Re: [exim] DKIM pubkey_dns_syntax

Author: Sebastian Nielsen
Date:
To: Torsten Tributh
CC: Exim-users
Subject: Re: [exim] DKIM pubkey_dns_syntax
I think the cause of this is due to wildcards.
To protect your domain from a crook who spoofs subdomains, you simply
put a wildcard, so for example *.sebbe.eu is an SPF record.
You can also extend this to *.*.sebbe.eu and so on. And if the
wildcard matches, you will get a "spurious" SPF record with your DKIM
lookup.

So any record that doesn't start with "v=DKIM1" should always be skipped!
However, a record that does start with v=DKIM1 but contains
syntactically invalid data should of course be regarded as invalid.

I made an attempt and it seems that the DNS server fohrmann.com
responds identically to everything, basically a "catchall" DNS server.
I did the following:

root@linuxlite-desktop:/var/log/exim4# dig +short AAAA has.this.server.wildcarded.everything.fohrmann.com
2a00:1158:1000:407::cd
root@linuxlite-desktop:/var/log/exim4# dig +short A has.this.server.wildcarded.everything.fohrmann.com
134.119.2.205
root@linuxlite-desktop:/var/log/exim4# dig +short TXT has.this.server.wildcarded.everything.fohrmann.com
"v=spf1 mx a include:spf.nl2go.com -all"
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOicsJWjGF90epzxL+IpdHMLCrPTdUpWhYV6o6LgIhidD1DdofDGxqkCZ671sdwh4drVtIMHn6Ojm1uabRYoa3QeiHJ5Sz90X3KMKH6z4GI3h4y9+2Ov9g7aQ7VCYuKxcRCD7ZGKUhiBcFZZkU+cRlx1pdFPkX8+AXM19JbJKcQIDAQAB;"
root@linuxlite-desktop:/var/log/exim4#

2017-12-03 8:45 GMT+01:00 Torsten Tributh via Exim-users <exim-users@???>:
> Hi,
> in the last weeks, I see an increasing amount of DKIM errors,
> mentioning a (pubkey_dns_syntax) error.
>
> Here is just a single sample:
> 2017-12-02 20:10:15.090 [23827] 1eLDB0-0006CJ-W4 DKIM: d=fohrmann.com
> s=newsletter2go c=simple/simple a=rsa-sha256 b=1024 [invalid - syntax
> error in public key record]
>
> When checking the DKIM-key by hand:
>
> dig +short TXT newsletter2go._domainkey.fohrmann.com
> "v=spf1 mx a include:spf.nl2go.com -all"
> "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOicsJWjGF90epzxL+IpdHMLCrPTdUpWhYV6o6LgIhidD1DdofDGxqkCZ671sdwh4drVtIMHn6Ojm1uabRYoa3QeiHJ5Sz90X3KMKH6z4GI3h4y9+2Ov9g7aQ7VCYuKxcRCD7ZGKUhiBcFZZkU+cRlx1pdFPkX8+AXM19JbJKcQIDAQAB;"
>
> it turned out that there is, beside the DKIM-key, an extra SPF-record.
> Could that be the reason for the "(pubkey_dns_syntax)" in the log?
> When I look "only" at the DKIM-key it looks correct.
>
> Is that an error, getting confused from extra DNS settings in DKIM-Key
> checking, or should we blame the persons, who start to put
> SPF-records in unusual places?
>
> Kind regards Torsten
>
>
> --
> Torsten
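
Added example (not part of the original messages and not Exim's own code): a Python implementation of the record-selection rule proposed in the reply, run over the two TXT strings shown in the thread. The function names and status strings are hypothetical; rejecting a set with several v=DKIM1 records is an assumption of this example, and treating an empty p= as revoked follows RFC 6376.

```python
import base64

# TXT RRset returned for newsletter2go._domainkey.fohrmann.com in the thread.
SPF_TXT = "v=spf1 mx a include:spf.nl2go.com -all"
DKIM_TXT = (
    "v=DKIM1; k=rsa; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPOicsJWjGF90epzxL+Ipd"
    "HMLCrPTdUpWhYV6o6LgIhidD1DdofDGxqkCZ671sdwh4drVtIMHn6Ojm1uab"
    "RYoa3QeiHJ5Sz90X3KMKH6z4GI3h4y9+2Ov9g7aQ7VCYuKxcRCD7ZGKUhiBc"
    "FZZkU+cRlx1pdFPkX8+AXM19JbJKcQIDAQAB;"
)


def parse_tags(record):
    """Parse 'tag=value; tag=value'; raise ValueError on malformed input."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # empty piece, e.g. after a trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError("malformed or duplicate tag")
        tags[name] = value.strip()
    return tags


def select_dkim_key(txt_records):
    """Return (status, key_bytes) for all TXT strings found at a selector name."""
    # Rule from the reply: anything not starting with v=DKIM1 is skipped.
    candidates = [r for r in txt_records if r.lstrip().startswith("v=DKIM1")]
    if not candidates:
        return ("no_key", None)
    if len(candidates) > 1:
        return ("invalid", None)  # assumption of this example: ambiguous set
    try:
        tags = parse_tags(candidates[0])
        if tags["v"] != "DKIM1":  # e.g. "v=DKIM10" passes the prefix test
            raise ValueError("bad version")
        p = "".join(tags["p"].split())  # KeyError if p= is missing
        if not p:
            return ("revoked", None)  # empty p= marks a withdrawn key
        return ("ok", base64.b64decode(p, validate=True))
    except (KeyError, ValueError):
        return ("invalid", None)


if __name__ == "__main__":
    print(select_dkim_key([SPF_TXT, DKIM_TXT])[0])
```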