Problem resolving a domainkey TXT record

Danilo Godec danilo.godec at agenda.si
Fri Dec 13 14:53:45 UTC 2024


Hello,


I recently noticed that emails from a somewhat trustworthy organization 
don't have a valid DKIM signature - or rather, my email client can't 
verify them, because there is a timeout resolving the domainkey record.


Testing this with 'dig' confirms the problem:

> dig txt eulisa._domainkey.eulisa.europa.eu
;; communications error to 172.16.0.35#53: timed out

; <<>> DiG 9.18.28 <<>> txt eulisa._domainkey.eulisa.europa.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55417
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d6eea8bdf879508b01000000675c30a8e779768fc9685289 (good)
;; QUESTION SECTION:
;eulisa._domainkey.eulisa.europa.eu. IN TXT

;; Query time: 4992 msec
;; SERVER: 172.16.0.35#53(172.16.0.35) (UDP)
;; WHEN: Fri Dec 13 14:03:36 CET 2024
;; MSG SIZE  rcvd: 91


However, resolving other TXT records for the domain works normally:

> dig txt eulisa.europa.eu

; <<>> DiG 9.18.28 <<>> txt eulisa.europa.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35151
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1c40aaf791d3d85d01000000675c30c1a34364fc3a09684c (good)
;; QUESTION SECTION:
;eulisa.europa.eu.              IN      TXT

;; ANSWER SECTION:
eulisa.europa.eu.       300     IN      TXT     "MS=ms83963822"
eulisa.europa.eu.       300     IN      TXT     "v=spf1 mx ip4:195.80.109.244 ip4:195.80.109.246 ip4:185.78.44.242 ip4:185.78.44.243 ip4:185.7.39.180 ip4:213.32.127.167 ip4:213.32.127.168" " ip4:51.254.189.37 ip4:194.126.110.37 ip4:212.234.189.164 a:smtp-out.fingerprint.fr include:_spf.tech.ec.europa.eu include:spf.protection.outlook.com -all"
eulisa.europa.eu.       300     IN      TXT     "atlassian-domain-verification=IAbzEpJrPKAGpbastIH07G8kB/zM1meGcRNejgMYZsby1d0k7VwnPjDu6eGVLbqT"
eulisa.europa.eu.       300     IN      TXT     "MS=ms12401514"
eulisa.europa.eu.       300     IN      TXT     "apple-domain-verification=z8I34fLchFm3RjgN"

;; Query time: 204 msec
;; SERVER: 172.16.0.35#53(172.16.0.35) (UDP)
;; WHEN: Fri Dec 13 14:04:01 CET 2024
;; MSG SIZE  rcvd: 593


I tried resolving the domainkey with Google and other DNSs and it seems 
to work.

As far as I could find so far, the problem manifests itself only at my 
location, where I have three named servers - two are version 9.18.28 
while one is 9.16.37. I also have a 4th one at a different location and 
it's even older (9.11.4), but this one does resolve the domain key:

> dig txt eulisa._domainkey.eulisa.europa.eu @dns4.elasticbox.eu

; <<>> DiG 9.18.28 <<>> txt eulisa._domainkey.eulisa.europa.eu @dns4.elasticbox.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9239
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2b312991c2683e34f941a13f675c47654032168d65401367 (good)
;; QUESTION SECTION:
;eulisa._domainkey.eulisa.europa.eu. IN TXT

;; ANSWER SECTION:
eulisa._domainkey.eulisa.europa.eu. 3462 IN TXT "v=DKIM1;  p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1XVPzcIhCuMinLW2oceuhuqpGRxpX3koW2cV7ZGUzCnO+G0Xw6611ZMLT+Sk6313k0zVbwsL8Fnrbt+guvdqzx3Zh23chNZ24+ExN8Fhlb7XK0F7PqEH7pdJ1GAuraBJQmNviPiV64epsYu5gbiP8Aol16AcTCw1UvAG8xD4gQL2bXg52i5ucq2pRhEd9jbz1nc6gLA" "tcTwlSWVjlw6gu0+FzQ3DvhoCeMR8u6uOZx1GyWMX0YZRXEm9s8a2A1+mlD9l7+ypQWsyl1RiOI/RV5druI3mEuxPn1/pzyO7bbroZXcFOjz4B5Z9iRqtXoEZRhYIS8zScCKy+k8T8gGyWwIDAQAB;"

;; AUTHORITY SECTION:
eulisa.europa.eu.       3462    IN      NS      nssxb.eulisa.europa.eu.
eulisa.europa.eu.       3462    IN      NS      nstll.eulisa.europa.eu.

;; ADDITIONAL SECTION:
nstll.eulisa.europa.eu. 3462    IN      A       194.126.110.49
nssxb.eulisa.europa.eu. 3462    IN      A       212.234.189.180

;; Query time: 40 msec
;; SERVER: 54.229.229.105#53(dns4.elasticbox.eu) (UDP)
;; WHEN: Fri Dec 13 15:40:38 CET 2024
;; MSG SIZE  rcvd: 582


That implies that this might be a network problem, but since all servers 
have a public IP and no NAT, I really can't imagine why or how.

What diagnostic steps can I take to get a better idea of what's going on with 
these queries as far as named is concerned?


       Thanks,

     Danilo


