Note: it's Christmas Eve. I would figure Best Buy would care about this,
but with propagation delays and the like I don't think it's fixable or
advisable for a major DNS change this soon before Christmas.

Anyway, here's the relevant data:

Two domains that I dkim-verify are being rejected with a key retrieval
error.

The mail is for me, waiting for a "your item is ready for in-store
pickup". Because they don't fully auth my card until I pick it up, if I
wait and wait and don't get that email, and go somewhere else, this is a
revenue loser for them.

Anyway, rather than talking finance, let's post the details:

BIND 9.6.1
Sendmail 8.14.1
dkim-filter: Sendmail DKIM Filter v2.8.2 (upgraded to 2.8.3 after I
started this mail).
Compiled with OpenSSL 0.9.8e 23 Feb 2007
Supported signing algorithms:
rsa-sha1
rsa-sha256
Supported canonicalization algorithms:
relaxed
simple
On the mailer machine:
%grep nBOMTkxC033377 /var/log/maillog
Dec 24 17:29:47 <mail.info> prime sm-mta[33377]: nBOMTkxC033377:
from=<bounce-41_html-31948602-4944-97381-2767...@bounce.emailinfo2.bestbuy.com>,
size=22100, class=0, nrcpts=1,
msgid=<[email protected]>,
bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=aq98.mta.exacttarget.com
[66.231.88.98]
Dec 24 17:29:48 <mail.info> prime sm-mta[33377]: nBOMTkxC033377: Milter
insert (1): header: X-DomainKeys: Sendmail DomainKeys Filter v1.0.2
prime.gushi.org nBOMTkxC033377
Dec 24 17:29:48 <mail.info> prime sm-mta[33377]: nBOMTkxC033377: Milter
insert (1): header: Authentication-Results: prime.gushi.org;
dkim=neutral\n\[email protected]; dkim-adsp=none
Dec 24 17:29:48 <mail.info> prime sm-mta[33377]: nBOMTkxC033377: Milter
insert (1): header: X-DKIM: Sendmail DKIM Filter v2.8.2 prime.gushi.org
nBOMTkxC033377
Dec 24 17:29:48 <mail.info> prime sm-mta[33377]: nBOMTkxC033377: Milter:
data, reject=451 4.3.2 Please try again later
Dec 24 17:29:48 <mail.info> prime sm-mta[33377]: nBOMTkxC033377:
to=<[email protected]>, delay=00:00:01, pri=52100, stat=Please try again
later
On the dkim-filter machine:
Dec 24 18:24:40 quark dkim-filter[63303]: nBONLXQN043249: key retrieval
failed (s=200608, d=emailinfo2.bestbuy.com):
`200608._domainkey.emailinfo2.bestbuy.com' record not found
Dec 24 18:24:40 quark dkim-filter[63303]: nBONLXdo043248: key retrieval
failed (s=200608, d=emailinfo2.bestbuy.com):
`200608._domainkey.emailinfo2.bestbuy.com' record not found

So, I believe milter-dkim registers the NXDOMAIN as a tempfail. Here are
the questions.

1) Why? I can understand a SERVFAIL or a DNS timeout being cause for
this, or a FORMERR, but not an NXDOMAIN. NXDOMAIN is not an error.
In my mind, a nonexistent key should mean a dkim fail, to be treated as
such, just as though I had made up a key with a bogus selector, and used
it to send forged mail.

1.5) For the purposes of -C actions, does this count as a "dnserror", same
as the above conditions (SERVFAIL, etc)?

2) What's worse is I don't see a way to tune this, either per-domain or
per-dns-errortype, in either /etc/mail/access or in dkim.conf. How would
I whitelist this, and say, "yes, *.bestbuy.com is having a problem, I'm
working around it"? (Note that I see a way to do it by IP in the
archives, but not by domain).

-Dan
--
"SOY BOMB!"
-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
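
Added example, not part of the original message or of dkim-milter: a triage script that pulls the key-retrieval failures out of dkim-filter log lines like the two quoted above, rebuilds the DNS name that was queried, and labels each with the result RFC 4871 section 6.1.2 assigns to a key record that does not exist. The regular expression is inferred only from the two log lines in this message; the function names, and leaving any other failure reason unclassified, are assumptions.

```python
import re
from collections import defaultdict

# The two dkim-filter lines from the message above, unwrapped to one line each.
SAMPLE_LOG = """\
Dec 24 18:24:40 quark dkim-filter[63303]: nBONLXQN043249: key retrieval failed (s=200608, d=emailinfo2.bestbuy.com): `200608._domainkey.emailinfo2.bestbuy.com' record not found
Dec 24 18:24:40 quark dkim-filter[63303]: nBONLXdo043248: key retrieval failed (s=200608, d=emailinfo2.bestbuy.com): `200608._domainkey.emailinfo2.bestbuy.com' record not found
"""

# Pattern inferred from the lines above (assumption: other releases may differ).
KEY_FAIL = re.compile(
    r"dkim-filter\[\d+\]: (?P<qid>\w+): key retrieval failed "
    r"\(s=(?P<selector>[^,]+), d=(?P<domain>[^)]+)\): (?P<detail>.*)$"
)


def classify(detail):
    """Label a logged failure reason with the RFC 4871 section 6.1.2 result."""
    if detail.rstrip().endswith("record not found"):
        # The key record does not exist: the RFC's permanent failure case.
        return "PERMFAIL (no key for signature)"
    # Any other reason text is left for the operator (assumption of this example).
    return "UNCLASSIFIED (inspect the DNS response)"


def summarize(log_text):
    """Group key-retrieval failures by the DNS name that was queried."""
    report = defaultdict(lambda: {"queue_ids": [], "outcome": None})
    for line in log_text.splitlines():
        m = KEY_FAIL.search(line)
        if not m:
            continue  # not a key-retrieval failure line
        # DKIM key records live at <selector>._domainkey.<domain>
        qname = f"{m['selector']}._domainkey.{m['domain']}"
        report[qname]["queue_ids"].append(m["qid"])
        report[qname]["outcome"] = classify(m["detail"])
    return dict(report)


if __name__ == "__main__":
    for qname, entry in summarize(SAMPLE_LOG).items():
        print(f"{qname}: {len(entry['queue_ids'])} message(s), {entry['outcome']}")
```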