1 (edited by Rashef 2010-03-05 00:07:26)

Topic: DKIM: invalid (public key: not available)

Since I noticed some weird messages looking at log files I checked my config and I noticed that one of my domains seems to have a problem with DKIM.

# amavisd testkeys
TESTING#1: dkim._domainkey.maindomain.com => invalid (public key: not available)
TESTING#2: dkim._domainkey.virtual1.com      => pass
TESTING#3: dkim._domainkey.virtual2.com      => pass
TESTING#4: dkim._domainkey.virtual3.com      => pass

maindomain.com is the main domain I created when installing iRedMail for the first time. It passed the amavis test after installation and after every domain addition. The key set in the DNS zone is right (I compared with amavisd showkeys output).

Thanks and regards

2

Re: DKIM: invalid (public key: not available)

Temporary DNS lookup error?

3

Re: DKIM: invalid (public key: not available)

ZhangHuangbin wrote:

Temporary DNS lookup error?

This is what I thought yesterday... but today I start to be a little bit worried! :-P

4

Re: DKIM: invalid (public key: not available)

Still says invalid... Anything I can check before squeezing my provider?
This is strange since all the other domains are on the same server/provider.

5

Re: DKIM: invalid (public key: not available)

TESTING#1: dkim._domainkey.maindomain.com => invalid (public key: not available)

Can you find it with dig/nslookup in command line?

$ dig -t txt dkim._domainkey.xxx.com

6

Re: DKIM: invalid (public key: not available)

ZhangHuangbin wrote:

TESTING#1: dkim._domainkey.maindomain.com => invalid (public key: not available)

Can you find it with dig/nslookup in command line?

$ dig -t txt dkim._domainkey.xxx.com

I noticed that for each virtual domain I get:

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

while for the main domain I get:

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

following an AUTHORITY SECTION instead of ANSWER SECTION...

7

Re: DKIM: invalid (public key: not available)

The output should look like this:

[root@ns1 ~]# dig -t txt dkim._domainkey.mydomain.tld

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> -t txt dkim._domainkey.mydomain.tld
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20961
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dkim._domainkey.mydomain.tld. IN        TXT

;; ANSWER SECTION:
dkim._domainkey.mydomain.tld. 86400 IN TXT "v=DKIM1\; p=" "saiojoisajfoiweu327809weu9fusa9/xvgsdfgfdsgregerug09eu09hgesrug09"
"uhrs90uh00uug09hdufs0ufd0gufds0[.........]"

;; Query time: 6 msec
;; SERVER: 89.35.128.6#53(89.35.128.6)
;; WHEN: Tue Mar  9 12:15:45 2010
;; MSG SIZE  rcvd: 297

Notice the "answer section". If it doesn't look like above, then it's a DNS problem.

8

Re: DKIM: invalid (public key: not available)

maxie_ro wrote:

Notice the "answer section". If it doesn't look like above, then it's a DNS problem.

Yes, this is what I get for each virtual domain but the main domain:

# dig -t txt dkim._domainkey.maindomain.it

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> -t txt dkim._domainkey.maindomain.it
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53794
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dkim._domainkey.maindomain.it. IN TXT

;; AUTHORITY SECTION:
maindomain.it.     10278   IN      SOA     ns1.myprovider.com. myname.maindomain.it. 2009061615 86400 7200 3600000 86400

;; Query time: 5 msec
;; SERVER: xx.xx.xx.xx#53(xx.xx.xx.xx)
;; WHEN: Tue Mar  9 11:07:49 2010
;; MSG SIZE  rcvd: 114

DNS records are almost the same...
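
Added example, not part of any post in this thread: the comparison posts 7 and 8 make by eye (ANSWER section present versus NXDOMAIN with only an AUTHORITY section) can be scripted against saved dig output. The function name, the verdict words, the example.test domain and the key text are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the text output of
#   dig -t txt <selector>._domainkey.<domain>
# on stdin and prints one verdict word.
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case $status in
        NXDOMAIN) echo nxdomain; return ;;      # the queried name does not exist
        NOERROR)  ;;
        *)        echo lookup-error; return ;;  # SERVFAIL, REFUSED, incomplete capture
    esac
    [ "${answers:-0}" -gt 0 ] || { echo nodata; return; }  # name exists, no TXT there
    # Record lines do not start with ';'. dig prints a long TXT value as several
    # quoted strings and escapes ';', so join the strings and undo the escape.
    txt=$(printf '%s\n' "$out" | grep -v '^;' | grep 'IN[[:space:]]\{1,\}TXT' |
          sed -e 's/^[^"]*//' -e 's/"[[:space:]]*"//g' -e 's/"//g' -e 's/\\;/;/g')
    case $txt in
        *v=DKIM1*) ;;
        *) echo not-dkim; return ;;
    esac
    # Split the tag list on ';' and take the p= tag (the base64 public key).
    # RFC 6376 treats an empty p= as a revoked key.
    p=$(printf '%s\n' "$txt" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | head -n 1)
    if [ -n "$p" ]; then echo key-present; else echo revoked-or-empty; fi
}

# Constructed sample responses (example.test and the key text are made up).
sample_ok() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
dkim._domainkey.example.test. 3600 IN TXT "v=DKIM1\; p=" "Q09OU1RSVUNURUQ" "tS0VZ"
EOF
}
sample_nxdomain() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 86400 7200 3600000 86400
EOF
}

sample_ok | classify_dig
sample_nxdomain | classify_dig
```

Run it against each nameserver listed for the zone (dig @server ...) to see whether they all give the same verdict.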

9 (edited by maxie_ro 2010-03-09 18:35:24)

Re: DKIM: invalid (public key: not available)

Check on your TLD provider that the nameservers you want to use are registered correctly for your domain. Check on all nameservers you use for correct dkim settings (both on master and slaves). Be sure that you don't have any mistakes in the zone files (like a missing dot and so on).

P.S.

Could you check your domain on http://www.dnssy.com/?

10

Re: DKIM: invalid (public key: not available)

maxie_ro wrote:

Check on your TLD provider that the nameservers you want to use are registered correctly for your domain. Check on all nameservers you use for correct dkim settings (both on master and slaves). Be sure that you don't have any mistakes in the zone files (like a missing dot and so on).

All my domains are hosted by the same provider. All have the same nameservers. And most entries are almost the same. I checked for typos without success.
I noticed that for every domain (except for the main one) the nameserver automatically trims the domain name from the DKIM entry. I mean that the entry dkim._domainkey.vsdomain.it now is dkim._domainkey. I tried to change it back but it trims the domain name again in a few hours.
The main domain is kept instead: dkim._domainkey.maindomain.it is still there.

Could you check your domain on http://www.dnssy.com/?

I got these warnings:
- Some of your nameservers failed to return an A record for your domain.
- You have only 2 nameservers, which is the minimum allowed.
- Your nameservers are all on the same class C IP namespace.
- Your SOA refresh value is 24 hours.
- Your SOA minimum TTL value is 24 hours.

Only one failed (but I guess it depends on policies):
- I got an error response to my "RCPT TO:<postmaster@mydomain.it>" message.

11

Re: DKIM: invalid (public key: not available)

DKIM entries for your main domain should have a dot at the end if you use its full name, like:

dkim._domainkey.maindomain.it.

Anyway, you should contact the hosting/DNS provider.
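
Added example, not part of any post in this thread: the trailing-dot rule from post 11, applied to the owner names described in post 10. It assumes BIND-style zone-file semantics (RFC 1035 section 5.1); a provider's web panel may store names differently. The function names, example.test and the key text are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): how a BIND-style zone file reads an
# owner name. Names ending in "." are absolute; anything else gets the zone
# origin appended (RFC 1035 section 5.1).

# qualify ORIGIN OWNER -> fully qualified, lower-cased owner name
qualify() {
    origin=${1%.}.
    case $2 in
        @)  printf '%s\n' "$origin" ;;
        *.) printf '%s\n' "$2" ;;
        *)  printf '%s.%s\n' "$2" "$origin" ;;
    esac | tr '[:upper:]' '[:lower:]'
}

# audit_dkim_owners ORIGIN SELECTOR < zonefile
# For each record line carrying v=DKIM1, print "ok <fqdn>" when the record
# lands on <selector>._domainkey.<origin>, otherwise "misplaced <fqdn>".
# Assumes every record line starts with its owner name (no inherited owners).
audit_dkim_owners() {
    want=$(qualify "$1" "$2._domainkey")
    grep -v '^[[:space:]]*;' | grep 'v=DKIM1' | while read -r owner rest; do
        fqdn=$(qualify "$1" "$owner")
        if [ "$fqdn" = "$want" ]; then
            echo "ok $fqdn"
        else
            echo "misplaced $fqdn"
        fi
    done
}

# Constructed zone fragment for origin example.test (key text is a placeholder).
sample_zone() { cat <<'EOF'
; three ways of writing the same DKIM owner name
dkim._domainkey                3600 IN TXT "v=DKIM1; p=CONSTRUCTEDKEY"
dkim._domainkey.example.test.  3600 IN TXT "v=DKIM1; p=CONSTRUCTEDKEY"
dkim._domainkey.example.test   3600 IN TXT "v=DKIM1; p=CONSTRUCTEDKEY"
EOF
}

sample_zone | audit_dkim_owners example.test dkim
```

The third record is the case post 11 describes: written in full but without the final dot, it is published under dkim._domainkey.example.test.example.test., so a query for the intended name finds nothing.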

12 (edited by Rashef 2010-03-09 20:44:53)

Re: DKIM: invalid (public key: not available)

I finally solved it... I deleted the entry and set it again... I just did copy&paste but now it works...

13 (edited by tedseu 2013-11-30 01:02:10)

Re: DKIM: invalid (public key: not available)

Rashef wrote:

I finally solved it... I deleted the entry and set it again... I just did copy&paste but now it works...

...right, I also just did copy, then made a few changes as follows:

root@server:/home/user# vim /etc/bind/zones/ptp.co.id.db

ptp.co.id.    3600    IN      TXT     "v=spf1 mx mx:iredmail.ptp.co.id -all"
; key#1, domain ptp.co.id, /var/lib/dkim/ptp.co.id.pem
dkim._domainkey.ptp.co.id.    3600 TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDW37GR1sdUNLS6ydploT4LZwumpilEobAMp30qFza9Ex... "


root@server:/home/user# amavisd-new testkeys
TESTING#1: dkim._domainkey.ptp.co.id       => pass

root@server:/home/user# dig -t txt dkim._domainkey.ptp.co.id

; <<>> DiG 9.8.1-P1 <<>> -t txt dkim._domainkey.ptp.co.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50243
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;dkim._domainkey.ptp.co.id.   IN      TXT

;; ANSWER SECTION:
dkim._domainkey.ptp.co.id. 3600 IN    TXT     "v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDW37GR1sdUNLS6ydploT4LZwumpilEobAMp+30qFza9ExGGPaqxsy6maYdrp86gmuOybKzMTHQGHJvaXDMLwoD/hIVW6m3g9Z2tSnYD4ajGHDbtqhUBqi6FcnvJlJrWXU8HvLq+aC39sFwjyCiGm+ZT9hPfk4cyu10PfnCIEFLMwIDAQAB"

;; AUTHORITY SECTION:
ptp.co.id.            3600    IN      NS      dns.ptp.co.id.

;; ADDITIONAL SECTION:
dns.ptp.co.id.        3600    IN      A       10.0.0.200

;; Query time: 0 msec
;; SERVER: 10.0.0.200#53(10.0.0.200)
;; WHEN: Tue Aug 13 17:17:13 2013
;; MSG SIZE  rcvd: 319