[exim] Failing for DNSSEC lookup

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Christian Eyrich
Datum:  
To: exim-users
Betreff: [exim] Failing for DNSSEC lookup
Hi there,

my exim installation is failing when I try forcing DNSSEC for DANE using
"dnssec_require_domains" for any domain.

I tried to solve this riddle but failed, so I ask you to please solve it
for me or give me hints what I can try to further debug it. Following
are the informations I already have.


Example from "exim -bd -d-all+route+transport+dns" when forced in the
router:

--------> dnslookup_secure router <--------
local_part=dnssectest1 domain=mailbox.org
checking domains
R: dnslookup_secure for dnssectest1@???
calling dnslookup_secure router
dnslookup_secure router called for dnssectest1@???
domain = mailbox.org
DNS lookup of mailbox.org (MX) succeeded
dnslookup_secure router: defer for dnssectest1@???
message: host lookup done insecurely
added retry item for R:dnssectest1@???: errno=-1 more_errno=0
flags=0
LOG: MAIN
== dnssectest1@??? R=dnslookup_secure defer (-1): host lookup
done insecurely

or if forced in the transport:

routed by dnslookup_secure router
envelope to: dnssectest1@???
transport: remote_smtp_secure
host mx2.mailbox.org [2001:67c:2050:104:0:2:25:1] MX=10 dnssec=no
host mx1.mailbox.org [2001:67c:2050:104:0:1:25:1] MX=10 dnssec=no
host mx2.mailbox.org [80.241.60.215] MX=10 dnssec=no
host mx1.mailbox.org [80.241.60.212] MX=10 dnssec=no
host mx3.mailbox.org [2001:67c:2050:104:0:3:25:1] MX=20 dnssec=no
host mx3.mailbox.org [80.241.60.216] MX=20 dnssec=no
host mx-n.mailbox.org [91.198.250.17] MX=50 dnssec=no


DNS server used is a system local installation of unbound which to my
knowledge works and validates correctly, e.g.

chris@momos:~$ unbound-host -vDr mailbox.org
mailbox.org has address 80.241.60.194 (secure)
mailbox.org has IPv6 address 2001:67c:2050:106::443:194 (secure)
mailbox.org mail is handled by 10 mx1.mailbox.org. (secure)
mailbox.org mail is handled by 50 mx-n.mailbox.org. (secure)
mailbox.org mail is handled by 20 mx3.mailbox.org. (secure)
mailbox.org mail is handled by 10 mx2.mailbox.org. (secure)


For exim it doesn’t matter if dns_dnssec_ok = 1 is set or not in exim4.conf.

Configuration: exim 4.94.2 on Debian Bullseye, GnuTLS 3.7.1

Best regards,
Christian