DKIM query to AOL domain

Phil Bradley
Level 4

I am having an issue with AOL emails that fail DKIM with the result:

DKIM: tempfail key query timeout (d=aol.com s=a2048 i=@aol.com)


My IronPorts are set to use the root DNS servers, and if I change this to query my ISP's servers then I don't receive this failure. When I issue a dig from the CLI I receive the following, so I think it's something with the query for the TXT record to the aol domain using the root DNS servers.

dig txt a2048._domainkey.aol.com


; <<>> DiG 9.10.1 <<>> a2048._domainkey.aol.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44250
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;a2048._domainkey.aol.com. IN TXT

;; Query time: 677 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 15 17:10:16 EDT 2019
;; MSG SIZE rcvd: 42


Has anyone else experienced this?


5 Replies

balaji.bandi
Hall of Fame

This is more of an internal DNS server issue on your side. What kind of DNS server do you have in place?


If using MS DNS servers, here is some reference:


https://support.symantec.com/us/en/article.TECH123082.html


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Actually, I am not using internal DNS. I have the option checked in the IronPorts to use root DNS, and this is when the failure occurs. If I use internal DNS or the ISP DNS then the query for the TXT record works.

Personally I would not rely on root DNS servers; if you want to be secure, either use a locally trusted DNS or ISP-provided DNS servers.

BB


What I am seeing now is that this is not just AOL domains. In Wireshark the TXT query response includes additional nameservers, and it appears that the IronPort is stopping after so many nameserver replies.

I think I remember reading somewhere that the Cisco best practice was to set the IronPort to use root DNS servers. From the best that I can tell, the IronPort uses the root DNS servers to get the nameservers of the domain in the email and then queries that domain's nameservers for the DKIM TXT record. It appears that if the TXT record returns additional nameservers in the answer, then the IronPort will query the additional nameservers for the DKIM key even if it received it in the first response. I opened a case with TAC to see if this is a bug. I think any domain with 5 or more nameservers creates a tempfail on the DKIM query.
I think I remember reading somewhere that the Cisco best practice was to set the ironport to use root dns servers. From the best that I can tell, the ironport uses the root dns servers to get the name servers of the domain in the email and then it queries that domains nameservers for the DKIM txt record. It appears that if the txt record returns additional nameservers in the answer then the ironport will query the additional nameservers for the DKIM key even if it received it in the first response. I opened a case with TAC to see if this is a bug. I think any domain with 5 or more nameservers creates a tempfail on the DKIM query.