Re: verify failed for dnssec enabled senderdomain

From: Daniel Black <daniel.subs_at_internode.on.net>
Date: Wed, 24 Nov 2010 20:40:03 +1100

On Tuesday 23 November 2010 08:10:10 Murray S. Kucherawy wrote:
> Is it possible the nameserver is returning the A and the RRSIG in the same
> response, rather than returning them individually in response to different
> queries? That would explain this behaviour.
>
> If this is to be expected, I'll need to modify libopendkim to expect
> RRSIGs as well as TXTs. Currently it only expects one TXT in reply to a
> query, and anything other than that or a CNAME is considered an exception.

$ /usr/sbin/unbound-host -t txt -y 't-isa.de. 3600 IN DS 18459 7 1 9174d68d1e6bb922a4afe6bf98ca7d20c3121fd3' 2009._domainkey.t-isa.de. -d

....
[1290591469] libunbound[7901:0] info: Successfully primed trust anchor <t-isa.de. DNSKEY IN>
[1290591469] libunbound[7901:0] info: validate(positive): sec_status_secure
[1290591469] libunbound[7901:0] info: validation success <2009._domainkey.t-isa.de. TXT IN>
2009._domainkey.t-isa.de. has TXT record
"v=DKIM1;h=sha256;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXqT6jrgr2qSGWnDu36Y/sVsAfUfwbk9asiUCfZ3cq5cU3/bWNs6jNOyirr59uhRrfNvXl"
""
"5B+iwMrilAxlT6l2baTwc02OqYAo0m3Or1rTu1Hq+yt2TysAiTEg+ZScde6t/hBcDwrSLHCfMN69diJ5S3g5VKkUakWNpCEQJfJr/QIDAQAB"

DNSSEC looks fine here. Try from your receiver machine.
Received on Wed Nov 24 2010 - 09:35:10 PST
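
The case raised in the quoted question, a reply whose answer section carries an RRSIG next to the TXT record, shown as an added example. It is not part of the original message and is not libopendkim code; collect_txt, skip_name, SAMPLE and the name s._domainkey.example are hypothetical. It walks the answer section, joins the TXT character-strings (split as in the unbound-host output above) and skips RRSIG and CNAME records instead of treating them as an exception.

```c
#include <stddef.h>
#include <string.h>
enum { RR_CNAME = 5, RR_TXT = 16, RR_RRSIG = 46 };

/* Constructed sample reply: a TXT RR (three character-strings, the middle one
 * empty) followed by an RRSIG RR whose RDATA is 4 placeholder bytes. */
static const unsigned char SAMPLE[] =
    "\x00\x01\x81\xa0\x00\x01\x00\x02\x00\x00\x00\x00"      /* header: QD=1, AN=2 */
    "\x01s\x0a_domainkey\x07" "example\x00\x00\x10\x00\x01" /* question: TXT IN */
    "\xc0\x0c\x00\x10\x00\x01\x00\x00\x0e\x10\x00\x11"      /* TXT RR, RDLENGTH 17 */
    "\x08v=DKIM1;\x00\x06p=QUJD"
    "\xc0\x0c\x00\x2e\x00\x01\x00\x00\x0e\x10\x00\x04\xde\xad\xbe\xef"; /* RRSIG RR */

/* Skip a (possibly compressed) name; returns the next offset, 0 if malformed. */
static size_t skip_name(const unsigned char *m, size_t len, size_t off)
{
    while (off < len) {
        if (m[off] == 0) return off + 1;
        if ((m[off] & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0;
        if (m[off] & 0xC0) return 0;           /* reserved label type */
        off += 1 + (size_t)m[off];
    }
    return 0;
}

/* Join the character-strings of every TXT RR in the answer section into out,
 * skipping RRSIG and CNAME. Returns the TXT RR count, or -1 on malformed
 * input, an unexpected RR type, or an output buffer that is too small. */
int collect_txt(const unsigned char *m, size_t len, char *out, size_t outsz)
{
    size_t off = 12, used = 0;
    int txt = 0;
    if (len < 12 || outsz == 0) return -1;
    unsigned qd = (m[4] << 8) | m[5], an = (m[6] << 8) | m[7];
    while (qd--)
        if ((off = skip_name(m, len, off)) == 0 || (off += 4) > len) return -1;
    while (an--) {
        if ((off = skip_name(m, len, off)) == 0 || off + 10 > len) return -1;
        unsigned type = (m[off] << 8) | m[off + 1];
        size_t end = off + 10 + ((m[off + 8] << 8) | m[off + 9]);
        if (end > len || (type != RR_TXT && type != RR_RRSIG && type != RR_CNAME))
            return -1;
        for (off += 10; type == RR_TXT && off < end; ) {
            size_t n = m[off++];
            if (off + n > end || used + n >= outsz) return -1;
            memcpy(out + used, m + off, n);
            used += n; off += n;
        }
        txt += (type == RR_TXT);
        off = end;
    }
    out[used] = '\0';
    return txt;
}
```

A return value other than 1 is what a caller expecting exactly one key record would reject.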
