SPF and DKIM

nessys
Registered
Posts: 10
Joined: 12 Feb 2014, 00:11

Hi,

I'm not sure if this topic belongs to PowerDNS or SoluteDNS module category, however...

=== SPF ===
I'm unable to make SPF and DKIM work properly. Using the old module (OpenSRS) we had SPF as a regular TXT record. Now I can see SPF as a different type, and I'm trying both TXT and SPF... it gets replicated in the MySQL backend, but when I try to resolve it publicly, nothing happens, even after waiting over 24/48 hours (TTL is 1 hour):

Record: <domain> SPF v=spf1 a mx ptr include:servers.mcsv.net ~all

When trying to resolve it:
pacoAIR:~ paco$ dig SPF nessys.es

; <<>> DiG 9.8.3-P1 <<>> SPF nessys.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nessys.es. IN SPF

;; Query time: 3365 msec
;; SERVER: 80.58.61.250#53(80.58.61.250)
;; WHEN: Tue Feb 25 10:36:23 2014
;; MSG SIZE rcvd: 27


==== DKIM ====
Same problem, it gets replicated from WHMCS to the MySQL backend but when I check publicly nothing happens.

Record: google._domainkey TXT v=DKIM1; k=rsa; p={...}

{...} <-- long DKIM key goes here

Could you let me know what I'm doing wrong?

Kind regards
Daniel
Support
Posts: 207
Joined: 02 Aug 2013, 17:50

I have tested it with:
example.com IN TXT v=spf1 a mx ip4:192.168.2.1 ~all

which gave no problems.

Have you enabled dnssec?
nessys
Registered
Posts: 10
Joined: 12 Feb 2014, 00:11

Hi Daniel,

I had dnssec enabled earlier just to evaluate this feature but currently it is not in use:
Image

Do you mean that this could be an issue? I can see in system status something related:

DNSsec auto rectify INACTIVE (Please see: Manual: Automated rectification)
Turnover table 3 zones in table
External API Module UNAVAILABLE
Version 0.1.2

I'm checking now the documentation and I should have a feature called "Reset Security"

---- snippet ----
To remove all current zone keys and pre-signed settings and reset them to the default use this function. Current keys will be renewed.
---- / snippet ----

But can't find such option.

BTW SSH details under DNSSEC are currently blank, should I allow SSH access again to get the affected zones rectified?

Regards
Daniel
Support
Posts: 207
Joined: 02 Aug 2013, 17:50

Regardless of the SoluteDNS settings, is DNSsec still enabled on your PowerDNS server?

The Reset Security button will only appear in the admin zone management when DNSsec is enabled.

If DNSsec is enabled, zones require rectification. SoluteDNS does this by adding zones which are changed to a queue. On each rectify-cron run it will clear the queue and rectify all zones in it.

If you login to ssh and enter:

pdnssec rectify-zone nessys.es
The zone will be rectified by PowerDNS, and you could now check if the concerning records start to work.
nessys
Registered
Posts: 10
Joined: 12 Feb 2014, 00:11

Hi Daniel,

I followed your steps, logged in to the DNS machine and issued the command, but the output is:

[root@dns3 ~]# pdnssec rectify-zone nessys.es
Non DNSSEC zone, only adding empty non-terminals

So, no way to identify the root problem.

Any other clue? Otherwise I would consider re-creating the zone entirely... but for this domain I have 65 records so it is quite time consuming :(

Any clue where to look next?

Kind regards
Daniel
Support
Posts: 207
Joined: 02 Aug 2013, 17:50

I've sent you a mail for further debugging. Please review your mailbox.
nessys
Registered
Posts: 10
Joined: 12 Feb 2014, 00:11

Thanks for your kind assistance Daniel,

followed your email instructions and the problem seems to be resolved.

If it helps here we have the fix:

---For both DKIM and SPF issues---

I was missing <domain> tag for name field and double quotes in the content field -> Corrected and working.

Note: [Only SPF] it only works when selecting TXT instead of SPF type in the drop-down menu (seems to be a bug). I've found that SPF can be added if you don't use double quotes, but doing so the entry syntax is invalid; in the meantime I've set SPF as a TXT type record instead.

Thanks ;)
Daniel
Support
Posts: 207
Joined: 02 Aug 2013, 17:50

No problem at all, you’re welcome!

SPF record entries failing to add to the zone has been filed under bug report #182.

In the client area the system will add the zone name either way, however in the admin it does require the <domain> tag. It should however return a validation error as the zone name is missing, which it obviously did not. Filed as bug report #183.

In this case the empty records also showed up, which are added by PowerDNS if dnssec is enabled and a non-dnssec zone gets rectified. I’m not sure which versions of PowerDNS show this behaviour but at least the latest release 3.3.1 does this. Currently only one empty record will be added. There is at this time no point in deleting it as it will be recreated after each rectification.
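
An added example, not part of the thread and not SoluteDNS or PowerDNS code: a small Python check for the two mistakes the fix above describes (a record name missing the zone name, and TXT content without double quotes), applied to rows as they would be stored in the backend. The zone, rows and function names are constructed for illustration; the 255-byte check (the DNS limit on one TXT character-string, relevant to long DKIM keys) and the RFC 7208 note on the SPF type go beyond what the thread covers.

```python
import re

# A TXT content field is one or more double-quoted strings separated by spaces.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
_TXT_CONTENT = re.compile(r'\s*%s(?:\s+%s)*\s*' % (_QUOTED, _QUOTED))

NO_ZONE = "name does not include the zone name"
NO_QUOTES = "content is not enclosed in double quotes"
TOO_LONG = "quoted string longer than 255 bytes"
SPF_TYPE = "SPF type used; RFC 7208 publishes SPF as TXT only"

def lint_record(zone, name, rtype, content):
    """Return the list of problems found in one (name, type, content) row."""
    problems = []
    zone = zone.lower().rstrip(".")
    owner = name.lower().rstrip(".")
    # "google._domainkey" alone is relative; the stored name must end in the zone.
    if owner != zone and not owner.endswith("." + zone):
        problems.append(NO_ZONE)
    if rtype.upper() in ("TXT", "SPF"):
        if not _TXT_CONTENT.fullmatch(content):
            problems.append(NO_QUOTES)
        else:
            for chunk in re.findall(_QUOTED, content):
                if len(re.sub(r"\\(.)", r"\1", chunk).encode("utf-8")) > 255:
                    problems.append(TOO_LONG)
                    break
    if rtype.upper() == "SPF":
        problems.append(SPF_TYPE)
    return problems

def lint_rows(zone, rows):
    """Map 'name type' to its problems, for the rows that have any."""
    checked = ((n, t, lint_record(zone, n, t, c)) for n, t, c in rows)
    return {"%s %s" % (n, t): p for n, t, p in checked if p}

# Constructed sample rows for a constructed zone (not data from the thread).
ZONE = "example.com"
KEY = "A" * 300  # stand-in for a long base64 DKIM public key
ROWS = [
    ("google._domainkey", "TXT", "v=DKIM1; k=rsa; p=" + KEY),
    ("example.com", "SPF", "v=spf1 a mx ~all"),
    ("example.com", "TXT", '"v=spf1 a mx ip4:192.168.2.1 ~all"'),
    ("google._domainkey.example.com", "TXT", '"v=DKIM1; k=rsa; p=%s"' % KEY),
    ("google._domainkey.example.com", "TXT",
     '"v=DKIM1; k=rsa; p=%s" "%s"' % (KEY[:200], KEY[200:])),
]

if __name__ == "__main__":
    print(lint_rows(ZONE, ROWS))
```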