Issue with get_authoritative_server Function Failing for DKIM Check #3388

Open
jerems6 opened this issue Dec 22, 2024 · 4 comments
jerems6 commented Dec 22, 2024

Impacted versions

  • OS Type: Ubuntu
  • OS Version: 24.04
  • Database Type: PostgreSQL
  • Database version: 16.6
  • Modoboa: 2.3.4
  • Installer used: Yes
  • Webserver: Nginx

Steps to reproduce

  1. Install modoboa using installer
  2. Add a domain, with DKIM enabled, default Key selector (modoboa) and Key length 2048
  3. Generate DKIM key via the command line /srv/modoboa/env/bin/python /srv/modoboa/instance/manage.py modo manage_dkim_keys ("generate key" was not available via the web UI after the fresh installation)
  4. Add TXT record on the DNS server: modoboa._domainkey.mydomain.com (v=DKIM1;k=rsa;p=XXXXX)
  5. Wait up to 48 hours
  6. Run the command to check the DKIM: /srv/modoboa/env/bin/python /srv/modoboa/instance/manage.py modo check_mx

Current behavior

DKIM status shows "No record found"

Expected behavior

DKIM status shows record found

Proposed Fix

The get_authoritative_server function in Modoboa fails to retrieve the authoritative server during a DKIM check. The issue arises when querying with the domain like "modoboa._domainkey.mydomain.com". An exception is raised with "_domainkey.mydomain.com" of type dns.resolver.NXDOMAIN.

The function should handle dns.resolver.NXDOMAIN exceptions in addition to dns.resolver.NoAnswer, ensuring the logic continues with the domain's parent in such cases.

The issue occurs because dns.resolver.NXDOMAIN is not caught by the except block. This leads to the function halting prematurely instead of continuing to the parent domain.

except dns.resolver.NoAnswer as e:

The except block should also handle dns.resolver.NXDOMAIN to ensure the function works correctly.

New line suggested:
except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN) as e:
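
The parent-domain walk described in this issue, as an added example that is not part of the original issue and is not Modoboa's code. It assumes stand-in exception classes in place of dns.resolver.NoAnswer and dns.resolver.NXDOMAIN, a hypothetical resolver stub, and a constructed zone, so it runs without network access:

```python
# Added illustration: stand-in exceptions and a constructed zone, no network access.
class NoAnswer(Exception):
    """Stand-in for dns.resolver.NoAnswer: name exists, no record of that type."""

class NXDOMAIN(Exception):
    """Stand-in for dns.resolver.NXDOMAIN: the resolver says the name does not exist."""

# Constructed data modelling the report: NS records exist only at the zone apex,
# and the resolver answers NXDOMAIN for the intermediate "_domainkey" label.
FAKE_NS = {"mydomain.com": ["ns1.example.net."]}
FAKE_NXDOMAIN = {"_domainkey.mydomain.com"}

def fake_ns_query(name):
    """Hypothetical resolver stub: return NS targets or raise as a resolver would."""
    if name in FAKE_NXDOMAIN:
        raise NXDOMAIN(name)
    if name not in FAKE_NS:
        raise NoAnswer(name)
    return FAKE_NS[name]

def find_authoritative(name, query, walk_on):
    """Walk from `name` towards the root until an NS answer is found.

    `walk_on` is the tuple of exception types that mean "try the parent".
    Returns (zone, ns_list, names_tried); zone is None if nothing answered.
    """
    labels = name.rstrip(".").split(".")
    tried = []
    while len(labels) > 1:  # stop before querying a bare TLD
        candidate = ".".join(labels)
        tried.append(candidate)
        try:
            return candidate, query(candidate), tried
        except walk_on:
            labels = labels[1:]  # drop the leftmost label and retry
    return None, [], tried

def compare(name="modoboa._domainkey.mydomain.com"):
    """Run the walk with the narrow and the widened except clause."""
    try:
        narrow = find_authoritative(name, fake_ns_query, (NoAnswer,))
    except NXDOMAIN as exc:
        narrow = ("aborted", str(exc))  # the walk stops at the first NXDOMAIN
    wide = find_authoritative(name, fake_ns_query, (NoAnswer, NXDOMAIN))
    return narrow, wide
```

With only NoAnswer caught, the walk aborts at the second label; with both caught, it reaches the zone apex and returns its name servers.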

@tonioo
Member

tonioo commented Jan 16, 2025

Why does the resolution fail if you properly declared your record?

@Spitfireap
Member

Perhaps @arthru if you could enlighten us with your DNS knowledge? :D

@arthru
Contributor

arthru commented Jan 16, 2025

NXDOMAIN happens when a name could not be resolved

it can happen when asking for an NS record for "modoboa._domainkey.mydomain.com"

based on reading this issue, the proposed fix looks good to me, but I did not test it myself

@Spitfireap
Member

Thanks @arthru.

@jerems6 are you able to open a PR?
