Author: Phil Pennock
To: exim-announce
Subject: [exim-announce] Administrivia: exim.org DNS glitch, list unsubscribes

TL;DR: software bug, you might be unsubscribed from Exim mailing-lists,
(especially if you use SpamAssassin), please check and re-enable your

A number of people have been automatically unsubscribed from the
exim-users mailing-list, because their mail-systems were rejecting
legitimate mail. Upon investigation, SpamAssassin was scoring badly for
a DKIM signature made with a key "missing" from DNS.

Further investigation revealed a bug with the tool used for signing DNS
zones, such that on each signing, two (apparently) random records in the
zone had bad signatures and would "disappear" from DNS for those with
validating resolvers. The latest automatic re-signing had happened to
hit the DKIM key d201705._domainkey.exim.org, such that although it
existed in DNS and had worked at the time of DKIM rollover, the latest
time-based re-signing of the zone "removed" it.

The "exim.org" zone is re-signed three times a month, in addition to
when any changes were made, so this breakage was introduced on June 1st.

Installing a newer version of the DNSSEC signing tool from upstream
source has resolved the issue. I have filed a bug-report for the OS
package. The validation tool I've found which catches this is great,
but the version packaged by the OS can't handle our zonefile, so I'll
see about installing a newer version of _that_, so that we can
automatically check and catch this in future instead of putting live bad

Mail going out once more has a DKIM key visible in DNS, even to those
validating DNSSEC, so you should be safe to re-enable your subscriptions
if you so desire.

Apologies for the inconvenience,
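
An added example, not part of the original message and not the validation tool it mentions: one way to detect a record that exists in the zone but "disappears" for validating resolvers is to ask a validating resolver twice, once normally and once with the Checking Disabled (CD) bit set, and compare the answers. The resolver address 127.0.0.1 is an assumption (a local validating resolver); the record name is the DKIM key named above.

```python
import socket
import struct

NOERROR, SERVFAIL = 0, 2
TXT, OPT = 16, 41

def build_query(name, cd=False, qid=0x1234):
    """TXT query with RD set and EDNS0 DO; cd=True also sets Checking Disabled."""
    flags = 0x0100 | (0x0010 if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT pseudo-record: root name, UDP size 1232, DO flag (0x8000), no options
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 1232, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", TXT, 1) + opt

def parse_header(resp):
    """Extract the fields needed for the comparison from a DNS response header."""
    _qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "tc": bool(flags & 0x0200), "answers": answers}

def classify(validated, unchecked):
    """validated: header of the normal reply; unchecked: header of the CD=1 reply."""
    if validated["tc"] or unchecked["tc"]:
        return "truncated"  # retry over TCP before drawing a conclusion
    if (validated["rcode"] == SERVFAIL and unchecked["rcode"] == NOERROR
            and unchecked["answers"] > 0):
        return "bogus"      # data is in DNS but fails DNSSEC validation
    if validated["rcode"] == NOERROR and validated["answers"] > 0:
        return "secure" if validated["ad"] else "insecure"
    return "missing"

def ask(resolver, name, cd):
    """Send one UDP query to the resolver and return the parsed reply header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(build_query(name, cd=cd), (resolver, 53))
        return parse_header(s.recv(4096))

if __name__ == "__main__":
    name = "d201705._domainkey.exim.org"
    resolver = "127.0.0.1"  # assumption: a local validating resolver
    print(name, classify(ask(resolver, name, False), ask(resolver, name, True)))
```

A "bogus" result is the condition described in the message: the record is present in the zone, but validating resolvers refuse to return it.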