Comments (13)
Hm, I don't see anywhere in the RFC where CNAME lookups are mentioned.
from go-msgauth.
True, I was surprised when I saw that too, but it looks like at least MailChimp and SendGrid give instructions for setting up DKIM using CNAME.
And it looks like there is no consensus between the different implementations of DNS resolution providers (libdns, libbind9, or whatever else is causing the difference on the two different setups).
The question is - how do you weigh sticking to the spec vs what is happening in practice?
from go-msgauth.
The problem here is not the CNAME - nslookup -type=txt s1._domainkey.namecheap.com on my Debian Bookworm system returns the TXT record, as does net.LookupTXT("s1._domainkey.namecheap.com"). The DKIM RFC does not need to mention CNAMEs, because RFC 1034 already says that a TXT lookup will follow CNAMEs.
The problem is that your server is having some trouble contacting namecheap.com's DNS servers:
;; Connection to xxx#53(xxx) for s1._domainkey.namecheap.com failed: timed out.
;; Connection to xxx#53(xxx) for s1._domainkey.namecheap.com failed: timed out.
;; Connection to xxx#53(xxx) for s1._domainkey.namecheap.com failed: timed out.
;; Connection to xxx#53(xxx) for s1._domainkey.namecheap.com failed: timed out.
;; Connection to xxx#53(xxx) for s1._domainkey.namecheap.com failed: timed out.
from go-msgauth.
That's not the issue
maddy@frodo:~$ nslookup -type=cname s1._domainkey.namecheap.com
Server: xxx
Address: xxx#53
Non-authoritative answer:
s1._domainkey.namecheap.com canonical name = s1.domainkey.u1828068.wl069.sendgrid.net.
Authoritative answers can be found from:
namecheap.com nameserver = edns1.registrar-servers.com.
namecheap.com nameserver = edns2.registrar-servers.com.
namecheap.com nameserver = edns4.ultradns.biz.
namecheap.com nameserver = edns4.ultradns.com.
namecheap.com nameserver = edns4.ultradns.net.
namecheap.com nameserver = edns4.ultradns.org.
from go-msgauth.
What is the exact error returned by go-msgauth?
from go-msgauth.
Then the problem is likely contacting sendgrid.net's servers. Try nslookup -type=txt s1.domainkey.u1828068.wl069.sendgrid.net
from go-msgauth.
Then the problem is likely contacting sendgrid.net's servers. Try nslookup -type=txt s1.domainkey.u1828068.wl069.sendgrid.net
Already tried that
maddy@frodo:~$ nslookup -type=txt s1.domainkey.u1828068.wl069.sendgrid.net.
Server: xxx
Address: xxx#53
Non-authoritative answer:
s1.domainkey.u1828068.wl069.sendgrid.net text = "k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4EJ2WbK3G12fhP8hlHBTABlvdbKePJXwux+sjGXRnnoVdGAaw9q9D96qeW3uWqAbBSyPB06w4zTeK1qi7Ar+rBC91zKEiuoi6Rbd8xkDBG1Emo8RMhZjOHer5xl0TobynvYy6J4F/ge4OgA17nNDfc7n2Xg+OOKHVY4dVZfdgNR29eGraxD8X0E2pMBdNgtqKvt6S" "4irlnEuhvko+Ls3XqBicTnM30QO4ffyIJWlUqHEwVjBUHKXV+/sTif8UecWw2m9uLYlPbeNBAjMcRtmKYC+tKT39laA2mtPuQub9LHtgzkmAXqE9D7uvgc8gEoUgdvQyefKClRR/rKomB9CeQIDAQAB"
from go-msgauth.
Well, you're clearly having trouble contacting something as indicated by the "timed out" errors from nslookup, but it's hard to know because you're redacting the error messages. You still haven't provided the full error message from go-msgauth. It should look something like:
dkim: key unavailable: lookup s1._domainkey.namecheap.com on 169.254.169.254:53: dial udp 169.254.169.254:53: connect: no route to host
from go-msgauth.
key unavailable: lookup s1._domainkey.namecheap.com on [2a01:4ff:ff00::add:2]:53: read udp [fd00::249f:bfff:fe7a:72e6]:48573->[2a01:4ff:ff00::add:2]:53: i/o timeout
Already tried the following:
maddy@frodo:~$ nslookup -type=cname s1._domainkey.namecheap.com 2a01:4ff:ff00::add:2
Server: 2a01:4ff:ff00::add:2
Address: 2a01:4ff:ff00::add:2#53
Non-authoritative answer:
s1._domainkey.namecheap.com canonical name = s1.domainkey.u1828068.wl069.sendgrid.net.
Authoritative answers can be found from:
namecheap.com nameserver = edns4.ultradns.biz.
namecheap.com nameserver = edns4.ultradns.com.
namecheap.com nameserver = edns4.ultradns.net.
namecheap.com nameserver = edns4.ultradns.org.
namecheap.com nameserver = edns1.registrar-servers.com.
namecheap.com nameserver = edns2.registrar-servers.com.
maddy@frodo:~$ nslookup -type=txt s1._domainkey.namecheap.com 2a01:4ff:ff00::add:2
;; communications error to 2a01:4ff:ff00::add:2#53: timed out
;; communications error to 2a01:4ff:ff00::add:2#53: timed out
;; communications error to 2a01:4ff:ff00::add:2#53: timed out
;; no servers could be reached
from go-msgauth.
This sounds like an issue with the DNS server, not with go-msgauth. The following program fails on the Go playground, but succeeds locally for me: https://go.dev/play/p/MGIIpQS_oix
from go-msgauth.
I tried a similar example locally and on the server and got the same result as you - local success and remote failure. Looks like the problem is with the local resolver and not the DNS server, since using 1.1.1.1 as the nslookup server also fails.
You're right that this issue isn't related to go-msgauth. I mentioned this in the issue description, but I was hoping to try to figure out what exactly is going on because this is quite a strange and unexpected issue.
Anyway, thanks for your help, and for yours @AGWA. I'll try some more things and report if I have any success.
from go-msgauth.
Okay, got it.
;; Truncated, retrying in TCP mode.
My nftables config is pretty conservative, and has a whitelist of outbound TCP ports which did not include 53.
from go-msgauth.
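Why the TCP retry hits the namecheap name but not the sendgrid name, as an added example in Go that is not part of this thread or of go-msgauth: it computes a lower bound on the DNS reply size for a 2048-bit RSA DKIM record (a constructed 392-character base64 stand-in for the key, assuming a server that answers plain UDP without EDNS0, so RFC 1035's 512-byte limit applies) with and without the CNAME RR, and builds a net.Resolver pinned to TCP as a check for blocked outbound TCP/53; the resolver address is the one quoted earlier in the thread.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
)

// wireNameLen: uncompressed size of a name on the wire (RFC 1035 3.1),
// one length byte per label plus the terminating zero-length label.
func wireNameLen(name string) int {
	n := 1
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		n += 1 + len(l)
	}
	return n
}

// txtRDATALen: TXT RDATA is <character-string>s of at most 255 bytes, each
// with a 1-byte length (hence the two quoted strings nslookup printed).
func txtRDATALen(txt string) int { return len(txt) + (len(txt)+254)/255 }

// minReplyLen is a lower bound on a TXT reply: 12-byte header, question,
// the CNAME RR when qname is an alias, and the TXT RR (owner names as 2-byte
// pointers). Authority/additional records only add to it. Above 512 bytes
// a server without EDNS0 sets TC and the client retries over TCP/53.
func minReplyLen(qname, cnameTarget, txt string) int {
	n := 12 + wireNameLen(qname) + 4
	if cnameTarget != "" {
		n += 2 + 10 + wireNameLen(cnameTarget)
	}
	return n + 2 + 10 + txtRDATALen(txt)
}

// tcpResolver pins Go's built-in resolver to TCP, so a blocked outbound
// TCP/53 fails the first query instead of only the post-truncation retry.
func tcpResolver(server string) *net.Resolver {
	return &net.Resolver{PreferGo: true, Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
		var d net.Dialer
		return d.DialContext(ctx, "tcp", server)
	}}
}

func main() {
	txt := "v=DKIM1; k=rsa; p=" + strings.Repeat("A", 392) // constructed: a 2048-bit RSA PKIX key is 294 DER bytes, 392 base64 chars
	alias, target := "s1._domainkey.namecheap.com", "s1.domainkey.u1828068.wl069.sendgrid.net"
	fmt.Println("direct:", minReplyLen(target, "", txt), "via CNAME:", minReplyLen(alias, target, txt), "UDP limit: 512")
	_, err := tcpResolver("[2a01:4ff:ff00::add:2]:53").LookupTXT(context.Background(), alias) // the resolver from the thread
	fmt.Println("forced-TCP lookup:", err)
}
```

The direct sendgrid reply stays under 512 bytes while the CNAME-chained reply for the namecheap name does not, which matches which nslookup answered over UDP. If nslookup reports ";; Truncated, retrying in TCP mode." and the forced-TCP lookup times out against a server that answered the UDP query, the egress firewall is the blocker, not the resolver.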