CMU NetReg Problem.
Allan E. Johannesen
aej at WPI.EDU
Sat Jun 6 23:00:50 UTC 2009
Asking a CMU NetReg question on a BIND list must seem strange. The problem is
that my DNS server is a slave of a CMU NetReg one.
When I tried testing dkim at sendmail.org, this was my reply:
Authentication System: DomainKeys Identified Mail
Result: DKIM signature confirmed BAD
Description: Unrecoverable error during processing; signature data cannot be verified
Reporting host: sendmail.net
More information: http://mipassoc.org/dkim/
Sendmail milter: https://sourceforge.net/projects/dkim-milter/
This was the detail:
X-DKIM: Sendmail DKIM Filter v2.8.2 sendmail.net n55JHZVl074621
Authentication-Results: sendmail.net; dkim=permerror
(verification error: multiple DNS replies for `_dkim._domainkey.wpi.edu')
The problem appears to be the extra TXT entry that netreg installs.
Since that test, I see that our _dkim record has been removed, but this is an
example from _domainkey.wpi.edu:
_domainkey.wpi.edu. 86400 IN TXT "k=rsa\; t=y\; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALtjFbur0WaFMnhjbVHl1zLnFa9Y8iiPZHdofXXJ4n/0BHAskHiCxh8I4Ecyij83/EjhswDWjI9fT/3b4XcUXpb0En2VvZT3omZaMNt0SeS1lKsHSmHrWL8MosF5eOyunwIDAQAB"
_domainkey.wpi.edu. 86400 IN TXT "[NRDR" "41444_IN_TXT_" "k=rsa\;.t=y\;.p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALtjFbur0WaFMnhjbVHl1zLnFa9Y8iiPZHdofXXJ4n/0BHAskHiCxh8I4Ecyij83/EjhswDWjI9fT/3b4XcUXpb0En2VvZT3omZaMNt0SeS1lKsHSmHrWL8MosF5eOyunwIDAQAB" "5iehLmag+eiixgnIZLgl/Q]"
The _dkim entry similarly had the extra "bracketed" TXT data. There's tons of
those TXT records in DNS; maybe half the zone.
The first record, above, is properly formed. The second record is, I guess,
supposed to be ignored. It doesn't seem to be ignored in the sendmail test of
dkim. The order of the answers is not guaranteed, of course.
I've asked a question on the NetReg mailing list and got a solution of
modifying NetReg, which I'd certainly prefer, but the guy who runs NetReg at
WPI says we need to have those ugly TXT records in it. Or, rather, he needs
the ugly records in his DNS, and the campus DNS is a slave of it.
So, my question is whether it is at all possible to stop bind from serving that
extra TXT record?
I was thinking that if our servers wouldn't give the  records out as answers,
it would solve things. I'm sure it's a design goal of BIND to accurately
reflect the data and I'll probably be attacked for perverting its purity by
However, I'd appreciate any help in finding out where to attack the problem in
the BIND source tree. Is it best done in service of the records?
Perhaps it's better to somehow filter the records out before they get into the
campus DNS in the transfer from the NetReg master.
In either case, if anyone can point me to the modules involved, I'd appreciate
it. Is there a BIND internals document that could help?
Thanks for any advice anyone can provide.
More information about the bind-workers