RE: key retrieval error, reply truncated, any ideas?

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Fri, 7 Oct 2011 12:57:52 -0700

The DKIM library is complaining that the DNS resolver you're using returned a response with the "tc" (truncation) bit set, which means the reply to the key query was truncated and may be missing critical data. What normally should happen is that the resolver will repeat the query using TCP instead of UDP, allowing a longer reply, and then opendkim should receive the complete response without "tc" set.

I note that your syslog says "dkim-filter", which isn't opendkim. It's possible there are some fixes in the truncation flag handling since dkim-milter, though I can't say for sure from the RELEASE_NOTES.

I'll use your sample to verify that opendkim handles this properly with the various resolver options (unbound, libar, bind).

What's the output of "dkim-filter -V"?

-MSK

From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Howard Leadmon
Sent: Friday, October 07, 2011 11:14 AM
To: opendkim-users_at_lists.opendkim.org
Subject: key retrieval error, reply truncated, any ideas?


I know in general we have DKIM working well, but I have this implemented on a client's server that is getting an error, and I am not quite sure what to make of it. I was able to get the email in for them by placing an exemption in the config, but that really just masks the problem. So I am trying to figure out if this is something wrong at logmein.com, or is this a problem on my side of the shop that I need to address.

Here is the error:

Oct 7 13:50:30 mail2 mail2-smtp[48120]: p97HoRe1048120: from=<do-not-reply_at_logmein.com>, size=11127, class=0, nrcpts=1, msgid=<smail.1318007021211.xq4zkgpblvfirvthyq6l4110khgspvrc0mqe7k3we58m9npd2l_at_WWW01-13.logmein.com>, proto=ESMTP, daemon=MTA-v4, relay=relay01-01.logmein.com [69.25.20.1]

Oct 7 13:50:30 mail2 dkim-filter[1488]: p97HoRe1048120: key retrieval failed (s=s1024, d=logmein.com): `s1024._domainkey.logmein.com' reply truncated


I know for a fact we allow DNS queries up to 4096 bytes, and I can sign mail from my server to theirs and it works fine, so I am guessing this may be a logmein.com problem. I tried some Google-fu on the error, but all I could find were some comments about a library issue from long ago that I am sure would have been corrected.


Any input or ideas most appreciated...



---
Howard Leadmon
Received on Fri Oct 07 2011 - 19:58:03 PST
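
The truncation handling described in the reply above (a UDP reply with the "tc" bit set, then the same query repeated over TCP), sketched as an added example; it is not code from this thread, from dkim-milter, or from opendkim. The transports are passed in as callables (an assumption, so it runs offline), and the two sample replies and the placeholder key record are constructed.

```python
import struct

TC_FLAG = 0x0200   # "tc" bit in the DNS header flags word (RFC 1035, 4.1.1)
QTYPE_TXT = 16     # DKIM keys are published as TXT records

def build_query(name, txid=0x1234):
    """Encode a one-question TXT query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_TXT, 1)

def is_truncated(message):
    """True when the reply header has the tc bit set."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & TC_FLAG)

def lookup(name, udp_send, tcp_send):
    """Query over UDP; repeat over TCP if truncated. Returns (reply, transport)."""
    query = build_query(name)
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply, "udp"
    # DNS over TCP prefixes each message with a 2-byte length (RFC 1035, 4.2.2)
    framed = tcp_send(struct.pack("!H", len(query)) + query)
    (length,) = struct.unpack("!H", framed[:2])
    reply = framed[2:2 + length]
    if is_truncated(reply):
        raise RuntimeError("reply truncated even over TCP")
    return reply, "tcp"

# Constructed sample replies (not captured traffic), standing in for a resolver.
def make_reply(query, flags, answers=b"", ancount=0):
    head = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    return head + query[12:] + answers

def fake_udp(query):
    return make_reply(query, 0x8380)   # QR|TC|RD|RA: truncated, no answers

def fake_tcp(framed):
    txt = b"v=DKIM1; k=rsa; p=PLACEHOLDER"   # placeholder, not a real key
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(txt) + 1)
          + bytes([len(txt)]) + txt)
    body = make_reply(framed[2:], 0x8180, rr, 1)
    return struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    print(lookup("s1024._domainkey.logmein.com", fake_udp, fake_tcp)[1])
```

A verifier that stops at the first truncated reply, or whose TCP retry is blocked on port 53, ends up at the "reply truncated" failure shown in the log above.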
