Re: General DNS / SPF question

2023-01-07 Thread G.W. Haywood via bind-users

Hi there,

On Sat, 7 Jan 2023, Michael Muller wrote:

> This is my first time posting here, and I'm not sure if it's the
> right place or not to ask my question. This is a general DNS
> question, specifically, I think, SPF.

Probably not really the right place but the SPF users' list has been a
bit dead for a while so let's see what happens.

> I host email using SmarterMail, and all 400+ customers either use a
> regular email client (desktop app/mobile device) or the webmail interface.
>
> One particular customer wants to use Gmail as their email client for
> sending email from their domain.

What's the domain?

> I helped set up the settings at gmail for the SMTP server, and did
> the google-siteverification and added _include:gmail.com_ to the SPF
> TXT record,

The gmail.com SPF record is just a redirect - wasteful.  I'd suggest

include:_spf.google.com

instead.

> as well as DKIM and DMARC configured. I get green lights for the
> domain from Dmarcian (well, they said I had a duplicate SPF value,
> which I have removed).
>
> The emails that get sent *do* arrive for other users on my email server,
> but *not* to email addresses off-server, ie; @live.com
>
> I can see the traffic from gmail in my logs, and it appears the emails
> are sent, but they do not arrive.
>
> Stumped. Any spare brain cells available out there would be appreciated.

Can you show us a log of one of the transactions?  Or perhaps get the
customer to try to send mail to me, I should be able to see everything
that's needed in our server logs.

--

73,
Ged.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
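
Added example (not part of the original posts): a lookup counter showing why include:gmail.com costs one more DNS query than include:_spf.google.com against the RFC 7208 limit of 10 lookups per SPF check. The zone contents, customer.example and the _nb*.example.net names are constructed; only the gmail.com redirect comes from the reply above.

```python
import re

# Constructed sample zone (no live DNS). Only the gmail.com -> _spf.google.com
# redirect mirrors the thread; the other names and ranges are hypothetical.
ZONE = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:_nb1.example.net include:_nb2.example.net ~all",
    "_nb1.example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Terms that cost a DNS query: include, a, mx, ptr, exists and redirect=.
TERM = re.compile(
    r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=]([^/\s]+))?(?:/.*)?$", re.I)

def count_lookups(domain, zone, seen=frozenset()):
    """Worst-case number of DNS queries made while evaluating domain's SPF."""
    if domain in seen:
        raise ValueError(f"SPF loop through {domain}")
    total = 0
    for term in zone[domain].split()[1:]:      # skip the v=spf1 tag
        m = TERM.match(term)
        if not m:
            continue                            # ip4, ip6, all, exp=: not counted
        total += 1
        kind, target = m.group(1).lower(), m.group(2)
        if kind in ("include", "redirect") and target:
            total += count_lookups(target.lower(), zone, seen | {domain})
    return total

def customer_cost(google_term):
    """Lookup count for a hypothetical customer.example record using google_term."""
    zone = dict(ZONE)
    zone["customer.example"] = f"v=spf1 mx {google_term} -all"
    return count_lookups("customer.example", zone)

if __name__ == "__main__":
    for term in ("include:gmail.com", "include:_spf.google.com"):
        n = customer_cost(term)
        print(f"{term:26} {n} lookups, within limit: {n <= LOOKUP_LIMIT}")
```

The count is a worst case: it follows every include and redirect even when an earlier mechanism would already have matched.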


Re: General DNS / SPF question

2023-01-07 Thread Mark Andrews
Please don’t hijack an existing thread by replying to an existing message for an
unrelated subject. It is bad form. Just create a new message and send it to
bind-us...@isc.org.

-- 
Mark Andrews

> On 8 Jan 2023, at 09:07, Michael Muller via bind-users wrote:
> 
> 
> Hello everyone,
> 
> This is my first time posting here, and I'm not sure if it's the right place 
> or not to ask my question. This is a general DNS question, specifically, I 
> think, SPF.
> 
> (Btw, I do use Bind in my system, so that's why I'm here.)
> 
> I host email using SmarterMail, and all 400+ customers either use a regular 
> email client (desktop app/mobile device) or the webmail interface.
> 
> One particular customer wants to use Gmail as their email client for sending 
> email from their domain. I helped set up the settings at gmail for the SMTP 
> server, and did the google-siteverification and added include:gmail.com to 
> the SPF TXT record, as well as DKIM and DMARC configured. I get green lights 
> for the domain from Dmarcian (well, they said I had a duplicate SPF value, 
> which I have removed).
> 
> The emails that get sent *do* arrive for other users on my email server, but 
> *not* to email addresses off-server, ie; @live.com
> 
> I can see the traffic from gmail in my logs, and it appears the emails are 
> sent, but they do not arrive.
> 
> Stumped. Any spare brain cells available out there would be appreciated.
> 
> Thanks,
> 
> Mik
> 
> Mik Muller, president
> Montague WebWorks
> 20 River Street, Greenfield, MA
> 413-320-5336
> http://MontagueWebWorks.com
> Powered by ROCKETFUSION
> On 1/7/2023 3:11 PM, Anders Löwinger wrote:
>> Hi
>> 
>> I have some trouble with the parental-agents. Anyone seen this before/can 
>> give me a clue to get this working?
>> 
>> Tried with my two recursive resolvers first, then localhost. No difference.
>> 
>> From the log
>> 
>> named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from 2a00:f680:100:1501::32#53
>> named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from 2a00:f680:10:1501::33#53
>> named[3428351]: zone lowinger.se/IN (signed): checkds: empty DS response from 127.0.0.1#53
>> 
>> zone "lowinger.se" {
>> 
>> type primary;
>> file "lowinger.se";
>> dnssec-policy lowinger-policy;
>> inline-signing yes;
>> // parental-agents {
>> // 2a00:f680:100:1501::32;
>> // 2a00:f680:100:1501::33;
>> // };
>>   
>> parental-agents { 127.0.0.1; };
>> };
>> 
>> BIND 9.18.10-1+ubuntu22.04.1+isc+1-Ubuntu (Stable Release) 
>> 
>> 
>> dig has no problem resolving the DS record.
>> 
>> # dig @127.0.0.1 lowinger.se ds +short
>> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>> 
>> # dig @2a00:f680:100:1501::32 lowinger.se ds +short
>> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>> 
>> # dig @2a00:f680:100:1501::33 lowinger.se ds +short
>> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
>> 
>> 
>> 
>> 
>> -- 
>> Regards / Med vänlig hälsning
>> Anders Löwinger, CEO, Abundo AB, +46 72 206 0322
>> 
>> 


General DNS / SPF question

2023-01-07 Thread Michael Muller via bind-users

Hello everyone,

This is my first time posting here, and I'm not sure if it's the right 
place or not to ask my question. This is a general DNS question, 
specifically, I think, SPF.


(Btw, I do use Bind in my system, so that's why I'm here.)

I host email using SmarterMail, and all 400+ customers either use a 
regular email client (desktop app/mobile device) or the webmail interface.


One particular customer wants to use Gmail as their email client for 
sending email from their domain. I helped set up the settings at gmail 
for the SMTP server, and did the google-siteverification and added 
_include:gmail.com_ to the SPF TXT record, as well as DKIM and DMARC 
configured. I get green lights for the domain from Dmarcian (well, they 
said I had a duplicate SPF value, which I have removed).


The emails that get sent *do* arrive for other users on my email server, 
but *not* to email addresses off-server, ie; @live.com


I can see the traffic from gmail in my logs, and it appears the emails 
are sent, but they do not arrive.


Stumped. Any spare brain cells available out there would be appreciated.

Thanks,

Mik

Mik Muller, president
Montague WebWorks
20 River Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION

On 1/7/2023 3:11 PM, Anders Löwinger wrote:


Hi

I have some trouble with the parental-agents. Anyone seen this 
before/can give me a clue to get this working?


Tried with my two recursive resolvers first, then localhost. No 
difference.


From the log

named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from 2a00:f680:100:1501::32#53
named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from 2a00:f680:10:1501::33#53
named[3428351]: zone lowinger.se/IN (signed): checkds: empty DS response from 127.0.0.1#53


zone "lowinger.se" {

    type primary;
    file "lowinger.se";
    dnssec-policy lowinger-policy;
    inline-signing yes;
    // parental-agents {
    //     2a00:f680:100:1501::32;
    //     2a00:f680:100:1501::33;
    // };
    parental-agents { 127.0.0.1; };
};

BIND 9.18.10-1+ubuntu22.04.1+isc+1-Ubuntu (Stable Release)

dig has no problem resolving the DS record.

# dig @127.0.0.1 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA

# dig @2a00:f680:100:1501::32 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA

# dig @2a00:f680:100:1501::33 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA



--
Regards / Med vänlig hälsning
Anders Löwinger, CEO, Abundo AB, +46 72 206 0322


Re: parental-agent, empty DS response ?

2023-01-07 Thread Anders Löwinger

On 2023-01-07 22:22, Mark Andrews wrote:

> I suspect the problem is that the request does not have RD=1 and you are
> talking to recursive servers.

I changed parental-agents to one of the .SE DNS servers.

Jan 07 22:26:48 dns-signer2 named[3428351]: keymgr: checkds DS for key lowinger.se/ECDSAP384SHA384/59647 seen published at Sat Jan  7 22:26:48 2023

Thanks!

> The following should work except where the authoritative server
> does not implement DNS properly and rejects recursive queries rather than
> just treating the request as not recursive.

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index eab42bf8c0e..5b62fa8dc95 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -20704,6 +20704,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t 
**messagep) {
  
 message->opcode = dns_opcode_query;

 message->rdclass = zone->rdclass;
+   message->flags |= DNS_MESSAGEFLAG_RD;
  
 dns_message_gettempname(message, &tempname);
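
Review bot: no comment or documentation accompanies the new message->flags |= DNS_MESSAGEFLAG_RD; line in checkds_createmessage(), although it changes which servers can usefully be listed under parental-agents. Suggest a one-line comment above the assignment saying RD is set so that recursive resolvers can serve as parental agents, and a matching sentence in the parental-agents documentation that also mentions the case quoted above, where a server rejects recursive queries.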


Any reason not making this default?

I don't want to track upstream nameservers... Asking my trusted 
resolvers is much easier :)



--
Regards / Med vänlig hälsning
Anders Löwinger, CEO, Abundo AB, +46 72 206 0322



Re: parental-agent, empty DS response ?

2023-01-07 Thread Mark Andrews
I suspect the problem is that the request does not have RD=1 and you are
talking to recursive servers.  The following should work except where the
authoritative server does not implement DNS properly and rejects recursive
queries rather than just treating the request as not recursive.

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index eab42bf8c0e..5b62fa8dc95 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -20704,6 +20704,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t 
**messagep) {
 
message->opcode = dns_opcode_query;
message->rdclass = zone->rdclass;
+   message->flags |= DNS_MESSAGEFLAG_RD;
 
dns_message_gettempname(message, &tempname);
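
Review bot: the RD bit is set unconditionally at the added line message->flags |= DNS_MESSAGEFLAG_RD; in checkds_createmessage(), so every parental agent receives RD=1, including a strict authoritative server that rejects recursive queries, which is the exception the message names. Such a server would stop working as a parental agent after this change; consider checking how a rejection from that kind of server is reported so it is not logged as an "empty DS response", or retrying the query without RD in that case.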
 


> On 8 Jan 2023, at 07:11, Anders Löwinger  wrote:
> 
> Hi
> 
> I have some trouble with the parental-agents. Anyone seen this before/can 
> give me a clue to get this working?
> 
> Tried with my two recursive resolvers first, then localhost. No difference.
> 
> From the log
> 
> named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from 2a00:f680:100:1501::32#53
> named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from 2a00:f680:10:1501::33#53
> named[3428351]: zone lowinger.se/IN (signed): checkds: empty DS response from 127.0.0.1#53
> 
> zone "lowinger.se" {
> 
> type primary;
> file "lowinger.se";
> dnssec-policy lowinger-policy;
> inline-signing yes;
> // parental-agents {
> // 2a00:f680:100:1501::32;
> // 2a00:f680:100:1501::33;
> // }; 
>  
> parental-agents { 127.0.0.1; };
> };
> 
> BIND 9.18.10-1+ubuntu22.04.1+isc+1-Ubuntu (Stable Release) 
> 
> 
> dig has no problem resolving the DS record.
> 
> # dig @127.0.0.1 lowinger.se ds +short
> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
> 
> # dig @2a00:f680:100:1501::32 lowinger.se ds +short
> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
> 
> # dig @2a00:f680:100:1501::33 lowinger.se ds +short
> 59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA
> 
> 
> 
> 
> -- 
> Regards / Med vänlig hälsning
> Anders Löwinger, CEO, Abundo AB, +46 72 206 0322
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
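
Added example, not code from BIND or from the posts: the one-bit difference between a DS query sent with and without RD (dig sets RD by default), plus a header-only classifier that tells an empty NOERROR reply from a REFUSED one. The message id, the sample replies and the classifier's labels are constructed assumptions; how named itself arrives at "empty DS response" is not shown in the thread.

```python
import struct

QR, RD = 0x8000, 0x0100        # header flag bits (RFC 1035): response, recursion desired
RCODE_REFUSED = 5
TYPE_DS, CLASS_IN = 43, 1      # DS is RR type 43 (RFC 4034)

def build_query(name, rd, qtype=TYPE_DS, msg_id=0x1234):
    """Wire-format query for name; msg_id is a fixed, constructed id."""
    header = struct.pack("!6H", msg_id, RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, CLASS_IN)

def rd_is_set(wire):
    """True when the RD bit is set in the header of a query or response."""
    return bool(struct.unpack("!H", wire[2:4])[0] & RD)

def classify_response(wire):
    """Label a response from its header alone: refused, empty, answer or rcode-N."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", wire[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode:
        return f"rcode-{rcode}"
    return "answer" if ancount else "empty"

def sample_response(query, rcode, ancount):
    """Constructed header-only reply: echoes id, RD and question; RRs omitted."""
    msg_id, qflags = struct.unpack("!2H", query[:4])
    flags = QR | (qflags & RD) | rcode
    return struct.pack("!6H", msg_id, flags, 1, ancount, 0, 0) + query[12:]

if __name__ == "__main__":
    plain = build_query("lowinger.se", rd=False)      # what the patch changes
    recursive = build_query("lowinger.se", rd=True)   # dig's default
    print("RD=0 header:", plain[:4].hex(), " RD=1 header:", recursive[:4].hex())
    print("RD=0, no cached data :", classify_response(sample_response(plain, 0, 0)))
    print("RD=1, resolver       :", classify_response(sample_response(recursive, 0, 1)))
    print("RD=1, strict auth    :", classify_response(sample_response(recursive, 5, 0)))
```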



parental-agent, empty DS response ?

2023-01-07 Thread Anders Löwinger

Hi

I have some trouble with the parental-agents. Anyone seen this 
before/can give me a clue to get this working?


Tried with my two recursive resolvers first, then localhost. No difference.

From the log

named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from 2a00:f680:100:1501::32#53
named[3420650]: zone lowinger.se/IN (signed): checkds: empty DS response from 2a00:f680:10:1501::33#53
named[3428351]: zone lowinger.se/IN (signed): checkds: empty DS response from 127.0.0.1#53


zone "lowinger.se" {

    type primary;
    file "lowinger.se";
    dnssec-policy lowinger-policy;
    inline-signing yes;
    // parental-agents {
    //     2a00:f680:100:1501::32;
    //     2a00:f680:100:1501::33;
    // };
    parental-agents { 127.0.0.1; };
};

BIND 9.18.10-1+ubuntu22.04.1+isc+1-Ubuntu (Stable Release)

dig has no problem resolving the DS record.

# dig @127.0.0.1 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA

# dig @2a00:f680:100:1501::32 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA

# dig @2a00:f680:100:1501::33 lowinger.se ds +short
59647 14 2 825E888C2FAA4F70241467A257C02C66AD5DAFDB818253B7FEB52DA4 BEB071CA



--
Regards / Med vänlig hälsning
Anders Löwinger, CEO, Abundo AB, +46 72 206 0322