08-08-2019 02:26 AM
I'm trying to add a DKIM record in our infoblox appliance for a zone we are authoritative for, but although it gets added, I cannot verify it.
Per the docs, a DKIM record is just a TXT record, so here's what I have tried:
1. In the relevant zone under DNS tab I choose the "+" to add a txt record
2. In the name field I typed: squad_14a2a3 and in the text field I entered: "v=DKIM1; k=rsa; p=MJF----QCD"
(I have also tried in the text field: "k=rsa; p=MJF----QCD" so starting from 'k' instead of 'v')
(I've changed the values slightly for privacy and snipped the 'p' value due to length).
In order to verify, I've tried a couple of online tools: https://dkimcore.org/tools/dkimrecordcheck.html, https://www.dmarcanalyzer.com/dkim/dkim-check
In the above tools, for selector I entered 'squad_14a2a3' and for domain I entered 'mydomain.com', but they return an error stating no valid DKIM record found.
I have also tried verifying via commandline:
'dig txt squad_14a2a3._domainkey.mydomain.com' but it also doesn't show any DKIM record.
Note that the DKIM key itself is valid, as when I check the key at https://dkimcore.org/tools/keycheck.html as: "v=DKIM1; k=rsa; p=MJF----QCD" it returns saying it's a valid DKIM key.
What am I missing?
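The record format and the lookup name discussed in the post above, as an added example that is not part of the original thread or of any Infoblox tooling: it parses a DKIM key record in the RFC 6376 tag=value form, runs the checks a verifier performs before it will accept the key, and builds the owner name a verifier actually queries (selector._domainkey.domain). It also compares the name typed into a zone's "name" field against that expected name, since the record is only found if the _domainkey label is part of the owner name. The key values are constructed placeholders; the selector and domain are the ones from the post.

```python
"""DKIM key record parsing and lookup-name construction.

Added example; not code from the original post or from Infoblox.
The 'v=DKIM1; k=rsa; p=...' form and the selector/domain names come from
the thread; the key values below are constructed placeholders.
"""
import base64
import binascii

# Constructed samples: SNIPPED_RECORD mirrors the post, where the key was
# cut down for privacy; VALID_RECORD carries a syntactically valid base64
# blob ("ABCD" encoded) that is NOT a real RSA key.
SNIPPED_RECORD = '"v=DKIM1; k=rsa; p=MJF----QCD"'
VALID_RECORD = '"v=DKIM1; k=rsa; p=QUJDRA=="'


def parse_dkim_tags(record):
    """Split an RFC 6376 'tag=value; tag=value' list into a dict.

    Surrounding double quotes (as printed by dig, or typed into the TXT
    field) are stripped first; an empty trailing element after a final
    ';' is allowed. Insertion order is kept so tag order can be checked.
    """
    record = record.strip().strip('"')
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag (no '='): %r" % part)
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def check_dkim_record(record):
    """Return a list of problems a verifier would stop on; [] means usable."""
    problems = []
    tags = parse_dkim_tags(record)
    # 'v' is optional, but if present it must be exactly DKIM1 and be first.
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v tag present but not 'DKIM1'")
    if "v" in tags and next(iter(tags)) != "v":
        problems.append("v tag must be the first tag")
    # 'k' defaults to rsa when absent.
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unsupported key type k=%r" % tags["k"])
    if "p" not in tags:
        problems.append("p tag (public key) missing")
    elif tags["p"] == "":
        problems.append("p tag empty: key is revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            problems.append("p tag is not valid base64")
    return problems


def dkim_lookup_name(selector, domain):
    """Name a verifier queries for TXT: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (selector.strip("."), domain.strip("."))


def owner_name_matches(entered_name, zone, selector, domain):
    """Check that a record name typed into a zone yields the DKIM owner name.

    A zone's name field holds the labels left of the zone apex, so 'sel'
    entered in zone 'example.com' becomes sel.example.com; the _domainkey
    label has to be part of what is entered (or the record has to live in
    a _domainkey subzone) for selector._domainkey.example.com to exist.
    """
    fqdn = "%s.%s" % (entered_name.strip("."), zone.strip("."))
    return fqdn.lower() == dkim_lookup_name(selector, domain).lower()
```

Running check_dkim_record on the snipped record from the post reports only that the (deliberately shortened) key is not valid base64, which is the one check the full key would pass; dkim_lookup_name("squad_14a2a3", "mydomain.com") gives the exact name the dig command in the post queries, and owner_name_matches shows which zone entries produce that name.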
08-08-2019 03:19 AM - edited 08-08-2019 03:20 AM
I do not find anything obviously wrong in your DKIM record (especially with the upper quotes in the beginning and the end). DKIM version (v=DKIM1) is a recommended field but the record is expected to work with/without it.
From my lab:
$ dig @10.192.33.224 squad_14a2a3._domainkey.mydomain.com TXT +short
"v=DKIM1; k=rsa; p=MJF----QCD"
An article which I'd written a while ago can be found at DKIM record fails to work.
It is confusing that your dig does not give you any response. Are you pointing at the right DNS server and does the client fall into the right DNS View?
08-08-2019 04:40 AM
Thanks for your quick response.
When I use +short with dig, I get nothing; if I omit +short, it gives me the normal output with dig version, header, EDNS, Question and Authority Section, but no Answer section.
We have an external view and an internal view (DNS views) for the same zone, the client should be in the internal view. I have added the record to the zone in both views and also tried with internal and external servers explicitly in the dig query, but still the same. I also tried adding t=y as shown in the article you mentioned: https://support.infoblox.com/app/answers/detail/a_id/4954/kw/DKIM, still no luck....
Our version is 8.3.4-381259, I have also tried to restart services a few times.
Not sure what is wrong.
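The symptom described in the reply above (a normal dig header plus an Authority section but no Answer section) carries more information than it first appears to, and the following added example, which is not part of the original thread or of any Infoblox tool, shows how to read it. It parses a constructed dig transcript for the name from the thread (server address, query id and SOA values are placeholders) and maps the status code, the aa flag and the Authority contents onto the next thing to check: NXDOMAIN means the owner name is absent in the view that answered, NOERROR with zero answers and an SOA in Authority (NODATA) means the name exists but holds no TXT record, a missing aa flag means the answer did not come from the zone itself, and REFUSED points at an ACL or view-match problem.

```python
"""Classify a dig response that has an Authority section but no Answer.

Added example; not from the original post or from Infoblox. The output
below is a constructed dig transcript for the name in the thread; the
server address, id and SOA values are placeholders.
"""
import re

CONSTRUCTED_DIG_OUTPUT = """\
; <<>> DiG 9.x.y <<>> @10.0.0.53 txt squad_14a2a3._domainkey.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;squad_14a2a3._domainkey.mydomain.com. IN TXT

;; AUTHORITY SECTION:
mydomain.com. 3600 IN SOA ns1.mydomain.com. hostmaster.mydomain.com. 1 7200 3600 1209600 3600
"""


def parse_dig_summary(output):
    """Pull status, flags, section counts and Authority records out of dig output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"^;; flags: ([^;]*);", output, re.M)
    counts = dict(re.findall(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)", output))
    authority = []
    in_auth = False
    for line in output.splitlines():
        if line.startswith(";; AUTHORITY SECTION:"):
            in_auth = True
            continue
        if in_auth:
            # The section ends at the first blank line or the next ';;' header.
            if not line.strip() or line.startswith(";;"):
                break
            authority.append(line.split())
    return {
        "status": status.group(1) if status else None,
        "flags": flags.group(1).split() if flags else [],
        "answer": int(counts.get("ANSWER", 0)),
        "authority_rrs": authority,
    }


def diagnose(output):
    """Map the parsed summary onto the question a DNS admin should ask next."""
    s = parse_dig_summary(output)
    has_soa = any("SOA" in rr for rr in s["authority_rrs"])
    if s["status"] == "REFUSED":
        return "REFUSED: server will not answer this client (ACL or DNS view match)"
    if "aa" not in s["flags"]:
        return "not authoritative: answer came from recursion/cache, not from the zone on this server"
    if s["status"] == "NXDOMAIN":
        return "NXDOMAIN: owner name absent in this view; check the _domainkey label and which view serves the client"
    if s["status"] == "NOERROR" and s["answer"] == 0 and has_soa:
        return "NODATA: name exists but has no TXT record in this view; check record type and data"
    if s["status"] == "NOERROR" and s["answer"] > 0:
        return "record present"
    return "unexpected: status=%s answer=%s" % (s["status"], s["answer"])
```

Pointing dig at each server in turn (as the next reply in the thread suggests) and running its output through diagnose makes it immediately visible whether the servers, or the two views, disagree with each other.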
08-08-2019 06:39 AM
Could you please edit the zone and verify the name servers/name server group it is using?
Then please login to the CLI of one of the name servers (preferably the primary) and perform
"dig @127.0.0.1 squad_14a2a3._domainkey.mydomain.com TXT"?
If that works, then "dig @LAN1/VIP squad_14a2a3._domainkey.mydomain.com TXT"
If that also works, then login to the secondary server CLI (or whichever server you believe is broken) and perform the same. If it doesn't work, and if it is a secondary server, then you would want to verify whether this server is receiving zone data from the primary via grid replication or zone transfer.
If it is set to "Zone Transfer", you would want to verify whether zone transfer for the zone is working properly.