
openDKIM Not Honoring ResolverConfiguration

Open KeithSieman opened this issue 3 years ago • 5 comments

I have a unique scenario where I have to rely on TCP DNS over UDP (fragmented UDP is blocked by our server provider at the firewall). Running on opensuse 15.3 Leap, trying multiple ways of setting TCP upstream does not actually make openDKIM v2.10.3 use TCP.

In opendkim.conf, I have ResolverConfiguration set to /etc/unbound/conf.d/mailserver.conf

In mailserver.conf, I have the setting tcp-upstream set to yes, do-udp set to no (also tried with yes) and do-tcp set to yes.

No errors when starting opendkim unless I intentionally make a typo within mailserver.conf, so it is seeing and reading it. The opendkim user is a member of the unbound group, and has read/write permissions to the mailserver.conf file (chmod 660, chown unbound:unbound).

Any ideas on getting this working would be very much appreciated. I would have used the mailing lists, but the page on the openDKIM site is broken.

KeithSieman avatar Feb 24 '22 22:02 KeithSieman

What upstream DNS server are you using? And why is it handing you fragments?

Seriously, if you don't have a good path to your main DNS servers, such that an edns-enabled query (such that fragmentation doesn't happen) doesn't work, configure another.

Alternatively, run a full caching resolver on the box (i.e. run unbound). I can't find documentation for it, but it's possible that libunbound may not support the full subset of configuration knobs that full-blown unbound does.

-Dan


thegushi avatar Feb 24 '22 22:02 thegushi

Recursive resolution. UDP queries to the root nameservers are not returned. I have no idea why it's coming back fragmented, and agree 1000% that it shouldn't be, especially with an MTU of 1500. dig +trace commands also time out. I believe that our server provider is looking into this for us. tcpdump shows NS queries going to the root nameservers and not coming back.

There is a parameter Nameservers that I've set to 127.0.0.1 (I did install Unbound locally as well), but looks like this is only honored if opendkim is compiled without libunbound. All opendkim zypper installations look to have that enabled currently. Worst case scenario, I'll just try and recompile on my own.

KeithSieman avatar Feb 24 '22 22:02 KeithSieman

Can you email me privately, gushi at gushi dot org, I'd like to get some more information about this that perhaps shouldn't be in public tickets.


thegushi avatar Feb 25 '22 04:02 thegushi

Poke?


thegushi avatar Mar 01 '22 02:03 thegushi

Hey Dan,

Sorry - 2nd job's been making my schedule a bit weird the past week. I'll touch base tomorrow via e-mail if that's alright. Thanks!

KeithSieman avatar Mar 01 '22 23:03 KeithSieman

Hey there, I've replied to your email because I want to help solve your problem, but it's not the job of OpenDKIM to jump through crazy hoops if your dedicated server/VM has unreachable DNS that don't respond in standard ways. My strong recommendation is: if the DNS in your resolv.conf doesn't give you a full view of the internet, run bind or unbound locally, and put 127.0.0.1 in your resolv.conf.

I'm happy to help debug your DNS issues (because I have a vested interest when people are blocking access to the DNS root), but I don't see this as an openDKIM bug.

thegushi avatar Jan 06 '23 01:01 thegushi
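The thread ends with two pieces of advice: run a local caching resolver and point resolv.conf at 127.0.0.1, and, from the reporter's side, make sure the resolver path works over TCP because fragmented UDP is dropped upstream. The script below is an added example, written for this page and not code from the OpenDKIM project or from either participant. It checks that advice directly: it builds a TXT query for a DKIM key record (selector._domainkey.domain, the name a verifier like opendkim looks up), sends it over TCP with the RFC 1035 two-byte length framing, and parses the DKIM tags out of the answer, so a DNS path can be confirmed independently of whatever libunbound is doing inside opendkim. The resolver address 127.0.0.1 is the local unbound from the thread; the selector "sel" and domain "example.com" are constructed placeholders, and the hand-built response used for the offline run is constructed, not captured.

```python
"""DNS-over-TCP probe for a DKIM key record (added example, not OpenDKIM code).

Sends a TXT query for <selector>._domainkey.<domain> to a resolver over TCP
(RFC 1035 framing: two-byte length prefix) and extracts the DKIM tags from
the answer. The selector/domain used below are constructed placeholders;
127.0.0.1 is the local unbound suggested in the thread.
"""
import socket
import struct

QTYPE_TXT = 16  # DKIM key records (RFC 6376) are published as TXT
TXID = 0x1234   # fixed id so the example is reproducible; randomise it in real use


def build_query(name: str, qtype: int = QTYPE_TXT, txid: int = TXID) -> bytes:
    """Standard recursive query (RD=1), class IN, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_txt_response(msg: bytes, txid: int = TXID) -> list:
    """Validate the header, then return the text of every TXT answer."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x0200:
        raise ValueError("TC bit set: answer truncated even over TCP")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:  # TXT rdata is a sequence of <len><chars> strings
            parts, p = [], 0
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode("ascii", "replace"))
                p += 1 + rdata[p]
            txts.append("".join(parts))
    return txts


def parse_dkim_tags(txt: str) -> dict:
    """Split a DKIM key record ('v=DKIM1; k=rsa; p=...') into its tag=value pairs."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TCP connection early")
        buf += chunk
    return buf


def query_dkim_over_tcp(selector, domain, resolver="127.0.0.1", port=53, timeout=5.0):
    """Fetch and parse the DKIM key record for selector/domain using TCP only."""
    q = build_query(f"{selector}._domainkey.{domain}")
    with socket.create_connection((resolver, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        msg = _recv_exact(s, length)
    return [parse_dkim_tags(t) for t in parse_txt_response(msg)]


def constructed_response() -> bytes:
    """Hand-built answer (constructed, not captured) to exercise the parser offline."""
    q = build_query("sel._domainkey.example.com")
    header = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, NOERROR
    rdata = b"\x10v=DKIM1; k=rsa; " + b"\x05p=ABC"       # two character-strings
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + q[12:] + answer


if __name__ == "__main__":
    print("offline:", [parse_dkim_tags(t) for t in parse_txt_response(constructed_response())])
    try:  # live check against the local resolver; selector/domain are placeholders
        print("live:", query_dkim_over_tcp("sel", "example.com"))
    except (OSError, ValueError) as e:
        print("live query failed:", e)
```

If the live query against 127.0.0.1 fails while the offline parse succeeds, the problem is in the resolver path (unbound's own upstream reachability, or opendkim not being pointed at it), not in record parsing; a failed or timed-out lookup here is exactly what makes a DKIM verifier return a temporary failure rather than a signature result.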