07-16-2019 05:41 AM
I am having an issue with AOL emails that fail DKIM with the result:
DKIM: tempfail key query timeout (d=aol.com s=a2048 i=@aol.com)
My ironports are set to use the root DNS servers, and if I change this to query my ISP servers then I don't receive this failure. When I issue a dig from the CLI I receive the following, so I think it's something with the query for the TXT record to the AOL domain using the root DNS servers.
dig txt a2048._domainkey.aol.com
; <<>> DiG 9.10.1 <<>> a2048._domainkey.aol.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44250
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;a2048._domainkey.aol.com. IN TXT
;; Query time: 677 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 15 17:10:16 EDT 2019
;; MSG SIZE rcvd: 42
Has anyone else experienced this?
07-16-2019 07:00 AM
This is more of an internal DNS server issue. What kind of DNS server do you have in place?
If using MS DNS servers, here is a reference:
https://support.symantec.com/us/en/article.TECH123082.html
07-16-2019 07:53 AM
Actually I am not using internal DNS. I have the option checked in the ironports to use root DNS, and this is when the failure occurs. If I use internal DNS or the ISP DNS, the query to the TXT record works.
07-16-2019 09:06 AM
Personally, I would not rely on root DNS servers. If you want to be secure, use either a locally trusted DNS server or ISP-provided DNS servers.
07-16-2019 11:32 AM
What I am seeing now is that this is not just AOL domains. In Wireshark the TXT query response includes additional nameservers, and it appears that the ironport is stopping after so many nameserver replies.
07-17-2019 07:10 AM
I think I remember reading somewhere that the Cisco best practice was to set the ironport to use root DNS servers. From the best that I can tell, the ironport uses the root DNS servers to get the nameservers of the domain in the email and then queries that domain's nameservers for the DKIM TXT record. It appears that if the TXT record returns additional nameservers in the answer, then the ironport will query the additional nameservers for the DKIM key even if it received it in the first response. I opened a case with TAC to see if this is a bug. I think any domain with 5 or more nameservers creates a tempfail on the DKIM query.
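The two-step lookup described in the post above (root servers to find the domain's nameservers, then a TXT query for the selector record), modelled offline as an added example. This is not IronPort code and not the poster's; it is a small in-memory resolver with constructed zone data (the nameserver names under `.test`, the `.test` referral at the root, the placeholder `p=` values and the per-lookup query budget are all invented here). It contrasts a resolver that accepts the first authoritative answer with one that, as the poster suspects, keeps querying every nameserver in the referral even after it already holds the key. With the constructed budget of six queries, a domain advertising five or more nameservers is exactly the case that comes back as a tempfail.

```python
"""Offline model of an iterative DKIM key lookup (added example, not IronPort code)."""

# Constructed zone data: each server knows referrals ("ns") and/or TXT data ("txt").
# The ".test" TLD, all nameserver names and the key material are made up for this model.
_BIG_NS = ["ns0.unreachable.test"] + [f"ns{i}.example-aol.test" for i in range(1, 6)]  # 6 NS, first one dead
_SMALL_NS = [f"ns{i}.small.test" for i in range(1, 5)]                                   # 4 NS
SERVERS = {
    "a.root-servers.net": {"ns": {"com.": ["a.gtld-servers.net"], "test.": ["a.gtld-servers.net"]}},
    "a.gtld-servers.net": {"ns": {"aol.com.": _BIG_NS, "small.test.": _SMALL_NS}},
}
# Placeholder DKIM records; the "p=" values are not real public keys.
_AOL_TXT = {"a2048._domainkey.aol.com.": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A_PLACEHOLDER"}
_SMALL_TXT = {"s1._domainkey.small.test.": "v=DKIM1; k=rsa; p=MIIBIjAN_PLACEHOLDER"}
for _ns in _BIG_NS[1:]:
    SERVERS[_ns] = {"txt": _AOL_TXT}
for _ns in _SMALL_NS:
    SERVERS[_ns] = {"txt": _SMALL_TXT}


def query(server: str, qname: str):
    """One query to `server`. Returns (txt_answer, referral_nameservers).

    A server missing from SERVERS models an unreachable nameserver (timeout).
    """
    zone = SERVERS.get(server)
    if zone is None:
        raise TimeoutError(server)
    txt = zone.get("txt", {}).get(qname)
    if txt is not None:
        return txt, []
    # Referral: the longest zone cut this server knows that contains qname.
    cuts = [z for z in zone.get("ns", {}) if qname.endswith(z)]
    best = max(cuts, key=len, default=None)
    return None, list(zone["ns"][best]) if best else []


def parse_dkim_record(txt: str) -> dict:
    """Parse the tag=value list of a DKIM key record (RFC 6376, section 3.6.1)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    # "v" is optional but must be DKIM1 if present; "p" (public key) is required.
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a usable DKIM key record")
    return tags


def dkim_lookup(domain: str, selector: str, query_all: bool = False, max_queries: int = 6):
    """Iterative lookup of <selector>._domainkey.<domain> starting at the root.

    query_all=False: accept the first authoritative answer (normal resolver behaviour).
    query_all=True : model of the suspected behaviour, every nameserver in the referral
                     is queried even after a good answer has already arrived.
    max_queries    : constructed stand-in for the appliance's per-lookup timeout.
    Returns ("ok", parsed_tags) or ("tempfail", reason).
    """
    qname = f"{selector}._domainkey.{domain}."
    pending = ["a.root-servers.net"]
    queries, found = 0, None
    while pending:
        if queries >= max_queries:
            # The key may already be in `found`, yet the lookup is still reported as
            # failed: this is the "tempfail key query timeout" symptom from the thread.
            return "tempfail", f"key query timeout after {queries} queries"
        server = pending.pop(0)
        queries += 1
        try:
            answer, referral = query(server, qname)
        except TimeoutError:
            continue  # dead nameserver: fall through to the next one in the list
        if answer is not None:
            found = answer
            if not query_all:
                break
        else:
            pending = referral + pending
    if found is None:
        return "tempfail", "no nameserver answered"
    return "ok", parse_dkim_record(found)


if __name__ == "__main__":
    for policy in (False, True):
        for dom, sel in (("aol.com", "a2048"), ("small.test", "s1")):
            status, detail = dkim_lookup(dom, sel, query_all=policy)
            print(f"query_all={policy!s:5} {sel}._domainkey.{dom}: {status} {detail if status != 'ok' else ''}")
```

Against a live resolver the equivalent check is to compare `dig TXT a2048._domainkey.aol.com` through the appliance's configured resolver with the same query sent directly to one of the domain's authoritative servers (`dig @<nameserver> TXT ...`); if the authoritative server answers immediately while the iterative path times out, the problem is in the iteration, not in the zone.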