Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4961
Views
0
Helpful
8
Replies

ESA DKIM tempfail key query timeout hotmail/sharepointonline/outlook

Beheer tno-netwerk
Level 1
Level 1

‎07-24-2018 07:53 AM

Hi,

 

all mail from Microsoft cloud domain generate a DKIM error: tempfail key query timeout

It works fine for most other domains.

 

Errors for:

(d=hotmail.com s=selector1 i=@hotmail.com)

(d=sharepointonline.com s=selector1 i=@sharepointonline.com)

(d=outlook.com s=selector1 i=@outlook.com)

(d=live.com s=selector1 i=@live.com)

 

The TXT records all resolve via a CNAME to the same TXT record (selector1._domainkey.outbound.protection.outlook.com)

 

Key length is 2048 which is allowed in the verification profile

 

Anyone an idea why?

 

Thanks,

Jacco

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Beheer tno-netwerk
Level 1
Level 1

‎07-25-2018 12:55 AM

It seems to be a DNS resolving issue.

On the ESA:

dig txt selector1._domainkey.outbound.protection.outlook.com

gives a SERVFAIL from local resolver (127.0.0.1)

dig txt selector1._domainkey.outbound.protection.outlook.com @x.x.x.x (the configured DNS resolver)

gives the correct response (NOERROR)

 

0 Helpful

Borje Bremnes
Level 1
Level 1

‎05-26-2021 05:26 AM

Anyone have a solution for this problem? As far as I can see there is a bug in ESA when the DKIM key length is 2048. Seems to get a "DKIM: tempfail key query timeout". When key length is 1024 everything works. Tried dig on the ESA and it just times out when trying to resolve dns records with key length 2048. And the same records works perfectly in mxtoolbox.com

 

Best regards

Borje

0 Helpful

SriramV
Cisco Employee
Cisco Employee
In response to Borje Bremnes

‎05-26-2021 06:32 AM

can you try using public DNS (e.g. 8.8.8.8) ?

0 Helpful

Borje Bremnes
Level 1
Level 1
In response to SriramV

‎05-26-2021 06:51 AM

If i specify name server in with dig then it works. Also with the name servers in my list.

 

dig txt selector2._domainkey.domain.com --- connection timed out; no servers could be reached (when key=2048)
dig txt selector2._domainkey.domain.com - works (when key=1024)

dig @8.8.8.8 txt selector2._domainkey.domain.com - works

but
dig @original.dns.server txt selector2._domainkey.domain.com - works also

 

Best regards

Borje

0 Helpful

SriramV
Cisco Employee
Cisco Employee
In response to Borje Bremnes

‎05-26-2021 09:23 AM

Looks like this is a issue from Gateway side, request to rise a TAC case for more investigation 

0 Helpful

Borje Bremnes
Level 1
Level 1
In response to SriramV

‎05-27-2021 03:41 AM

Ok, thanks. Will do that.

 

Best regards

Borje

0 Helpful

heiko_
Level 1
Level 1
In response to Borje Bremnes

‎11-08-2021 11:46 PM

Dear Borje,

 

did you receive feedback from Cisco TAC regarding this issue and what is the recommendation?

I am asking because I am facing the same issue with some domains (i.e. yahoo.com).

I raised a case at cisco TAC and they recommended to add alternate DNS server for the affected domains, which is not practicable in my opinion. I am wondering if it makes sense to use caching resolving server instead of DNS root server generally.

 

Best regard,

Heiko

0 Helpful

Borje Bremnes
Level 1
Level 1
In response to heiko_

‎11-09-2021 12:34 AM

Hi

 

Yes, I had TAC look into it. The problem we had was that the firewall guys had only opened udp/53 and not tcp/53. For large keys the system will automatic switch to dns over tcp. Everything worked after the firewall guys also opened tcp/53 for dns.

 

Best regards

Borje

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents