Posted: 25 Feb 2014, 10:43
by nessys

I'm not sure if this topic belongs to PowerDNS or SoluteDNS module category, however...

=== SPF ===
I'm unable to make SPF and DKIM work properly. Using the old module (OpenSRS) we had SPF as a regular TXT record. Now I can see SPF as a different type; I'm trying both as TXT and SPF... it gets replicated in the MySQL backend, but when I try to resolve it publicly, nothing happens, even after waiting over 24/48 hours (TTL is 1 hour):

Record: <domain> SPF v=spf1 a mx ptr ~all

When trying to resolve it:
pacoAIR:~ paco$ dig SPF

; <<>> DiG 9.8.3-P1 <<>> SPF
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


;; Query time: 3365 msec
;; WHEN: Tue Feb 25 10:36:23 2014
;; MSG SIZE rcvd: 27

==== DKIM ====
Same problem: it gets replicated from WHMCS to the MySQL backend, but when I check publicly nothing happens.

Record: google._domainkey TXT v=DKIM1; k=rsa; p={...}

{...} <-- long DKIM key goes here

Could you let me know what I'm doing wrong?

Kind regards

Re: SPF and DKIM

Posted: 25 Feb 2014, 14:17
by Daniel
I have tested it with: IN TXT v=spf1 a mx ip4: ~all

which gave no problems.

Have you enabled dnssec?

Re: SPF and DKIM

Posted: 26 Feb 2014, 10:44
by nessys
Hi Daniel,

I had dnssec enabled earlier just to evaluate this feature but currently it is not in use:

Do you mean that this could be an issue? I can see in system status something related:

DNSsec auto rectify INACTIVE (Please see: Manual: Automated rectification)
Turnover table 3 zones in table
Version 0.1.2

I'm checking now the documentation and I should have a feature called "Reset Security"

---- snippet ----
To remove all current zone keys and pre-signed settings and reset them to the default use this function. Current keys will be renewed.
---- / snippet ----

But I can't find such an option.

BTW, SSH details under DNSSEC are currently blank. Should I allow SSH access again to get the affected zones rectified?


Re: SPF and DKIM

Posted: 26 Feb 2014, 12:17
by Daniel
Regardless of the SoluteDNS settings, is DNSsec still enabled on your PowerDNS server?

The Reset Security button will only appear in the admin zone management when DNSsec is enabled.

If DNSsec is enabled, zones require rectification. SoluteDNS does this by adding zones which are changed to a queue. On each rectify-cron run it will clear the queue and rectify all zones in it.

If you login to ssh and enter:

pdnssec rectify-zone

The zone will be rectified by PowerDNS, and you can now check whether the records concerned start to work.

Re: SPF and DKIM

Posted: 28 Feb 2014, 11:34
by nessys
Hi Daniel,

I followed your steps, logged in to the DNS machine and issued the command, but the output is:

[root@dns3 ~]# pdnssec rectify-zone
Non DNSSEC zone, only adding empty non-terminals

So, no way to identify the root problem.

Any other clue? Otherwise I would consider re-creating the zone entirely... but for this domain I have 65 records, so it is quite time-consuming :(

Any clue where to look next?

Kind regards

Re: SPF and DKIM

Posted: 28 Feb 2014, 12:48
by Daniel
I've sent you a mail for further debugging. Please review your mailbox.

Re: SPF and DKIM

Posted: 28 Feb 2014, 22:50
by nessys
Thanks for your kind assistance Daniel,

followed your email instructions and the problem seems to be resolved.

If it helps here we have the fix:

---For both DKIM and SPF issues---

I was missing the <domain> tag in the name field and double quotes in the content field -> Corrected and working.

Note: [Only SPF] it only works when selecting TXT instead of the SPF type in the drop-down menu (seems to be a bug). I've found that SPF can be added if you don't use double quotes, but doing so the entry syntax is invalid; in the meantime I've set SPF as a TXT type record instead.

Thanks ;)

Re: SPF and DKIM

Posted: 28 Feb 2014, 23:27
by Daniel
No problem at all, you’re welcome!

SPF record entries failing to add to the zone has been filed under bug report #182.

In the client area the system will add the zone name either way; however, in the admin it does require the <domain> tag. It should however return a validation error as the zone name is missing, which it obviously did not. Filed as bug report #183.

In this case the empty records also showed up, which are added by PowerDNS if dnssec is enabled and a non-dnssec zone gets rectified. I’m not sure which versions of PowerDNS show this behaviour, but at least the latest release 3.3.1 does this. Currently only one empty record will be added. There is at this time no point in deleting it, as it will be recreated after each rectification.
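
A lint for the two mistakes the thread ends on (a record name without the zone, and TXT content without double quotes), as an added example that is not part of the original thread or of SoluteDNS. It assumes rows shaped like the name/type/content columns of a PowerDNS SQL backend, and goes one step beyond the thread by also checking the 255-byte limit on each quoted string, which long DKIM keys can exceed; the zone, rows and finding codes are constructed for illustration.

```python
# Added example (not SoluteDNS or PowerDNS code): lint name/type/content rows.

def txt_strings(content):
    """Split TXT content into its double-quoted strings; None if any part is unquoted."""
    parts, i = [], 0
    while i < len(content):
        if content[i].isspace():
            i += 1
            continue
        if content[i] != '"':
            return None                        # bare, unquoted text
        i, buf = i + 1, []
        while i < len(content) and content[i] != '"':
            if content[i] == "\\" and i + 1 < len(content):
                i += 1                         # keep an escaped character literally
            buf.append(content[i])
            i += 1
        if i >= len(content):
            return None                        # closing quote missing
        parts.append("".join(buf))
        i += 1
    return parts or None

def lint_record(zone, name, rtype, content):   # returns finding codes; [] means clean
    findings = []
    zone, name = zone.rstrip(".").lower(), name.rstrip(".").lower()
    if name != zone and not name.endswith("." + zone):
        findings.append("name-outside-zone")   # the missing <domain> part
    if rtype.upper() == "SPF":
        findings.append("spf-type")            # thread's workaround: publish as TXT
    if rtype.upper() in ("TXT", "SPF"):
        strings = txt_strings(content)
        if strings is None:
            findings.append("unquoted-content")
        elif any(len(s.encode()) > 255 for s in strings):
            findings.append("string-over-255") # DNS limit per quoted string
    return findings

# Constructed sample rows for a hypothetical zone, example.com.
ZONE = "example.com"
SAMPLE = [
    ("google._domainkey", "TXT", "v=DKIM1; k=rsa; p=" + "A" * 40),
    ("example.com", "SPF", "v=spf1 a mx ~all"),
    ("example.com", "TXT", '"v=spf1 a mx ~all"'),
    ("google._domainkey.example.com", "TXT", '"v=DKIM1; k=rsa; p=' + "A" * 300 + '"'),
]
for name, rtype, content in SAMPLE:
    print(name, rtype, lint_record(ZONE, name, rtype, content) or "ok")
```

A row flagged string-over-255 is fixed by splitting the value into several quoted strings separated by a space; resolvers concatenate them.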