
I've installed and configured OpenDKIM and SPF TXT records on Ubuntu 18.04 LTS. However, I'm unable to resolve my DKIM TXT record. I'm running NSD as my DNS and configured as mydomain.com.zone.

My SPF record for mydomain.com returns OK:

root@host:# nslookup -q=txt mydomain.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
mydomain.com text = "v=spf1 mx a ip4:1.2.3.4 -all"

Authoritative answers can be found from:  

However, my DKIM record for mydomain.com returns no answer:

root@host# nslookup -q=txt mail._domainkey.mydomain.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
*** Can't find mail._domainkey.mydomain.com: No answer

Authoritative answers can be found from:

dig output against Public DNS

root@host:# dig @8.8.8.8 mydomain.com TXT +short
"v=spf1 mx a ip4:1.2.3.4 -all"
root@host:# dig @8.8.8.8 mail._domainkey.mydomain.com TXT +short
root@host:#

Zone file:

root@host:# cat /etc/nsd/zones/mydomain.com.zone

$ORIGIN mydomain.com.
$TTL 1800

@        IN         SOA         ns1.mydomain.com.     domains.mydomain.com. (
                                2018051301
                                3600
                                900
                                1209600
                                1800
                                )

@        IN         NS          ns1.mydomain.com.
@        IN         NS          ns2.mydomain.com.
@        IN         A           1.2.3.4
@        IN         MX          10 mail.mydomain.com.
@        IN         TXT         "v=spf1 mx a ip4:1.2.3.4 -all"

mail._domainkey     TXT         (
                                 "v=DKIM1\059 h=sha256\059 k=rsa\059 p=ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHI"
                                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ" )

ns1      IN          A           1.2.3.4
ns2      IN          A           1.2.3.4
www      IN          A           1.2.3.4
ftp      IN          A           1.2.3.4
mail     IN          A           1.2.3.4
*        IN          A           1.2.3.4

Everything OK here:

root@host:# nsd-checkzone mydomain.com mydomain.com.zone
zone mydomain.com is ok

However, running opendkim-testkey, it returns a "No key" error:

root@host:# opendkim-testkey -d mydomain.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.mydomain.com'
opendkim-testkey: No key

Configuration output:

root@host:# tree /etc/opendkim
/etc/opendkim
|-- keys
|   `-- mydomain.com
|       |-- mail.private
|       `-- mail.txt
|-- key.table
|-- signing.table
`-- trusted.hosts
2 directories, 5 files

root@host:/# cat /etc/opendkim/key.table
mail._domainkey.mydomain.com mydomain.com:mail:/etc/opendkim/keys/mydomain.com/mail.private

root@host:/# cat /etc/opendkim/signing.table
*@mydomain.com mail._domainkey.mydomain.com

root@interconit:/# cat /etc/opendkim.conf
Syslog yes
SyslogSuccess Yes
LogWhy Yes
UMask 002
UserID opendkim:opendkim
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
ExternalIgnoreList refile:/etc/opendkim/trusted.hosts
InternalHosts refile:/etc/opendkim/trusted.hosts
Canonicalization relaxed/simple
Mode sv
ADSPAction continue
AutoRestart yes
AutoRestartRate 10/1M
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From
Michael
  • Have you reloaded the zone after editing? If yes you have to wait some time for zone propagation across the servers. – Kondybas May 13 '18 at 07:45
  • nsd-control -c mydomain.com.zone reload mydomain.com.zone:1: at '$ORIGIN': error: syntax error read mydomain.com.zone failed: 1 errors in configuration file. I just can't see where the zone file is returning an error? – Michael May 13 '18 at 07:57
  • You are correct. DKIM keys loading OK now. The error was to reload nsd-control reconfig. There was also an incorrect zone: entry to mydomain.com.zone in nsd.conf which could have also contributed to the issue. – Michael May 13 '18 at 08:17

1 Answer


You must reload with nsd-control reconfig to allow the DKIM TXT changes to take effect. Check nsd.conf and ensure that the zone entries point to the correct zone files.

root@host:/etc/nsd# cat nsd.conf
server:
        ip-address: 127.0.0.1
        ip-address: 1.2.3.4
        username: nsd
        hide-version: yes
        zonesdir: "/etc/nsd/zones/"
        logfile: "/var/log/nsd.log"
        pidfile: "/run/nsd/nsd.pid"

# zone entry for mydomain.com
zone:
        name: mydomain.com
        zonefile: mydomain.com.zone


root@host:/etc/nsd# vim nsd.conf
root@host:/etc/nsd# nsd-control reconfig
reconfig start, read /etc/nsd/nsd.conf
ok
root@host:/etc/nsd# opendkim-testkey -d mydomain.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.mydomain.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

root@host:/etc/nsd# dig @8.8.8.8 mail._domainkey.mydomain.com TXT +short
"v=DKIM1; h=sha256; k=rsa; p=ABCDEFGHIJKLMNOPQRSTUVWXYZ" 
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"

root@host:/etc/nsd# nslookup -q=txt mail._domainkey.mydomain.com ns1.mydomain.com
Server:         ns1.mydomain.com
Address:        1.2.3.4#53

mail._domainkey.mydomain.com  text = "v=DKIM1; h=sha256; k=rsa; p=ABCDEFGHIJKLMNOPQRSTUVWXYZ" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Michael