I was able to replicate this using an Unbound setup to not respond to UDP messages larger than 1500.

In the first instance I'd suggest checking your DNS server setup that it's able to respond to UDP packets larger than ~1552 - 4096 is default on Unbound -

server:
  max-udp-size: 4096

I can confirm that AskDNS (and other DNS requests going via async->bgsend_and_start_lookup and resolver) don't fall back to TCP if the truncated bit is set - this is hardcoded in the DnsResolver.pm module.

I have had some success in writing a patch for this which I'll submit to BZ after some cleanup.

Paul

On Fri, 16 Sept 2022 at 22:05, Carlos G Mendioroz via users <users@spamassassin.apache.org> wrote:

> Hi,
> I'm facing a problem with SA, that seems to be related to askdns.
>
> Mail server on Ubuntu 22.04 LTS, spamassassin 3.4.6 via exim4. Local
> bind9 DNS server.
>
> Mail received from webex.com does not get SPF checked, which in turn
> triggers a local rule:
> meta DMARK_REJECT !(DKIM_VALID_AU || SPF_PASS || NO_RELAYS)
>
> Webex does not use DKIM, but it has a kind of complex SPF setup, that
> may be ok (not 100% sure, but they are cisco after all ?)
>
> After enabling debug I can see that the TXT query returns 0 RRs:
>
> Sep 16 11:45:39 doors spamd[462278]: askdns: answer received, rcode NOERROR, query IN/TXT/webex.com, answer has 0 records
>
> while dig has a different idea:
>
> dig -t TXT webex.com
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> -t TXT webex.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56230
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: b7c24959678df920010000006324d83008d33f7982f281d1 (good)
> ;; QUESTION SECTION:
> ;webex.com. IN TXT
>
> ;; ANSWER SECTION:
> webex.com. 300 IN TXT "google-site-verification=qXk-s_bdPaqiuaDN9jJCQjvNyw_hVkxXDhkm-1mZn14"
> webex.com. 300 IN TXT "slimtesttxt20170824002"
> webex.com. 300 IN TXT "QuoVadis=c1bf1f71-e21f-4ef5-92d9-3285c488767a"
> webex.com. 300 IN TXT "google-site-verification=BEWshakJYRMouwSQKX3vk5144-qUL1wwUWLU-XtfQ"
> webex.com. 300 IN TXT "slimtesttxt20170824001"
> webex.com. 300 IN TXT "MS=ms74589643"
> webex.com. 300 IN TXT "google-site-verification=BEWshakJYRMouwSQKX_3vk5_144-qUL1wwUWLU-XtfQ"
> webex.com. 300 IN TXT "identrust_validate=5g4Ebjbv8fCTROWcobqHmDRBtTU+zBMHM1AiuGdcCbtd"
> webex.com. 300 IN TXT "MS=ms61160488"
> webex.com. 300 IN TXT "QuoVadis=5a740d9e-6664-4d4c-8d87-716da9d530a7"
> webex.com. 300 IN TXT "MS=ms67549965"
> webex.com. 300 IN TXT "identrust_validate=08N0ASND+yUGXL08IVK8mdMWNhvz1ZqiXe6WCC5eI2e/"
> webex.com. 300 IN TXT "v=spf1 redirect=_spf.webex.com"
> webex.com. 300 IN TXT "lqucp0f6u7alqi7kgrjo5vsov5"
> webex.com. 300 IN TXT "QuoVadis=eed4c791-aa21-4b45-8c91-2d83a93af871"
> webex.com. 300 IN TXT "lrg2pr6u4ubansuv47jtmmfd3p"
> webex.com. 300 IN TXT " ms93683787.msv1.invalid"
> webex.com. 300 IN TXT "amazonses:n3XkGYyvmC8SrhX+CqICjY4eWnyKFwPo6mdHTMsmeu4="
> webex.com. 300 IN TXT "9cef3rr776cnjs1cu53q6hrium"
> webex.com. 300 IN TXT "google-site-verification=3NhfQ1u_2ogGy3CA8qlIfFtMlW_nhx-VO85vAhT15a0"
> webex.com. 300 IN TXT "identrust_validate=bCd4oCoacz6pZ8C8/IRU0rItc1avij7uuIRBeMwUxa8T"
> webex.com. 300 IN TXT "google-site-verification=t2i1Swk8XPQDj6Llz_4Uxu3OKL3wfO_aaxYylFmQ8MU"
> webex.com. 300 IN TXT "MS=ms93683787"
> webex.com. 300 IN TXT "google-site-verification=Z4Iwv_W8wkGKrlaPKLdcm3C_LDCydAJD6z3L1MAP7DI"
> webex.com. 300 IN TXT "google-site-verification=fHXTAHXgtW5_Dzt4PHZKGF2PAI0r6PEHqmHJbkxo4_k"
> webex.com. 300 IN TXT "google-site-verification=D1PXZV2EBUXGvgJdUWr3cahNprUgckDpzo8MgniDQHk"
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
> ;; WHEN: Fri Sep 16 17:10:24 -03 2022
> ;; MSG SIZE rcvd: 1552
>
> which leads me to believe askdns might not support tcp for resolving ?
> In any case, help ?
> TIA
> --
> Carlos G Mendioroz <t...@huapi.ba.ar> LW7 EQI Argentina
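
The behaviour discussed in this thread, as an added example that is not part of either message and is neither SpamAssassin's code nor the patch mentioned above: a UDP reply with the truncated (TC) bit set has to trigger a retry over TCP rather than being read as "NOERROR, 0 records". It is written in Python rather than SpamAssassin's Perl; the function names, the transport callbacks and the sample messages (header and question only, transaction id 0x1234) are constructed for illustration.

```python
import struct

TC = 0x0200  # truncation bit in the DNS header flags word (RFC 1035 4.1.1)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "ancount": an}

def classify(msg: bytes, expected_id: int) -> str:
    """Decide what a resolver client should do with a UDP reply."""
    h = parse_header(msg)
    if not h["qr"] or h["id"] != expected_id:
        return "discard"    # not a response to our query
    if h["tc"]:
        return "retry_tcp"  # truncated: the record count cannot be trusted
    if h["rcode"] != 0:
        return "error"
    return "answer" if h["ancount"] else "no_data"

def lookup(query: bytes, udp_send, tcp_send) -> bytes:
    """udp_send and tcp_send are hypothetical caller-supplied transports."""
    txid = struct.unpack("!H", query[:2])[0]
    reply = udp_send(query)
    if classify(reply, txid) == "retry_tcp":
        reply = tcp_send(query)  # same question, re-asked over TCP
    return reply

def make_msg(txid: int, flags: int, ancount: int) -> bytes:
    """Constructed sample: header plus the webex.com/TXT question, RR bodies omitted."""
    question = b"\x05webex\x03com\x00" + struct.pack("!2H", 16, 1)  # TXT, IN
    return struct.pack("!6H", txid, flags, 1, ancount, 0, 0) + question

QUERY = make_msg(0x1234, 0x0100, 0)      # RD
TRUNCATED = make_msg(0x1234, 0x8380, 0)  # QR, TC, RD, RA; NOERROR, 0 answers
FULL = make_msg(0x1234, 0x8180, 26)      # QR, RD, RA; 26 answers, as dig saw over TCP

if __name__ == "__main__":
    print(classify(TRUNCATED, 0x1234))
    final = lookup(QUERY, lambda q: TRUNCATED, lambda q: FULL)
    print(classify(final, 0x1234), parse_header(final)["ancount"])
```

A client that skips the TC check would file the truncated reply under "no_data", which matches the "answer has 0 records" debug line quoted above.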