trusteddomainproject / OpenDKIM

Unexpected reply error #181

Open cavaughankirov opened 1 year ago

cavaughankirov commented 1 year ago

Can't find any info about what this error means and therefore how to rectify it. Any help appreciated.

opendkim-testkey: 'default._domainkey.***.com' unexpected reply class/type (-1/-1)

futatuki commented 8 months ago

The message came from libopendkim/dkim-keys.c and was caused by the DNS response to the TXT-type query for 'default._domainkey.***.com'.

So if you can use dig or other DNS query tools and can watch the response for the query above, it might be helpful.

buschmann23 commented 7 months ago

I got the same error for the DKIM record for mails from mail.bethesda.net: key retrieval failed (s=zenimaxmedia, d=email.bethesda.net): 'zenimaxmedia._domainkey.email.bethesda.net' unexpected reply class/type (-1/-1)

host -t TXT zenimaxmedia._domainkey.email.bethesda.net returns:

zenimaxmedia._domainkey.email.bethesda.net is an alias for _domainkey.email.bethesda.net.
_domainkey.email.bethesda.net descriptive text "v=DKIM1; k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0AgR+ZxIMUkr1tu+k4elWjPT6FT1i5leUq29MIJtR9qAOp3su69/BbaNLbuPQCxT7rvEbYj65aA/nsIqf1rKcN9aILeV5i3ABgIadt+uFC7NV3YsJ41m2B1JGoef0d845Gn8bYuP/RJIOqU15gXTqvUbHthz/4A5yAFYDebIv27VifyGPGrWNA15guBK3Xs5cLU752t5oWX9lo" "+Zl78ogyomw0/2EH/uy7jDM39qp+rIR1jBNYFSLZZhXgYGNMG9cPQSPrgaCFI06m07ADmaAUFMrRg56esuD9BxkeBpexhKRtqfY4tVlMkMSsS55E0ue76BpWHr0xNJdPuMyZMOVwIDAQAB"

So they seem to use a CNAME record.

futatuki commented 7 months ago

I cannot reproduce the issue by just using CNAME for selector.domainkey.example.domain.

e.g.

aliassample._domainkey.debug.gr.jp. 3600 IN CNAME default._domainkey.debug.gr.jp.
default._domainkey.debug.gr.jp. 3600 IN  TXT     "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0qwM7Xk73VeWA8CxsK8xUHLc7hMJQl23tieAI/iuklzflvxxyNpXN/DlAvglGqahzW7ebYqW/zPhU33qyVGg8cYB8HAgQKditKAVEixwl7x5/7ieGRDmcczLtbyrP5dhpT6mLU6Y552fSKueeNqzPDn8leY2eXzlF6jqJ8F6+T8piSmv7MtamujT0IQlDoxF67BXuMkKYewFw" "0Fgk7eSu/5IQkINov2DRBE54CkkHR9ivLcsMlND+//emMsY+VGhyJCf4ceFZ65YIwSu6b8XTMtpIU14Cl1cskVfSaJ6IaqlCYuAfhCMwjHU3bL7Nbo47+td4MKnZRLFQjZpOq27wIDAQAB"

A sample of a signed message (made using opendkim-testmsg): debug-aliassample-signed.txt

(I'll keep the DNS entry above for a while, but I will remove it later.)

fcmildef commented 3 months ago

We are also getting this error and are trying to figure out what is going wrong.

localhost opendkim[2551617]: 7B37D3F089: key retrieval failed (s=mythic-beasts-k1, d=resourcespace.com): 'mythic-beasts-k1._domainkey.resourcespace.com' unexpected reply class/type (-1/-1)

They seem to have a valid key present:

host -t TXT mythic-beasts-k1._domainkey.resourcespace.com

mythic-beasts-k1._domainkey.resourcespace.com is an alias for k1.resourcespace.com.dkim.mythic-beasts.com.
k1.resourcespace.com.dkim.mythic-beasts.com descriptive text "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZdcKZU1LiFwqlBG+Uhv52wqUt3hRkMUjSvPJ845UK1ZNnAQzC84EBrDk73KLFgA8hE4NMMhWZRmJaJcNXzYbUdFcxCGlTfXD+KrTnXmnmY+z89SEVsifZpISGmkKJfbwUeZhgRus7WGlqnLiSWNDWWi1ECAFG19gSyQ9bHMp3476XRqPGJfYRMi1RPrYIyoA" "qxwr2Xtpm5w912UEOcpJqQ5lGInNdEjYNnvN78TnXpXzJyHeElm/jgT2Yuc+P94lWBPlcMU3uNo+zOICGJRCpjCW+mXC4/3Tt/475PGaYNXeyrRp2k267hGhoXnUK4s5tvedoeCUQvP6/YWJ6qTfQIDAQAB"

Perhaps opendkim is not handling the truncation of the DNS answer properly?
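
For the check suggested earlier in the thread (looking at the actual DNS response) and the truncation question in the last comment, here is an added example that is not part of the thread and not OpenDKIM code: it parses a raw DNS reply and reports the TC (truncated) flag, the answer record types in order, and the joined TXT strings. The function names, domain names and key value are constructed placeholders.

```python
import struct

T_CNAME, T_TXT, TC_BIT = 5, 16, 0x0200

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(256):                    # bounds compression-pointer loops
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:                # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def inspect_reply(msg):
    """Return the TC flag, rcode, answer RR types and the joined TXT data."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                     # skip the question section
        _, off = read_name(msg, off)
        off += 4                            # qtype + qclass
    types, txt = [], None
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        types.append(rtype)
        if rtype == T_TXT:                  # join the <character-string> chunks
            parts, i = [], 0
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]])
                i += 1 + rdata[i]
            txt = b"".join(parts).decode("ascii")
    return {"truncated": bool(flags & TC_BIT), "rcode": flags & 0xF,
            "types": types, "txt": txt}

def sample_reply(truncated=False):
    """Constructed reply: CNAME then a two-chunk TXT; names and key are placeholders."""
    wire = lambda name: b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    rr = lambda owner, t, rd: owner + struct.pack("!HHIH", t, 1, 3600, len(rd)) + rd
    target = wire("k1.dkim.example.net")
    txt = b"".join(bytes([len(s)]) + s for s in (b"v=DKIM1; k=rsa; ", b"p=PLACEHOLDER"))
    ans = [] if truncated else [rr(b"\xc0\x0c", T_CNAME, target), rr(target, T_TXT, txt)]
    head = struct.pack("!6H", 0x1234, 0x8180 | (TC_BIT if truncated else 0), 1, len(ans), 0, 0)
    return head + wire("sel._domainkey.example.com") + struct.pack("!HH", T_TXT, 1) + b"".join(ans)
```

A reply with `truncated` set and no TXT entry in `types` means the key never arrived over UDP, so the resolver path has to retry over TCP before any DKIM parsing can succeed.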