Re: [exim] DKIM pubkey_dns_syntax

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] DKIM pubkey_dns_syntax
On 03/12/17 07:45, Torsten Tributh via Exim-users wrote:
> in the last weeks, i see an increasing amount of DKIM errors,
> mentioning an (pubkey_dns_syntax) error.
>
> Here is just a single sample:
> 2017-12-02 20:10:15.090 [23827] 1eLDB0-0006CJ-W4 DKIM: d=fohrmann.com
> s=newsletter2go c=simple/simple a=rsa-sha256 b=1024 [invalid - syntax
> error in public key record]
>
> When checking the DKIM-key by hand:
>
> dig +short TXT newsletter2go._domainkey.fohrmann.com
> "v=spf1 mx a include:spf.nl2go.com -all"
> "v=DKIM1; k=rsa;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOicsJWjGF90epzxL+IpdHMLCrPTdUpWhYV6o6LgIhidD1DdofDGxqkCZ671sdwh4drVtIMHn6Ojm1uabRYoa3QeiHJ5Sz90X3KMKH6z4GI3h4y9+2Ov9g7aQ7VCYuKxcRCD7ZGKUhiBcFZZkU+cRlx1pdFPkX8+AXM19JbJKcQIDAQAB;"
>
> it turned out, that their is beside the DKIM-key an extra SPF-record.
> Could that be the reason for the "(pubkey_dns_syntax)" in the log?
> When i look "only" at the DKIM-key it looks correct.
>
> Is that an error, getting confused from extra DNS settings in DKIM-Key
> checking, or should we blame the persons, who start to put
> SPF-records in unusual places?


If I understand SPF correctly the spf record should have been on the
example.com domain (? fohrmann.com ? newsletter2go.fohrmann.com ?)
so they have that wrong.

As far as DKIM goes, newsletter2go._domainkey.fohrmann.com is the
right place for the record. RFC 6376 says (section 6.1.2):

   4.  If the query for the public key returns multiple key records, the
       Verifier can choose one of the key records or may cycle through
       the key records, performing the remainder of these steps on each


It's therefore legitimate (in standards-lawyer terms) to take the first
TXT RR, find it fails validation, and give up. I'm assuming here that
your "dig" output is showing two separate RRs; were they two strings in
a single RR (I don't know if that can happen, but there's wording in the
DKIM RFC implying so) then we should be concatenating the strings to
get a dkim record to validate, and that will certainly not be valid.

So, would it be more useful for exim to "cycle through the key records"
per the alternate RFC permitted action? Probably, yes. Raise a
wishlist-level bug if you're interested in that.


(I've not actually looked to see what the code does when hit with that
DNS content. Debug output would be a start.)

--
Cheers,
Jeremy