Re: General DNS / SPF question
Hi there, On Sat, 7 Jan 2023, Michael Muller wrote: This is my first time posting here, and I'm not sure if it's the right place or not to ask my question. This is a general DNS question, specifically, I think, SPF. Probably not really the right place but the SPF users' list has been a bit dead for a while so let's see what happens. I host email using SmarterMail, and all 400+ customers either use a regular email client (desktop app/mobile device) or the webmail interface. One particular customer wants to use Gmail as their email client for sending email from their domain. What's the domain? I helped set up the settings at gmail for the SMTP server, and did the google-siteverification and added _include:gmail.com_ to the SPF TXT record, The gmail.com SPF record is just a redirect - wasteful. I'd suggest include:_spf.google.com instead. as well as DKIM and DMARC configured. I get green lights for the domain from Dmarcian (well, they said I had a duplicate SPF value, which I have removed). The emails that get sent *do* arrive for other users on my email server, but *not* to email addresses off-server, ie; @live.com I can see the traffic from gmail in my logs, and it appears the emails are sent, but they do not arrive. Stumped. Any spare brain cells available out there would be appreciated. Can you show us a log of one of the transactions? Or perhaps get the customer to try to send mail to me, I should be able to see everything that's needed in our server logs. -- 73, Ged. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: General DNS / SPF question
Please don’t hijack an existing thread by replying to an existing message for a
unrelated subject. It is bad form. Just create a new message and send it to
bind-us...@isc.org.
--
Mark Andrews
> On 8 Jan 2023, at 09:07, Michael Muller via bind-users
> wrote:
>
>
> Hello everyone,
>
> This is my first time posting here, and I'm not sure if it's the right place
> or not to ask my question. This is a general DNS question, specifically, I
> think, SPF.
>
> (Btw, I do use Bind in my system, so that's why I'm here.)
>
> I host email using SmarterMail, and all 400+ customers either use a regular
> email client (desktop app/mobile device) or the webmail interface.
>
> One particular customer wants to use Gmail as their email client for sending
> email from their domain. I helped set up the settings at gmail for the SMTP
> server, and did the google-siteverification and added include:gmail.com to
> the SPF TXT record, as well as DKIM and DMARC configured. I get green lights
> for the domain from Dmarcian (well, they said I had a duplicate SPF value,
> which I have removed).
>
> The emails that get sent *do* arrive for other users on my email server, but
> *not* to email addresses off-server, ie; @live.com
>
> I can see the traffic from gmail in my logs, and it appears the emails are
> sent, but they do not arrive.
>
> Stumped. Any spare brain cells available out there would be appreciated.
>
> Thanks,
>
> Mik
>
> Mik Muller, president
> Montague WebWorks
> 20 River Street, Greenfield, MA
> 413-320-5336
> http://MontagueWebWorks.com
> Powered by ROCKETFUSION
> On 1/7/2023 3:11 PM, Anders Löwinger wrote:
>> Hi
>>
>> I have some trouble with the parental-agents. Anyone seen this before/can
>> give me a clue to get this working?
>>
>> Tried with my two recursive resolvers first, then localhost. No difference.
>>
>> From the log
>>
>> named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response
>> from 2a00:f680:100:1501::32#53
>> named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response
>> from 2a00:f680:10:1501::33#53
>> named[3428351]: zone lowinger.se/IN (signed): checkds: empty DS response
>> from 127.0.0.1#53
>>
>> zone "lowinger.se" {
>>
>> type primary;
>> file "lowinger.se";
>> dnssec-policy lowinger-policy;
>> inline-signing yes;
>> // parental-agents {
>> // 2a00:f680:100:1501::32;
>> // 2a00:f680:100:1501::33;
>> // };
>>
>> parental-agents { 127.0.0.1; };
>> };
>>
>> BIND 9.18.10-1+ubuntu22.04.1+isc+1-Ubuntu (Stable Release)
>>
>>
>> dig has no problem resolving the DS record.
>>
>> # dig @127.0.0.1 lowinger.se ds +short
>> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>>
>> # dig @2a00:f680:100:1501::32 lowinger.se ds +short
>> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>>
>> # dig @2a00:f680:100:1501::33 lowinger.se ds +short
>> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>>
>>
>>
>>
>> --
>> Regards / Med vänlig hälsning
>> Anders Löwinger, CEO, Abundo AB, +46 72 206 0322
>>
>>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
General DNS / SPF question
Hello everyone,
This is my first time posting here, and I'm not sure if it's the right
place or not to ask my question. This is a general DNS question,
specifically, I think, SPF.
(Btw, I do use Bind in my system, so that's why I'm here.)
I host email using SmarterMail, and all 400+ customers either use a
regular email client (desktop app/mobile device) or the webmail interface.
One particular customer wants to use Gmail as their email client for
sending email from their domain. I helped set up the settings at gmail
for the SMTP server, and did the google-siteverification and added
_include:gmail.com_ to the SPF TXT record, as well as DKIM and DMARC
configured. I get green lights for the domain from Dmarcian (well, they
said I had a duplicate SPF value, which I have removed).
The emails that get sent *do* arrive for other users on my email server,
but *not* to email addresses off-server, ie; @live.com
I can see the traffic from gmail in my logs, and it appears the emails
are sent, but they do not arrive.
Stumped. Any spare brain cells available out there would be appreciated.
Thanks,
Mik
Mik Muller, president
Montague WebWorks
20 River Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION
On 1/7/2023 3:11 PM, Anders Löwinger wrote:
Hi
I have some trouble with the parental-agents. Anyone seen this
before/can give me a clue to get this working?
Tried with my two recursive resolvers first, then localhost. No
difference.
From the log
named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS
response from 2a00:f680:100:1501::32#53
named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS
response from 2a00:f680:10:1501::33#53
named[3428351]: zone lowinger.se/IN (signed): checkds: empty DS
response from 127.0.0.1#53
zone "lowinger.se" {
type primary;
file "lowinger.se";
dnssec-policy lowinger-policy;
inline-signing yes;
// parental-agents {
// 2a00:f680:100:1501::32;
// 2a00:f680:100:1501::33;
// };
parental-agents { 127.0.0.1; };
};
BIND 9.18.10-1+ubuntu22.04.1+isc+1-Ubuntu (Stable Release) *
*
dig has no problem resolving the DS record.
# dig @127.0.0.1 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4
BEB071CA
# dig @2a00:f680:100:1501::32 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4
BEB071CA
# dig @2a00:f680:100:1501::33 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4
BEB071CA
--
Regards / Med vänlig hälsning
Anders Löwinger, CEO, Abundo AB, +46 72 206 0322
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: parental-agent, emtpy DS response ?
On 2023-01-07 22:22, Mark Andrews wrote:
I suspect the problem is that the request does not have RD=1 and you are
talking to
recursive servers.
I changed parental-agents to one of the .SE DNS servers.
Jan 07 22:26:48 dns-signer2 named[3428351]: keymgr: checkds DS for key
lowinger.se/ECDSAP384SHA384/59647 seen published at Sat Jan 7 22:26:48
2023
Thanks!
The following should work except where the authoritative server
does not implement DNS properly and rejects recursive queries rather than just
treating
the request as not recursive.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index eab42bf8c0e..5b62fa8dc95 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -20704,6 +20704,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t
**messagep) {
message->opcode = dns_opcode_query;
message->rdclass = zone->rdclass;
+ message->flags |= DNS_MESSAGEFLAG_RD;
dns_message_gettempname(message, );
Any reason not making this default?
I don't want to track upstream nameservers... Asking my trusted
resolvers is much easier :)
--
Regards / Med vänlig hälsning
Anders Löwinger, CEO, Abundo AB, +46 72 206 0322
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: parental-agent, emtpy DS response ?
I suspect the problem is that the request does not have RD=1 and you are
talking to
recursive servers. The following should work except where the authoritative
server
does not implement DNS properly and rejects recursive queries rather than just
treating
the request as not recursive.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index eab42bf8c0e..5b62fa8dc95 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -20704,6 +20704,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t
**messagep) {
message->opcode = dns_opcode_query;
message->rdclass = zone->rdclass;
+ message->flags |= DNS_MESSAGEFLAG_RD;
dns_message_gettempname(message, );
> On 8 Jan 2023, at 07:11, Anders Löwinger wrote:
>
> Hi
>
> I have some trouble with the parental-agents. Anyone seen this before/can
> give me a clue to get this working?
>
> Tried with my two recursive resolvers first, then localhost. No difference.
>
> From the log
>
> named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from
> 2a00:f680:100:1501::32#53
> named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from
> 2a00:f680:10:1501::33#53
> named[3428351]: zone lowinger.se/IN (signed): checkds: empty DS response from
> 127.0.0.1#53
>
> zone "lowinger.se" {
>
> type primary;
> file "lowinger.se";
> dnssec-policy lowinger-policy;
> inline-signing yes;
> // parental-agents {
> // 2a00:f680:100:1501::32;
> // 2a00:f680:100:1501::33;
> // };
>
> parental-agents { 127.0.0.1; };
> };
>
> BIND 9.18.10-1+ubuntu22.04.1+isc+1-Ubuntu (Stable Release)
>
>
> dig has no problem resolving the DS record.
>
> # dig @127.0.0.1 lowinger.se ds +short
> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>
> # dig @2a00:f680:100:1501::32 lowinger.se ds +short
> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>
> # dig @2a00:f680:100:1501::33 lowinger.se ds +short
> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>
>
>
>
> --
> Regards / Med vänlig hälsning
> Anders Löwinger, CEO, Abundo AB, +46 72 206 0322
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
parental-agent, emtpy DS response ?
Hi
I have some trouble with the parental-agents. Anyone seen this
before/can give me a clue to get this working?
Tried with my two recursive resolvers first, then localhost. No difference.
From the log
named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS
response from 2a00:f680:100:1501::32#53
named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS
response from 2a00:f680:10:1501::33#53
named[3428351]: zone lowinger.se/IN (signed): checkds: empty DS
response from 127.0.0.1#53
zone "lowinger.se" {
type primary;
file "lowinger.se";
dnssec-policy lowinger-policy;
inline-signing yes;
// parental-agents {
// 2a00:f680:100:1501::32;
// 2a00:f680:100:1501::33;
// };
parental-agents { 127.0.0.1; };
};
BIND 9.18.10-1+ubuntu22.04.1+isc+1-Ubuntu (Stable Release) *
*
dig has no problem resolving the DS record.
# dig @127.0.0.1 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4
BEB071CA
# dig @2a00:f680:100:1501::32 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4
BEB071CA
# dig @2a00:f680:100:1501::33 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4
BEB071CA
--
Regards / Med vänlig hälsning
Anders Löwinger, CEO, Abundo AB, +46 72 206 0322
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
