RE: OPENDKIM Errors

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Fri, 29 Jan 2010 09:32:18 -0800

SM's correct, but just to provide a little more detail:

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of SM
> Sent: Friday, January 29, 2010 7:07 AM
> To: Roman Gelfand
> Cc: opendkim-users_at_lists.opendkim.org
> Subject: Re: OPENDKIM Errors
>
> At 06:38 29-01-10, Roman Gelfand wrote:
> >I am getting the following errors in the mail.err file.
> >
> >Jan 24 18:35:23 mail opendkim[7601]: A2A4064FB4 ADSP query:
> >`_adsp._domainkey.yahoo.com' unexpected reply class/type
> >Jan 24 18:35:24 mail opendkim[7601]: 23DEE64FED ADSP query:
> >`_adsp._domainkey.yahoo.com' unexpected reply class/type
> >Jan 25 15:05:44 mail opendkim[2167]: 9C18263F3A: bad signature data
>
> The DNS record is "broken":
>
> _adsp._domainkey.yahoo.com. CNAME rc.yahoo.com.
>
> rc.yahoo.com. CNAME rc.fy.b.yahoo.com.
>
> rc.fy.b.yahoo.com. A 206.190.60.37

So what happened here is that you got mail from yahoo.com. Apparently the DKIM key retrieval part went fine, but then we asked for the ADSP record of yahoo.com. They haven't posted one. However, presumably so that typos in Yahoo URLs bring people to pretty pages instead of error pages, they have a record in their nameserver that catches all unknown names and points them to the IP address you see above. But we didn't ask for an address ("A") record, we asked for a text ("TXT") record in the policy query. So ultimately the name resolver gives a response that isn't "record not found", but is instead another kind of unexpected reply. That results in the error you see. The "bad signature data" is not an accurate explanation; that part is an opendkim problem I'll fix shortly.

> >Jan 26 09:42:28 mail opendkim[2168]: E99B663D4C: bad signature data

Don't know about that one without more detail about that job ID.

> >Jan 27 15:10:01 mail opendkim[2168]: 073C063D18: key retrieval failed
> >(s=dkim1024, d=clearancejobs.com): res_query():
> >`dkim1024._domainkey.clearancejobs.com' Unknown host
> >Jan 27 15:10:02 mail opendkim[2168]: 7F76E63D4F: key retrieval failed
> >(s=dkim1024, d=clearancejobs.com): res_query():
> >`dkim1024._domainkey.clearancejobs.com' Unknown host
>
> There isn't a DNS record for dkim1024._domainkey.clearancejobs.com.
>
> >Is it a case of unhandled condition or a source mail server bug?
>
> It is a mistake on the sender's end.

In particular, you got some mail with a DKIM signature that contained "s=dkim1024" and "d=clearancejobs.com". That claims there's a TXT record at dkim1024._domainkey.clearancejobs.com containing the public key to be used to validate that message, but the signer has not posted a public key there. It's a misconfiguration problem in the DNS server at clearancejobs.com, not a bug.
Received on Fri Jan 29 2010 - 17:32:29 PST
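
Added example, not part of the original message and not OpenDKIM code: a simplified Python model of the two TXT lookups discussed above, with the resolver's reply on one side and the verifier's reading of it on the other. The zone is constructed from the records quoted in the thread; `sel1._domainkey.example.test`, its placeholder key and all function names are made up for illustration.

```python
# Simplified model for illustration; not OpenDKIM code.
# ZONE is constructed from the records quoted in the thread, plus one made-up
# example.test key record so the success path can be shown.
ZONE = {
    "_adsp._domainkey.yahoo.com": [("CNAME", "rc.yahoo.com")],
    "rc.yahoo.com": [("CNAME", "rc.fy.b.yahoo.com")],
    "rc.fy.b.yahoo.com": [("A", "206.190.60.37")],
    "sel1._domainkey.example.test": [("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER")],
}

def key_name(selector, domain):
    """Owner name of the key record named by s=selector, d=domain."""
    return f"{selector}._domainkey.{domain}".lower()

def adsp_name(domain):
    """Owner name of the ADSP policy record for an author domain."""
    return f"_adsp._domainkey.{domain}".lower()

def answer_txt_query(zone, qname, max_chain=8):
    """Resolver side: return (rcode, answer RRs) for a TXT query on qname."""
    name, answer = qname.lower().rstrip("."), []
    for _ in range(max_chain):
        rrset = zone.get(name)
        if rrset is None:
            return ("NXDOMAIN", answer)      # nothing published at this name
        cname = [r for r in rrset if r[0] == "CNAME"]
        if cname:
            # Aliases are reported in the answer and then followed.
            answer.append((name, "CNAME", cname[0][1]))
            name = cname[0][1].lower().rstrip(".")
            continue
        # Only records of the requested type are added; the A record is not.
        answer += [(name, t, d) for t, d in rrset if t == "TXT"]
        return ("NOERROR", answer)
    return ("SERVFAIL", answer)              # alias chain too long or looping

def classify(rcode, answer):
    """Verifier side: map a reply to the outcomes discussed in the thread."""
    if any(t == "TXT" for _, t, _ in answer):
        return "ok"
    if rcode == "NXDOMAIN":
        return "not_found"        # logged as "Unknown host" in the thread
    if answer:
        return "unexpected_type"  # reply holds records, but none are TXT
    return "no_data" if rcode == "NOERROR" else "error"
```
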
