modoboa icon indicating copy to clipboard operation
modoboa copied to clipboard
verified publisher icon modoboa

Issue with get_authoritative_server Function Failing for DKIM Check

Open jerems6 opened this issue 1 year ago • 6 comments

Impacted versions

  • OS Type: Ubuntu
  • OS Version: 24.04
  • Database Type: PostgreSQL
  • Database version: 16.6
  • Modoboa: 2.3.4
  • Installer used: Yes
  • Webserver: Nginx

Steps to reproduce

  1. Install modoboa using installer
  2. Add a domain, with DKIM enabled, default Key selector (modoboa) and Key length 2048
  3. Generate DKIM key via the command libe /srv/modoboa/env/bin/python /srv/modoboa/instance/manage.py modo manage_dkim_keys ("generate key" was not available via the web UI after the fresh installation)
  4. Add TXT record on the DNS server: modoboa._domainkey.mydomain.com (v=DKIM1;k=rsa;p=XXXXX)
  5. Wait up to 48 hours
  6. Run the command the check the DKIM: /srv/modoboa/env/bin/python /srv/modoboa/instance/manage.py modo check_mx

Current behavior

DKIM status showes "No record found"

Expected behavior

DKIM status shows record found

Proposed Fix

The get_authoritative_server function in Modoboa fails to retrieve the authoritative server during a DKIM check. The issue arises when querying with the domain like "modoboa._domainkey.mydomain.com". An exception is raised with "_domainkey.mydomain.com" of type dns.resolver.NXDOMAIN.

The function should handle dns.resolver.NXDOMAIN exceptions in addition to dns.resolver.NoAnswer, ensuring the logic continues with the domain's parent in such cases.

The issue occurs because dns.resolver.NXDOMAIN is not caught by the except block. This leads to the function halting prematurely instead of continuing to the parent domain.

https://github.com/modoboa/modoboa/blob/2cb6ccebfa0224ef8a3e392ac130e637edf9e4b3/modoboa/admin/lib.py#L208

The except block should also handle dns.resolver.NXDOMAIN to ensure the function works correctly.

New line suggested: except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN) as e:

jerems6 avatar Dec 22 '24 12:12 jerems6

Why does the resolution fail if you properly declared your record?

tonioo avatar Jan 16 '25 09:01 tonioo

Perhaps @arthru if you could enlight us with your DNS knowledge ? :D

Spitfireap avatar Jan 16 '25 11:01 Spitfireap

NXDOMAIN happens when a name could not be resolved

it can happen when asking a NS record for "modoboa._domainkey.mydomain.com"

based on reading this issue, the proposed fix looks good to me, but I did not test it myself

arthru avatar Jan 16 '25 14:01 arthru

Thanks @arthru.

@jerems6 are you able to open a PR ?

Spitfireap avatar Jan 16 '25 18:01 Spitfireap

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 25 '25 01:04 stale[bot]

The above changed fixed the issue I was having...

stovesy avatar Jun 16 '25 13:06 stovesy