain?
> >
> > Indeed, my own mail server verifies your signature as well, and I can
> > verify it locally too. I'll continue investigating and let you know if
> > I find anything.
>
> Progress: it seems 1.1.1.1 doesn't see/accept your DNS TXT record. On
> my machine, this works:
>
> drill TXT rincewind._domainkey.dreamfall.space
>
> But this doesn't:
>
> drill TXT rincewind._domainkey.dreamfall.space @1.1.1.1
>
> Since 1.1.1.1 is a DNSSEC validating server, maybe there's something
> wrong with your DNSSEC configuration?

The plot thickens, I don't have DNSSEC set up for this or my other domains.
My providers appear not to support it at this time. So Cloudflare seems to not
like my domains, great.

Message ID: <C2ELBUMF8DGJ.1GM63WSK74F4D@homura>
In-Reply-To: <C2EKYQAKFLM0.2WDANOVK7N01G@hexx>
DKIM signature: pass

On Thu Apr 30, 2020 at 2:35 AM PST, Morgan McMillian wrote:
> The plot thickens, I don't have DNSSEC setup for this or my other
> domains.  My providers appear not to support it at this time. So
> Cloudflare seems to not like my domains, great.

FWIW I've been moving us away from 1.1.1.1 (it's not very reliable) and
back to 8.8.8.8. I just did this to the mail server as well, so maybe
this'll "fix" itself?

Message ID: <l71STloV-sNwKlxUT-pB3YOpJZkyV6ZY16zKS-NZGkFoBO4s9t4WfowAa99SRAvZr8UhHwIJ87IEAB_zCe-NdP72VbeGM-Vk05Z-A_02oeM=@emersion.fr>
In-Reply-To: <C2ELBUMF8DGJ.1GM63WSK74F4D@homura>
DKIM signature: pass

On Thursday, April 30, 2020 3:52 PM, Drew DeVault <sir@cmpwn.com> wrote:

> On Thu Apr 30, 2020 at 2:35 AM PST, Morgan McMillian wrote:
>
> > The plot thickens, I don't have DNSSEC setup for this or my other
> > domains. My providers appear not to support it at this time. So
> > Cloudflare seems to not like my domains, great.
>
> FWIW I've been moving us away from 1.1.1.1 (it's not very reliable) and
> back to 8.8.8.8. I just did this to the mail server as well, so maybe
> this'll "fix" itself?

Yes, 8.8.8.8 doesn't have this issue.

Message ID: <cdcd9169-dd55-df71-3dc9-08617c1dfefc@federated.id>
In-Reply-To: <C2DVC56U0UJ8.27N40WXPIN7LN@hexx>
DKIM signature: fail

On 4/29/20 7:30 PM, Morgan McMillian wrote:
> I've noticed that emails I send into the mailing lists appear to fail the
> DKIM check.
> 
> Authntication-Results: mail-b.sr.ht;
>     dkim=fail reason="key not found in DNS" (0-bit key)
>     header.d=dreamfall.space header.i=@dreamfall.space header.b=aOuM6fUC
> 
> However my DNS from what I can tell is setup correctly and it does pass
> elsewhere. Is this something on the sr.ht side not finding the zone for my
> domain?
> 

Hi, I seem to have a similar issue with my domain (federated.id).

I'm using purelymail as a mail provider and the DKIM entries are
configured correctly on Cloudflare to point to it[1] (to the best of my
knowledge).


Do you guys have any ideas?

Cheers,

/Marius

[1] dig +short txt purelymail{1,2,3}._domainkey.federated.id

Message ID: <jSUzLOdI2Y8EZkSWddFG88ecUTu_wz0BfJg2x4quT5blO3dqZD5zPwlnIez8UmfisSiUbABqzzSOdrRyWMvg2wVP4uX5trTyGnwWAlvKqVM=@emersion.fr>
In-Reply-To: <cdcd9169-dd55-df71-3dc9-08617c1dfefc@federated.id>
DKIM signature: pass

Yup, seems to be the same issue. This succeeds:

    drill txt purelymail1._domainkey.federated.id

But this fails:

    drill txt purelymail1._domainkey.federated.id @1.1.1.1

Message ID: <02ee7b9e-f044-4a91-10f2-d2aa69637d61@federated.id>
In-Reply-To: <jSUzLOdI2Y8EZkSWddFG88ecUTu_wz0BfJg2x4quT5blO3dqZD5zPwlnIez8UmfisSiUbABqzzSOdrRyWMvg2wVP4uX5trTyGnwWAlvKqVM=@emersion.fr>
DKIM signature: fail

On 5/21/20 10:18 AM, Simon Ser wrote:
> Yup, seems to be the same issue. This succeeds:
> 
>     drill txt purelymail1._domainkey.federated.id
> 
> But this fails:
> 
>     drill txt purelymail1._domainkey.federated.id @1.1.1.1
> 

Damn you cloudflare!

*wiggles fist at the sky*

I thought I saw earlier in the discussion that Drew moved away from it
as a DNS resolver? Any idea why it's still happening?

/Marius

Message ID: <GkbY6uoijKEN9_SGMxmoNQY5bY8Onyse2ecFHhrVonhllmWNuDpfBSz2pzZ7EoAYbTfLEbiBBvVrLvoT-rzHavo6yOvDur8nvHIAx8Nog9c=@emersion.fr>
In-Reply-To: <02ee7b9e-f044-4a91-10f2-d2aa69637d61@federated.id>
DKIM signature: pass

Hmm, the DNS server for sr.ht's email server is now changed, but DKIM
will still fail. Your record cannot be retrieved via Google's public
DNS server:

    drill txt purelymail1._domainkey.federated.id @8.8.8.8

This fails for me.

Message ID: <dO1qAVppufYf2A2SYzzSBadoG_cqDZNDGaTtNzxWPfIu3ZnPapYJ3-vYTFRhBxVfwvk0LeF0on86p2kPDKH51vWAGVHkpex2sp9wGSYvc0w=@emersion.fr>
In-Reply-To: <GkbY6uoijKEN9_SGMxmoNQY5bY8Onyse2ecFHhrVonhllmWNuDpfBSz2pzZ7EoAYbTfLEbiBBvVrLvoT-rzHavo6yOvDur8nvHIAx8Nog9c=@emersion.fr>
DKIM signature: pass

On Thursday, May 21, 2020 4:06 PM, Simon Ser <contact@emersion.fr> wrote:

> Hmm, the DNS server for sr.ht's email server is now changed, but DKIM
> will still fail. Your record cannot be retrieved via Google's public
> DNS server:
>
> drill txt purelymail1._domainkey.federated.id @8.8.8.8
>
> This fails for me.

Scratch that, it's just that the key is pretty long and gets split into
two DNS messages it seems. For some reason querying via UDP doesn't
work for me:

;; WARNING: The answer packet was truncated; you might want to
;; query again with TCP (-t argument), or EDNS0 (-b for buffer size)

And with TCP it works correctly.

Message ID: <C2WGTNN33QDP.258JPWALFT1RX@homura>
In-Reply-To: <dO1qAVppufYf2A2SYzzSBadoG_cqDZNDGaTtNzxWPfIu3ZnPapYJ3-vYTFRhBxVfwvk0LeF0on86p2kPDKH51vWAGVHkpex2sp9wGSYvc0w=@emersion.fr>
DKIM signature: pass

On Thu May 21, 2020 at 10:08 AM PST, Simon Ser wrote:
> Scratch that, it's just that the key is pretty long and gets split into
> two DNS messages it seems. For some reason querying via UDP doesn't
> work for me:

This is a common problem with some public DNS providers. You need to use
a shorter key, or host your own DNS.

Message ID: <5c31393f-639e-89ec-3294-53fc81b3191a@federated.id>
In-Reply-To: <dO1qAVppufYf2A2SYzzSBadoG_cqDZNDGaTtNzxWPfIu3ZnPapYJ3-vYTFRhBxVfwvk0LeF0on86p2kPDKH51vWAGVHkpex2sp9wGSYvc0w=@emersion.fr>
DKIM signature: fail

On 5/21/20 4:08 PM, Simon Ser wrote:
> Scratch that, it's just that the key is pretty long and gets split into
> two DNS messages it seems. For some reason querying via UDP doesn't
> work for me:
> 
> ;; WARNING: The answer packet was truncated; you might want to
> ;; query again with TCP (-t argument), or EDNS0 (-b for buffer size)
> 
> And with TCP it works correctly.
> 

I don't think the length is the issue.

The actual DNS entry for my server is a CNAME pointing to purelymail's
TXT entry for the DKIM key.

It's possible that you need 2 UDP requests because the resolver needs
first to get the CNAME, and then from it the TXT entry with the DKIM value.

If the problem was with just the *length* of the response, I feel like
querying the TXT record on purelymail would have failed too:

    drill txt key1._dkimroot.purelymail.com @8.8.8.8

    key1._dkimroot.purelymail.com.	3463	IN	TXT	"v=DKIM1; k=rsa; t=sy;
    p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+X8GZT7cjSI8ENTrOusbdQGlYYebOydfM6xCZC05aWY9nw7oaLJZQoRNgZbqU/aZmDzLoDM/tOm/RZzj82KyRhikLjirlEo5bJmVaW/NNiT+poIQ9Q7gyVeZOnJKlzLdWbRQ6wo6O+ZLfCqdnfihfAFjJpdp4fMqwRgKEGy1XvRmNbHiYmCkLR"
    "OtbJvqVBgXx+jnExR91jTIGugXUfKu+VjZmsrAli0HZPTt4i6TWOC+6GXQWrk7WTekgHow2r+cJMnwM9KcgjPsXKl5yBFJ2XfkP0/NUijjETJwcwDNLk/gCT5U7Fr8kuZxMTlUIXl0OHO5ZiUZWelmNG3SqWo9bQIDAQAB"

    ;; Query time: 71 msec
    ;; SERVER: 8.8.8.8
    ;; WHEN: Thu May 21 16:16:22 2020
    ;; MSG SIZE  rcvd: 477

Maybe the library used for loading the DKIM keys isn't doing this DNS
chaining correctly? Where is this happening in the code?

Cheers,

/Marius
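
The two failure modes discussed in this thread, a UDP answer cut short (TC bit) and a CNAME that has to be chased before the TXT data is reached, as an added Python example that is not code from this thread or from sr.ht: it parses a DNS response from constructed wire-format bytes, follows CNAMEs inside the answer section, joins the multi-string TXT data and splits out the DKIM tags. The names are the ones from the thread; the `p=` value is a placeholder, and `build_response` only exists to construct the sample offline.

```python
import struct
def encode_name(name):  # wire-format name without compression (used to build the sample)
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):  # decode a possibly-compressed name -> (name, offset just past it)
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4): jump, remember where to resume
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels).lower() + ".", (off + 1 if end is None else end)

def dkim_record(msg, qname):  # -> (truncated, tags); tags is None when no TXT is reached
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    if flags & 0x0200:  # TC bit: the UDP answer was cut short; the caller must retry over TCP
        return True, None
    off = 12
    for _ in range(qd):  # skip the question section
        off = read_name(msg, off)[1] + 4
    rrs = {}
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == 5:  # CNAME: remember the target so the walk below can follow it
            rrs[name] = ("CNAME", read_name(msg, off)[0])
        elif rtype == 16:  # TXT: a 2048-bit RSA key exceeds 255 bytes, so it spans two strings
            data, i = b"", 0
            while i < rdlen:
                data += msg[off + i + 1:off + i + 1 + msg[off + i]]; i += 1 + msg[off + i]
            rrs[name] = ("TXT", data.decode())
        off += rdlen
    name, kind = qname.lower().rstrip(".") + ".", "CNAME"
    for _ in range(an):  # bounded walk, so a CNAME loop in the answer cannot hang the verifier
        kind, value = rrs.get(name, (None, None))
        if kind != "CNAME": break
        name = value
    if kind != "TXT": return False, None  # chain ends before a TXT: the key is "not found"
    return False, dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def build_response(qname, answers, tc=False):  # constructed wire-format response, no compression
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | (0x0200 if tc else 0), 1, len(answers), 0, 0) + encode_name(qname) + struct.pack("!HH", 16, 1)
    for name, rtype, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

QNAME, TARGET = "purelymail1._domainkey.federated.id", "key1._dkimroot.purelymail.com"
CNAME_RR = (QNAME, 5, encode_name(TARGET))  # the CNAME Marius describes
TXT_RR = (TARGET, 16, b"".join(bytes([len(s)]) + s.encode() for s in ("v=DKIM1; k=rsa; t=sy; p=AAAA", "BBBB")))  # placeholder key, split in two
```

`dkim_record(build_response(QNAME, [CNAME_RR, TXT_RR]), QNAME)` yields the joined tags, while a response carrying only the CNAME, or one with TC set, yields no key, which is exactly the "key not found in DNS" result the verifier reported.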

Message ID: <e6eb8943-a4a4-cc3c-6024-e9b4f5f446b8@federated.id>
In-Reply-To: <5c31393f-639e-89ec-3294-53fc81b3191a@federated.id>
DKIM signature: pass

On 5/21/20 4:20 PM, Marius Orcsik wrote:
> On 5/21/20 4:08 PM, Simon Ser wrote:
>> Scratch that, it's just that the key is pretty long and gets split into
>> two DNS messages it seems. For some reason querying via UDP doesn't
>> work for me:
>>
> 
> I don't think the length is the issue.
> 

I think I was right.

> 
> If the problem was with just the *length* of the response, I feel like
> querying the TXT record on purelymail, would have failed too:
> 

So I have added complementary TXT records with the exact value
purelymail has for its keys and now the DKIM validation seems to be working.

However I don't feel like this is an optimal solution, as I will not
know when they update their keys.

Should I open a ticket for this?

Cheers,
/Marius