ESA Domain Profile Test - Warning DNS Lookup Failure

Jewelles18
Level 1

I am setting up DKIM as per Cisco's instructions. I have generated a key and a domain profile, and put the ESA-generated DNS TXT record into my DNS. If I test the DNS for DKIM from an external website, the DKIM entry is seen. However, if I use the Test link in the ESA Domain Profile I get 'Warning DNS Lookup Failure'. Cisco's instructions are very specific about giving DNS time to propagate, but it has been 24 hrs. How does the test work? What are the likely reasons for the error (given that external websites can see the DKIM entry)?

3 Replies

It's hitting the DNS servers that the ESA is using...

So if you're using split DNS for your domain and your ESA is pointed at your internal DNS servers, this will fail unless you set up the records on your internal DNS servers too... which makes it hard to really test that it's right...

Point your ESA's DNS servers at some external DNS servers (submit/commit), and then test this.

You are quite right, the ESA was probably using the internal DNS (priority 20) so I promoted an external DNS server to (15), and cleared the DNS cache.  But, I am still getting the same error.  I have checked and the external DNS is definitely active.

ppreenja
Cisco Employee
Hello Jewelles18,

From what I understand of the error, your ESA is trying to look for the domain key (public key) in your DNS records, but the DNS is not giving a response. In other words, this could mean that the TXT record for your DKIM public key is not published correctly in your DNS domain.

I believe that a warning was generated to you as “warning – DNS lookup failure: abab._domainkey.xyz.com” when you clicked Test on the DKIM signing profile. This ensures that the valid DNS record is not populated in your domain’s DNS record as suggested by the ESA.

Please click "Generate" in the column "DNS Text Record" for the signing profile [ xyz_com ] and copy the DNS record that is generated. It should look similar to the following:
abab._domainkey.xyzs.com. IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMaX6wMAk4iQoLNW........Wgktzc1q7zIgWM8usHfKVWFzYgnattNzyEqHsfI7lGilz5gdHBOvhbJJJb24" "KtGrTtvIxJM8pWeJm6pg6....cy0FypS2azkrl9riJcWWDvu38JXFL/eeYfg......GaWx1bWjepyNQZ1PrS6Zwr7.......uCid5JAq0z+IcH4KkHqUueSGuGhwIDAQAB;"

Please copy and paste the value in the DNS record and try again.

I hope the above info is helpful.

Cheers,
Pratham
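
An added example, not part of the thread and not Cisco's tooling: an offline check of a DKIM TXT record line as it would be pasted into a zone, covering the hostname (`selector._domainkey.domain`), the 255-character limit per quoted string, and whether the joined `p=` value is valid base64. The function names and both sample records are constructed for illustration; the key bytes are placeholders, not a real RSA key.

```python
import base64
import re

def parse_dkim_txt(zone_line):
    """Split '<name> IN TXT "s1" "s2"' into (name, [s1, s2])."""
    m = re.match(r'\s*(\S+)\s+(?:\d+\s+)?IN\s+TXT\s+(.*)$', zone_line, re.S)
    if not m:
        raise ValueError("not an 'IN TXT' record line")
    chunks = re.findall(r'"([^"]*)"', m.group(2))
    if not chunks:
        raise ValueError("no quoted strings in TXT data")
    return m.group(1).rstrip("."), chunks

def check_dkim_record(zone_line, selector, domain):
    """Return a list of problems; an empty list means the text looks publishable."""
    problems = []
    name, chunks = parse_dkim_txt(zone_line)
    expected = f"{selector}._domainkey.{domain}".lower()
    if name.lower() != expected:
        problems.append(f"name is {name}, expected {expected}")
    for i, chunk in enumerate(chunks):
        if len(chunk) > 255:
            problems.append(f"string {i} is {len(chunk)} chars; limit is 255")
    # Verifiers concatenate the quoted strings with nothing in between.
    tags = {}
    for part in "".join(chunks).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        problems.append("p= tag missing or empty")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= value is not valid base64")
    return problems

# Constructed samples: placeholder key bytes split across two quoted strings.
_KEY = base64.b64encode(bytes(range(120))).decode()
SAMPLE_GOOD = f'abab._domainkey.xyz.com. IN TXT "v=DKIM1; p={_KEY[:80]}" "{_KEY[80:]};"'
# Same record with a different hostname and elision dots left inside the key.
SAMPLE_BAD = f'abab._domainkey.xyzs.com. IN TXT "v=DKIM1; p={_KEY[:80]}...." "{_KEY[80:]};"'

if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_GOOD, "abab", "xyz.com"))
    print(check_dkim_record(SAMPLE_BAD, "abab", "xyz.com"))
```

This only validates the record text; it does not query DNS, so it cannot tell which resolver the ESA is using.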