verify failed for DNSSEC-enabled sender domain

From: Andreas Schulze <sca@andreasschulze.de>
Date: Mon, 22 Nov 2010 21:51:04 +0100

Hi,

I have this setup:

sender opendkim-2.2.1
receiver opendkim-2.2.2

The sender domain is DNSSEC-enabled.
The recipient system is DNSSEC-ready (fec0::1 is a local unbound resolver):
# dig @fec0::1 2009._domainkey.t-isa.de. txt +dnssec

; <<>> DiG 9.6-ESV-R1 <<>> @fec0::1 2009._domainkey.t-isa.de. txt +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53811
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;2009._domainkey.t-isa.de. IN TXT

;; ANSWER SECTION:
2009._domainkey.t-isa.de. 262 IN TXT "v=DKIM1\;h=sha256\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXqT6jrgr2qSGWnDu36Y/sVsAfUfwbk9asiUCfZ3cq5cU3/bWNs6jNOyirr59uhRrfNvXl" "5B+iwMrilAxlT6l2baTwc02OqYAo0m3Or1rTu1Hq+yt2TysAiTEg+ZScde6t/hBcDwrSLHCfMN69diJ5S3g5VKkUakWNpCEQJfJr/QIDAQAB"
2009._domainkey.t-isa.de. 262 IN RRSIG TXT 7 4 300 20101207152121 20101109152121 47948 t-isa.de. pSUSxVnZE45ce25XNlLayTmlRaIP1WwGt7qGRRuSuMzRl7qh313ZVv9z Dr9HaYjvim1GDu+dR0enCumzlFcQgJrvQ0fGbaJ5/G3vHjyw8MS4CF8n ZjrC7K+8US1waDswTDLcC7vXAOK+Fv7+ajMNEN2n3jrl7Aq8gahmbnL4 5tA=

;; AUTHORITY SECTION:
t-isa.de. 85616 IN NS nsd01.t-isa.de.
t-isa.de. 85616 IN NS nsd02.t-isa.de.
t-isa.de. 85616 IN RRSIG NS 7 2 86400 20101207152121 20101109152121 47948 t-isa.de. Ww+YCwW9BRcc5E8d7cBvgaIlQGP4MUwShxXuI/ieURZDfeF8ZcbMM7Dl amnYGTmUJTd7QvnhX62XysrLeByJsBvTUzlDW+YuNkwUb5OmJvv2T6Ir aLEYaWiZCzVHGzQ4Ho7fV6a1vxUvupppH8XfasoYM7HQQCGWaE7RAPyx dfw=

;; ADDITIONAL SECTION:
nsd01.t-isa.de. 262 IN A 193.27.50.9
nsd02.t-isa.de. 262 IN A 193.27.54.9
nsd01.t-isa.de. 262 IN RRSIG A 7 3 300 20101207152121 20101109152121 47948 t-isa.de. U1mppFm9tCH0IX4XWHSZg5IsXrYUrat1RsfR6/jZZCwmfXiA4BJiC75p d6TL8LCPUkPpet3w4l8TSWQ4+Vqp1/MclNU6hXqp+hzW/NbCy5Ym6OM7 7fKgIqu02biNjMCd89ufFjfnL3OSE1FmNL+ARECvEWlpX5P97Er5Lg3y eP8=
nsd02.t-isa.de. 262 IN RRSIG A 7 3 300 20101207152121 20101109152121 47948 t-isa.de. hAUqtb5Em4EGz1E9hQPWeq1mEWdVr4SvOCq2QDo8+NEEF209LwtCRKyw G3qn5uEVXFvmhO+9P7iD2DnKQdnnvMCrP64o1OcFb7fA/HzNlbVE8/Sa nGWQz2i80StUkBSEjgq1z01lagN97JibMKl+xVn940EMa/VNU9LwTOJX cW4=

;; Query time: 3 msec
;; SERVER: fec0::1#53(fec0::1)
;; WHEN: Mon Nov 22 21:40:22 2010
;; MSG SIZE rcvd: 1046

The resolver at the receiver is unbound; the DS of t-isa.de is attached.

opendkim fails to verify but inserts this Authentication-Results header:
Authentication-Results: 9645f8.dyndns.org/3432BFEB8; dkim=permerror
        (verification error: multiple DNS replies for
        `2009._domainkey.t-isa.de'; insecure key) header.i=@t-isa.de
        header.b=ZrcD7FFu; dkim-adsp=none (insecure policy)

Logging shows only:
Nov 22 21:29:31 taro opendkim[23410]: 3432BFEB8: no MTA name match
Nov 22 21:29:31 taro opendkim[23410]: 3432BFEB8: mailout01.t-isa.de [193.27.54.76] not internal
Nov 22 21:29:31 taro opendkim[23410]: 3432BFEB8: not authenticated
Nov 22 21:29:32 taro amavis[21506]: (21506) dkim: VALID Author+Sender+MailFrom signature by d=t-isa.de, From: <sca@t-isa.de>, a=rsa-sha256, c=relaxed/simple, s=2009, i=@t-isa.de

As expected, amavis is able to verify the signature.
If I disable DNSSEC on the receiver system, opendkim can verify the mail.

I do not think this is specific to 2.2.2.
But I have no plan to debug this!
Ideas ???

taro:/etc/postfix# opendkim -V
opendkim: OpenDKIM Filter v2.2.2
        Compiled with OpenSSL 0.9.8g 19 Oct 2007
        SMFI_VERSION 0x1000001
        libmilter version 1.0.1
        Supported signing algorithms:
                rsa-sha1
                rsa-sha256
        Supported canonicalization algorithms:
                relaxed
                simple
        Active code options:
                USE_DB
                USE_UNBOUND
                _FFR_ADSP_LISTS
                _FFR_BODYLENGTH_DB
                _FFR_CAPTURE_UNKNOWN_ERRORS
                _FFR_DIFFHEADERS
                _FFR_DKIM_REPUTATION
                _FFR_IDENTITY_HEADER
                _FFR_REDIRECT
                _FFR_REPORT_INTERVALS
                _FFR_SENDER_MACRO
                _FFR_STATS
                _FFR_STATS_I
        libopendkim 2.2.2: diffheaders dkim_reputation parsetime debug


Thanks
Andreas
-- 
########################################################################
#
# Andreas Schulze
# https://andreasschulze.de
# 
# GnuPG Key-ID: A7DBA67F, https://andreasschulze.de/sca.asc
# GnuPG Fingerprint: 14C1 39A8 CE6D 6BE0 28C6 5652 03B5 6793 A7DB A67F
#
# $Id: .signature,v 1.3 2007-12-27 21:13:36 sca Exp $
########################################################################
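To check what the resolver actually hands back for the selector, it helps to reassemble the key record exactly as dig prints it above (two quoted character-strings, `;` escaped as `\;`) and look inside the p= key. The following is an added example, not code from the original post or from OpenDKIM; RDATA is constructed from the dig ANSWER line quoted in the message.

```python
"""Inspect a DKIM key record as dig prints it. Added example, not from the
original post; RDATA is constructed from the dig ANSWER line above."""
import base64
import re

# Two <character-string>s on one line, with dig's backslash-escaped ';' (constructed from the post).
RDATA = ('"v=DKIM1\\;h=sha256\\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXqT6jrgr2qSGWnDu36Y/sVsAfUfwbk9asiUCfZ3cq5cU3/bWNs6jNOyirr59uhRrfNvXl" '
         '"5B+iwMrilAxlT6l2baTwc02OqYAo0m3Or1rTu1Hq+yt2TysAiTEg+ZScde6t/hBcDwrSLHCfMN69diJ5S3g5VKkUakWNpCEQJfJr/QIDAQAB"')

def join_character_strings(rdata: str) -> str:
    """Concatenate all quoted strings (RFC 6376 3.6.2.2) and undo dig's backslash escaping."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:
        raise ValueError("no quoted character-strings in rdata")
    return "".join(parts).replace('\\;', ';').replace('\\"', '"')

def parse_tags(record: str) -> dict:
    """Split a tag=value list; whitespace inside values is insignificant (RFC 6376 3.2)."""
    tags = {}
    for item in filter(None, (s.strip() for s in record.split(';'))):
        name, sep, value = item.partition('=')
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = re.sub(r'\s+', '', value)
    return tags

def rsa_modulus_bits(spki: bytes) -> int:
    """Walk the SubjectPublicKeyInfo DER down to the RSA modulus and return its bit size."""
    def tlv(pos):  # -> (tag, start of value, end of value)
        tag, length, pos = spki[pos], spki[pos + 1], pos + 2
        if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
            n = length & 0x7f
            length, pos = int.from_bytes(spki[pos:pos + n], 'big'), pos + n
        return tag, pos, pos + length
    _, start, _ = tlv(0)                   # SEQUENCE SubjectPublicKeyInfo
    _, _, alg_end = tlv(start)             # SEQUENCE AlgorithmIdentifier (rsaEncryption)
    tag, bits_start, _ = tlv(alg_end)      # BIT STRING subjectPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, seq_start, _ = tlv(bits_start + 1)  # skip the unused-bits byte; SEQUENCE RSAPublicKey
    _, m_start, m_end = tlv(seq_start)     # INTEGER modulus
    return int.from_bytes(spki[m_start:m_end], 'big').bit_length()

def inspect_dkim_key(rdata: str) -> dict:
    """Return the parsed tags plus DER length and RSA modulus size of the p= key."""
    tags = parse_tags(join_character_strings(rdata))
    if not tags.get('p'):
        raise ValueError("p= empty (key revoked) or missing")
    der = base64.b64decode(tags['p'], validate=True)
    return {'tags': tags, 'der_len': len(der), 'modulus_bits': rsa_modulus_bits(der)}
```

A verifier that forgets to concatenate the character-strings sees a truncated p= and fails the record; comparing the modulus size here with the signing key is a quick sanity check before suspecting the DNSSEC path.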

Received on Mon Nov 22 2010 - 20:51:24 PST