lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

dkim_verifier states "Key is not signed by DNSSEC", in fact it is #27

Closed ogej closed 10 years ago

ogej commented 10 years ago

Hi and thanks for your awesome plugin!

Here we go: I told the plugin to use my local DNS resolver, which supports DNSSEC. The domainkey record is signed; the record bears the +ad flag. Still, the plugin says the key was not signed by DNSSEC.

Note: my local resolver uses DNSSEC lookaside validation, which is transparent to the DNS clients.

I thought the reason why the plugin fails to verify whether the key was signed is that my local DNS is somehow bypassed. However, the log says

2014-04-25 16:57:29 DKIM_Verifier.JSDNS INFO    Resolving default._domainkey.example.net TXT by querying 10.0.12.5

Any thoughts on this?

(screenshot attached: 2014-04-25 16:51:08)

This is what a query of 10.0.12.5 says:

```
; <<>> DiG 9.8.3-P1 <<>> default._domainkey.example.net +dnssec txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45957
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;default._domainkey.example.net.    IN  TXT

;; ANSWER SECTION:
default._domainkey.example.net. 85928 IN    TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0QmdibqnhhtX+xCJE1LzF7YemajbrvDxO8PcpnWeTAPpxnMIc8qZiyyRLVT+axUEY5typdf91QIcYdAb5i4s4xudiD6bY8CJh5Kk6qfDCwFQUamYkBKOZC4eWohuM8Yz9Z/Hi0h" "zEQb/LztkI7SvGt1+V/5Ts3Dfa2O+348QZoztogqqt3j+MiFQYt85F4EczSQuzxkTyktisx+62hV+3aYshKpl8wOd760CVwPPCu0m6LxDfnn9f/6uW9eM/yr28vvznnlbFN4IzDgaKjZ9ZNxJ7eSL+EzlqmAO9CMYgHXwpEQdeoZE2R7DR8cFi7RQjcNXGbpcLt+q2XIQi5U78QIDAQAB"
default._domainkey.example.net. 85928 IN    RRSIG   TXT 7 4 86400 20140522165659 20140422165659 9728 example.net. rLdx/eFlAyUeIRee0GJJKhyGlHLn3ll+hQLNtfj7ootfDim2svCQw81M 5V/tAJn1imGcXJ3Glk8Qx83WX5uCaVpIjKu2PT0Y8beyRGgMdfjn2hBD INU42EOoiNsqFDAVXkNCL7B1SpWgUHiNgnqUliv1XaJoraT8O7jSq/Sz pkU=
```

Regards!

lieser commented 10 years ago

The JavaScript DNS library currently does not support DNSSEC. You have to use the libunbound resolver (https://github.com/lieser/dkim_verifier/wiki/DNS#libunbound)

edit: If for some reason you can't use libunbound, I could try to add support for the AD flag.
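What "support for the AD flag" would amount to, as an added example that is not code from the dkim_verifier project or from either participant: decode the DNS response header, confirm the answer is for the name and type that were asked, and only then read the AD bit. The example assumes Node.js (the Buffer API) and builds the response bytes inline, mirroring the header in the dig output above (id 45957, flags qr rd ra ad, two answer RRs); the name `trustedResolvers`, the status strings and the `demo` helper are this example's own, not the extension's.

```javascript
// Added example (not dkim_verifier code): read the AD bit from a DNS response.
// Assumes Node.js. Response bytes are constructed here, not captured.

const FLAG_QR = 0x8000; // message is a response
const FLAG_RD = 0x0100; // recursion desired
const FLAG_RA = 0x0080; // recursion available
const FLAG_AD = 0x0020; // authentic data: resolver says it validated with DNSSEC
const FLAG_CD = 0x0010; // checking disabled
const TYPE_TXT = 16;
const CLASS_IN = 1;

// Encode a dotted name as DNS wire-format labels.
function encodeName(name) {
  const parts = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    const bytes = Buffer.from(label, "ascii");
    if (bytes.length === 0 || bytes.length > 63) throw new Error("bad label");
    parts.push(Buffer.from([bytes.length]), bytes);
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Decode an uncompressed name at offset; returns the name and the next offset.
function decodeName(buf, offset) {
  const labels = [];
  let pos = offset;
  for (;;) {
    if (pos >= buf.length) throw new Error("truncated name");
    const len = buf[pos++];
    if (len === 0) break;
    if (len & 0xc0) throw new Error("compression pointers not handled here");
    labels.push(buf.toString("ascii", pos, pos + len));
    pos += len;
  }
  return { name: labels.join("."), next: pos };
}

function parseHeader(buf) {
  if (buf.length < 12) throw new Error("DNS message too short");
  const flags = buf.readUInt16BE(2);
  return {
    id: buf.readUInt16BE(0),
    qr: (flags & FLAG_QR) !== 0,
    ad: (flags & FLAG_AD) !== 0,
    cd: (flags & FLAG_CD) !== 0,
    rcode: flags & 0x0f,
    qdcount: buf.readUInt16BE(4),
    ancount: buf.readUInt16BE(6),
  };
}

// Constructed test data: header plus one question (answer RRs omitted).
function buildResponse({ id, flags, qname, ancount }) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(flags, 2);
  header.writeUInt16BE(1, 4);       // QDCOUNT
  header.writeUInt16BE(ancount, 6); // ANCOUNT
  const qtail = Buffer.alloc(4);
  qtail.writeUInt16BE(TYPE_TXT, 0);
  qtail.writeUInt16BE(CLASS_IN, 2);
  return Buffer.concat([header, encodeName(qname), qtail]);
}

// RFC 4035 section 4.9.3: a stub must ignore AD unless it trusts the resolver
// and the path to it, so the caller passes the resolvers it trusts (assumption).
function dnssecStatus(buf, expected, resolver, trustedResolvers) {
  const h = parseHeader(buf);
  if (!h.qr) return "not-a-response";
  if (h.id !== expected.id) return "id-mismatch";
  if (h.rcode !== 0) return "rcode-" + h.rcode;
  if (h.qdcount !== 1) return "bad-qdcount";
  const q = decodeName(buf, 12);
  if (q.name.toLowerCase() !== expected.qname.toLowerCase()) return "name-mismatch";
  if (buf.readUInt16BE(q.next) !== TYPE_TXT) return "type-mismatch";
  if (h.ancount === 0) return "no-answer";
  if (!trustedResolvers.includes(resolver)) return "untrusted-resolver";
  return h.ad ? "secure" : "insecure";
}

const QNAME = "default._domainkey.example.net";
const signedResponse = buildResponse({
  id: 45957, flags: FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, qname: QNAME, ancount: 2 });
const unsignedResponse = buildResponse({
  id: 45957, flags: FLAG_QR | FLAG_RD | FLAG_RA, qname: QNAME, ancount: 1 });

function demo() {
  const expected = { id: 45957, qname: QNAME };
  return {
    trusted: dnssecStatus(signedResponse, expected, "10.0.12.5", ["10.0.12.5"]),
    untrusted: dnssecStatus(signedResponse, expected, "10.0.12.5", ["127.0.0.1"]),
    noAd: dnssecStatus(unsignedResponse, expected, "10.0.12.5", ["10.0.12.5"]),
  };
}

console.log(demo());
```

The point of the `trustedResolvers` check is the caveat behind lieser's answer: the AD bit is a claim made by whichever resolver answered, carried over plain UDP, so honouring it is only sound when that resolver (here the LAN host 10.0.12.5) is one you control and the path to it cannot be spoofed. libunbound avoids the question by validating the RRSIG chain locally; a stub that merely reads AD is trusting the resolver to have done so.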