FW: Validation failure signature crypto failed

Hello,

I have a FreeBSD server with Unbound 1.5.7 as a resolver.

I use Postfix for mail and postfix-policyd-spf-perl to check spf.

My problem is that mail from a certain domain is refused.

When I test, I see this:

perl /usr/local/libexec/postfix-policyd-spf-perl

request=smtpd_access_policy

protocol_state=RCPT

protocol_name=SMTP

helo_name=mail.acme.com

queue_id=8045F2AB23

sender=j.doe@acme.com

recipient=me@company.com

client_address=1.1.1.1

client_name=mail.company.com

action=DEFER_IF_PERMIT SPF-Result=mail.acme.com: 'SERVFAIL' error on DNS 'TXT' lookup of 'mail.acme.com'

This is in unbound.log:

Reason for the SERVFAIL:

Jan 24 13:44:25 unbound[487:0] info: response for mail.acme.com. TXT IN

Jan 24 13:44:25 unbound[487:0] info: reply from <acme.com.> 2.2.2.2#53

Jan 24 13:44:25 unbound[487:0] info: query response was ANSWER

Jan 24 13:44:25 unbound[487:0] info: Validate: message contains bad rrsets

Jan 24 13:44:25 unbound[487:0] info: validation failure <mail.acme.com. TXT IN>: signature crypto failed from 2.2.2.2

Is this a valid SERVFAIL?

Could someone help me? Thanks.

With kind regards,

Jac

Hi Jac,

I don't really know about postfix or email, but 'signature crypto
failed' means that the data did not match the signature. Thus SERVFAIL
is the correct rcode.

It means that the contents of the TXT record have been altered, and the
text in it does not match the RRSIG digital signature. If this was a
spurious technical failure, it could be due to upper/lowercase somehow
getting changed (inside the text record), or people editing the contents
by hand without running the signer again.

Best regards, Wouter
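
To make the "data did not match the signature" explanation concrete, here is a small Python model of the canonical RRset form that an RRSIG covers (RFC 4034 section 6). It is an added example, not code from this thread or from Unbound, and it uses an HMAC-SHA256 over the canonical bytes as a stand-in for the real RSA/ECDSA RRSIG; the zone key, the owner name and the TXT contents are constructed. It shows why a case change in the owner name or a reordering of the records still validates, while a case change inside the TXT text or a hand edit without re-running the signer does not.

```python
"""Model of DNSSEC canonical RRset form (RFC 4034 s6) and what breaks an RRSIG.

Added example for this thread; not Unbound code. The 'signature' is an
HMAC-SHA256 over the canonical RRset, standing in for a real RRSIG (which
would also cover the RRSIG RDATA fields and use a public-key algorithm).
The canonical-form construction is the part that matters for the failure.
"""
import hashlib
import hmac
import struct

TYPE_TXT = 16
CLASS_IN = 1


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercased, length-prefixed labels.
    Because of this step, MAIL.ACME.COM and mail.acme.com sign identically."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def txt_rdata(strings) -> bytes:
    """TXT RDATA: one or more character-strings, each a length octet plus text.
    Case inside the text is NOT canonicalised (only embedded domain names in
    some other RR types are lowercased; TXT contains none), so any case change
    here changes the signed bytes."""
    out = b""
    for s in strings:
        b = s.encode("utf-8")
        if len(b) > 255:
            raise ValueError("character-string longer than 255 octets")
        out += bytes([len(b)]) + b
    return out


def canonical_rrset(owner: str, rtype: int, rclass: int, original_ttl: int, rdatas) -> bytes:
    """RRs in canonical form, canonical order (sorted by RDATA), with the
    RRSIG's Original TTL rather than whatever TTL a cache has counted down."""
    wire_owner = name_to_wire(owner)
    out = b""
    for rdata in sorted(rdatas):
        out += wire_owner + struct.pack("!HHIH", rtype, rclass, original_ttl, len(rdata)) + rdata
    return out


def sign_rrset(key: bytes, owner, rtype, rclass, original_ttl, rdatas) -> bytes:
    """Stand-in for the signer: MAC over the canonical RRset bytes."""
    return hmac.new(key, canonical_rrset(owner, rtype, rclass, original_ttl, rdatas), hashlib.sha256).digest()


def verify_rrset(key: bytes, signature: bytes, owner, rtype, rclass, original_ttl, rdatas) -> bool:
    """Stand-in for the validator: recompute over what was received and compare.
    A mismatch is what Unbound reports as 'signature crypto failed'."""
    expected = sign_rrset(key, owner, rtype, rclass, original_ttl, rdatas)
    return hmac.compare_digest(expected, signature)


def validation_outcomes() -> dict:
    """Sign a constructed TXT RRset once, then validate several variants of it."""
    key = b"constructed-zone-signing-key"  # constructed; a real ZSK is a key pair
    original_ttl = 3600
    spf = txt_rdata(["v=spf1 include:_spf.acme.com -all"])  # constructed record
    other = txt_rdata(["some-token=abc123"])                 # constructed record
    rrsig = sign_rrset(key, "mail.acme.com.", TYPE_TXT, CLASS_IN, original_ttl, [spf, other])

    def check(owner, rdatas):
        return verify_rrset(key, rrsig, owner, TYPE_TXT, CLASS_IN, original_ttl, rdatas)

    return {
        # unchanged data: validates
        "as_signed": check("mail.acme.com.", [spf, other]),
        # owner name case differs: still validates (owner is canonicalised)
        "owner_case_changed": check("MAIL.Acme.COM.", [spf, other]),
        # records arrive in another order: still validates (canonical ordering)
        "rrset_order_changed": check("mail.acme.com.", [other, spf]),
        # case changed inside the TXT text: fails (RDATA bytes differ)
        "txt_case_changed": check("mail.acme.com.", [txt_rdata(["v=SPF1 include:_spf.acme.com -all"]), other]),
        # record edited by hand and the signer not re-run: fails
        "edited_without_resigning": check("mail.acme.com.", [txt_rdata(["v=spf1 ip4:192.0.2.10 -all"]), other]),
    }


if __name__ == "__main__":
    for label, ok in validation_outcomes().items():
        print(f"{label:26s} {'secure' if ok else 'BOGUS (signature crypto failed)'}")
```

The last two cases are the ones Wouter describes: the validator is doing its job, so SERVFAIL is the right answer, and the fix has to happen on the signing side of the zone, not in the resolver.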

First, I would check whether disabling DNSSEC validation helps:
$ dig mail.acme.com. txt +cdflag

Next, I would use an external validator to check whether the domain owner
signed the domain correctly.
http://dnsviz.net or https://zonemaster.net are good services for such jobs.

Andreas

http://dnsviz.net/d/mail.crypsys.nl/dnssec/

- click "update now"
- click "Advanced options (forced ancestor analysis, recursive, explicit delegation, etc.)"
- select "TXT" as Extra Type
- click Analyze
- DNSSEC and Response prove that the TXT record has an invalid signature

Disable DNSSEC validation for that domain in your unbound.conf (domain-insecure: mail.crypsys.nl)
and try to contact the domain owner.

Andreas

Hello Andreas,

Thanks, that is useful.

Why does dnsviz not show the TXT record without selecting it in Advanced?
Did they only sign the A record?

With kind regards,

Jac

-----Original Message-----

It was simply a choice of efficiency. By default queries for MX, TXT, NS, and SOA are only issued if the name is a zone apex because it is more common to see those records at a zone apex. It would be a bit slower and require more storage to keep track of the less common case. The option of specifying TXT (and others) allows some flexibility beyond the defaults.

Casey

Thanks, Casey, for the explanation.

I wondered if it was because the zone was only signed partially. So it shows only the A record, because that is all that is signed, and the TXT record is not signed.
But I suppose that may not even be possible.

Jac

-----Original Message-----

There certainly are cases (with various causes) where RRSIGs are not returned with some RRsets although they are returned with others in the same zone. In this case, however, RRSIGs are returned for both, if they are queried, but the RRSIG covering the TXT RRset does not validate.

Casey