DKIM records not matching

Sorry, now I got it. Thanks for the explanation.

It seems to come from the way you registered the DKIM.

Please compare your record to mine

your DKIM record

[root@ns7loc6 ~]# /usr/bin/dig @1.1.1.1 +short +tries=1 +retry=0 +time=2 default._domainkey.domain.com TXT
"v=DKIM1; k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0LJtESK0G5LJ3euhIpLRyXlJyVOrw7exuztpOurn+/CYIYrpKVyBEdYBwlU2fOpSITJotK6dL2oOuhVnfCt6DhtSrTlA+jAvbHFsAraOm50dONtA9UllyKqjBPjYUP3VgPfTrHdC0r6oz1VcHb8JEuY9aDMb5EG8p155ZUpsrPYLn/m2Fq6nf5w/0g1/liPF3zFdLY8N61Vfgj3o" "X1dIhGGKVECPapA4Nh2tP+tznVaD6saMpH9POjHAmOPZ56ZaCrbdyChPKXh6ntwscb75QILhjuvLnmkfKsanO3bjJrIRl9tR25RhOEGnxwzAzqrxGvh+wj+bd2tDvVsLYcmiQIDAQAB"

my DKIM record

[root@ns7loc6 ~]# /usr/bin/dig @1.1.1.1 +short +tries=1 +retry=0 +time=2 default._domainkey.domain.com TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnDHXY9axEEi2mNiPJarErUkCdnuCIo3pLidherVt+6z6NHrB/Fwc2BWwK97qH9APzbo4cBhm/wtbXAiRnNlcTBMkG4P4lm09a/dR6spVsJ72QMrr+V5M04sLQ+76Ru4K6Pj4iyHJmBlAvORS3v4tpoZgXipi4o9qmbPvcT7JzXucICZ6q5gSKuyQRrKlZKL55" "TR7GWTCJ6VVLhbis74HlMNWfwjhJmcz3z1zMnNKHsDSaQfLplDBi5c3gZFG8hJ7mBVA1fGZHD4SeDv5mSYQrBgFT5Hgij67eSmYtZ5GcMPyn7q3aobCDXHvWVTFQD1x5SNIJohYTBuPQ7SfRNs17QIDAQAB;"

your record

"v=DKIM1; k=rsa;"

my record

"v=DKIM1; k=rsa;

From what I could see with two DNS registrars (IONOS and OVH), I can see the same way to set the DKIM, obviously without errors for our status:

"v=DKIM1; k=rsa; p=MIIBIjAN.......................................;"

Maybe the DNS registrars are tolerant, or maybe we have a bug inside our regex, but AFAIK you are the only one with this issue.

2 Likes

Thank you for looking into it. What do you propose/suggest? When I look into the record in the DNS editor where I can create records, I do not see any "

The value/content is: v=DKIM1; k=rsa; p=MIIB…

Should I open a ticket at the provider? And, if so, what exactly to state?

I am the only one because probably no one else is using this registrar with a NethServer. I cannot determine if it is an error on the registrar side or if it's a bug inside the neth regex. Please advise. I mean, at least I know that the mails are considered correctly signed with DKIM, but I'd like to know if I should ask the registrar or if the neth devs will have to fix this inside neth.

Or would you suggest to just ignore?

Don't know, DNS is hell, each registrar has its default.

I tried moving /etc/opendkim away and reinstalling opendkim to see if it recreates a new key, but that does not work either, as the key remains empty then. Is there a way to reset the configuration? I mean, maybe the first time I created the key something could have gone wrong.

Not a key issue, just how the key is returned by dig and how we compare it. Try to see if you can set it again at your registrar.

Did that multiple times. Once I tried to copy the first option, once the second one (raw form). Tried putting everything in between " ". No success.

Another example from DigitalOcean:

[root@ns7loc6 ~]# /usr/bin/dig @1.1.1.1 +short +tries=1 +retry=0 +time=2 default._domainkey.nethesis.it TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyU2sNCyZ5SIGiC8kXRVE7ntL2WYr24KniGWxfyXfJkRY2jYKCE+LmmDPVNRnEamGbx2zst7n9WtD12UWLr6qJrfTVmRZah9KyHUfYD/a3/2xPI4cCHTv29WXs0gD73VPQ/CJ7tq+GyPWGVjTe7r13X05qTxT63Pd95UlsW9XKfsEUEDfqhIr4Ngli9ErKB5Wq" "fsgiP0zegkO0QoX8wadi0NbP43W8kpd2y7q46ZfUWy11ls9m3xeHr2I6uzbeDPMsfW61vdA6s1tBqB8Tvc2U1y9pO/CQHFp7LqRgBnh0ETovrx8mUl44QZx3oSZxLLEIz/n5qWV/xJ0qg9cILpZIwIDAQAB;"

Another example from o2switch (a little French registrar):

[root@ns7loc6 ~]# /usr/bin/dig @1.1.1.1 +short +tries=1 +retry=0 +time=2 default._domainkey.aru2l.net TXT
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgvGUYXbecltc41hFGbseMLU239FEQlj7IzHehCK43c9NwD+MYlBIIPzUL6pNs6zogUabCFz/DawqWwhEg1nn8RR5dm2Dc0KKE0RsRQqGJpvn24S46y/+cQ7zqrMrldcUTFtsLuIIEgLORqM1MqnHZeD6iRdTdNBw5kfFyA/Mzta8Ncxex9d3PT2vnIOwB7Df" "S72WpGv1vhaqbGdMyDbhvoCE7j/1aV68+jC9ZJ3yTrV6SxsFzZzoLs70I+Ya6J0U38hFCizE1/RVr9oGn2nljKWdem73T82pfZI4+JKD0B1mpij64fL/zWAuDTjjWfD2XRDZWTQWh+BdQxHN2VeaQIDAQAB;"

When you set it, you do not need to add it.

There is no double quote here; you have to set it yourself, and it depends on each DNS registrar.

You can try and come back with the answer, but I feel you have an issue and I am not sure we have to fix it.

That's what I don't understand: where do the double quotes in the raw form copy in Cockpit come from then? They are already there in Cockpit and correspond to what gets replied by dig. That's why I thought it might be worth a try to reset opendkim somehow and try with a new configuration/new key.

Edit: I only see the " in the raw option below, not the one you screenshotted.

But I certainly can open a ticket and see what they say.

Did you already try to enter the raw format (starting with the first double quote)?

Maybe the missing space before the double quote causes problems?


OK, that looks wrong, they seem to add the double quotes, so you need to paste the record data.

Good idea.

1 Like
1 Like

Thanks dnutan and all others writing in this post and looking into it. I am waiting for the registrar's reply to the ticket I opened. Either they can remove the double quotes, or they will answer that they are correct and I'd expect that there will be a fix in NethServer. In any case thanks a lot for your valuable support, guys :+1: :sweat_smile:

2 Likes

You can live with it; it is just the regex of the UI that does not match how you recorded the DNS TXT field. It is true that you can read some double quotes in /etc/opendkim/default.txt, but opendkim needs them to split the 1024-length key. However, you do not need to put them in the DNS registrar.

If you did it, you are wrong.

As you can see, your registrar or you (in the end you set it yourself) create an issue that we cannot (at the moment) see with other DNS registrars.

In fact we split on the first double quote in our regex and compare with what we find from dig (by querying your DNS registrar). Mail-tester does it differently: it compares the signature of the email you sent with the public key it retrieves via dig.

Two different ways.

Let's wait for the DNS registrar's answer.

When I record the TXT field at my registrar there is no double quote.
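The two comparisons discussed in this thread (the record as dig returns it split into several quoted strings, versus the key in /etc/opendkim/default.txt) can be checked without relying on a "split at the first double quote" regex. The script below is an added example and is not NethServer's or opendkim's code: it joins the quoted character-strings of the TXT answer the way a DKIM verifier does, parses the tag list, and compares the p= value with the one parsed out of the opendkim-genkey zone snippet. It also flags the failure mode the thread ends up with, namely quote characters stored as part of the record data, which dig shows as escaped quotes inside a single string. The dig outputs and the default.txt content are constructed, truncated samples (the assumed key material is only the standard RSA key prefix), not real keys.

```python
"""Compare a dig +short DKIM TXT answer with the key opendkim generated.

Added example, not NethServer's code.  Assumes dig `+short` output as shown
in the thread and the zone-file layout opendkim-genkey writes to default.txt.
All sample inputs below are constructed and truncated, not real keys.
"""
import base64
import re

# A TXT RDATA is one or more <character-string>s; dig prints each one in
# double quotes.  Inside a string a literal quote or backslash is escaped.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def join_txt_strings(text: str) -> str:
    """Concatenate the quoted character-strings of a TXT record.

    A DKIM verifier joins them with no separator (RFC 6376 section 3.6.2.2),
    so "v=DKIM1; k=rsa;" "p=MIIB..." is the same record as one long string.
    """
    parts = _QUOTED.findall(text)
    if not parts:
        raise ValueError("no quoted character-strings found")
    # Drop the backslash of each escape sequence (\" and \\).
    return "".join(re.sub(r"\\(.)", r"\1", part) for part in parts)


def parse_dkim_tags(record: str) -> dict:
    """Split a tag=value list; whitespace is folded out of the base64 p= value."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag (no '='): {item!r}")
        name, value = item.split("=", 1)
        name, value = name.strip(), value.strip()
        if name == "p":
            value = re.sub(r"\s+", "", value)
        tags[name] = value
    return tags


def public_key_from_opendkim_txt(zone_text: str) -> str:
    """Extract p= from the default.txt snippet opendkim-genkey writes.

    The file splits the key across several quoted strings (a character-string
    holds at most 255 bytes); those quotes are zone-file syntax, not data.
    """
    return parse_dkim_tags(join_txt_strings(zone_text))["p"]


def check_dkim_record(dig_output: str, expected_pubkey: str) -> dict:
    """Return {"ok": bool, "problems": [...]} for a dig +short TXT answer."""
    problems = []
    try:
        record = join_txt_strings(dig_output)
    except ValueError as exc:
        return {"ok": False, "problems": [str(exc)]}
    if '"' in record:
        # Quotes survived unescaping, so the record data itself contains
        # quote characters: they were pasted into the registrar's form.
        problems.append("literal double quotes inside TXT record data")
    try:
        tags = parse_dkim_tags(record)
    except ValueError as exc:
        return {"ok": False, "problems": problems + [str(exc)]}
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected v= tag: {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected k= tag: {tags['k']!r}")
    pub = tags.get("p")
    if not pub:
        problems.append("no p= tag (an empty p= means the key is revoked)")
    else:
        try:
            base64.b64decode(pub, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            problems.append("p= is not valid base64")
        if pub != re.sub(r"\s+", "", expected_pubkey):
            problems.append("p= does not match the local public key")
    return {"ok": not problems, "problems": problems}


# Constructed sample: dig +short output for a correctly stored record, with
# the key split across strings the way the thread's dig output shows.
DIG_OK = '"v=DKIM1; k=rsa;" "p=MIIBIjANBgkqhkiG9w0BAQEF" "AAOCAQ8AMIIBCgKCAQEA"'

# Constructed sample: the quote characters themselves were pasted into the
# record, so dig shows them escaped inside a single string.
DIG_BAD = '"\\"v=DKIM1; k=rsa;\\" \\"p=MIIBIjANBgkqhkiG9w0BAQEF\\""'

# Constructed sample in the layout of /etc/opendkim/default.txt.
OPENDKIM_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEF"\n'
    '\t  "AAOCAQ8AMIIBCgKCAQEA" )  ; ----- DKIM key default for example.com\n'
)

if __name__ == "__main__":
    local_key = public_key_from_opendkim_txt(OPENDKIM_TXT)
    for label, answer in (("good", DIG_OK), ("bad", DIG_BAD)):
        print(label, check_dkim_record(answer, local_key))
```

Against a live zone you would feed `check_dkim_record` the line that `dig @1.1.1.1 +short default._domainkey.<domain> TXT` prints and the contents of `/etc/opendkim/default.txt`; a verdict of "literal double quotes inside TXT record data" is the signature of quotes having been entered as data at the registrar, while "p= does not match" with no other problem points at a stale or different key rather than a formatting issue.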

Same here. The screenshot is from neth-cockpit.

BTW, the registrar replied that at first they didn't see a problem. After I insisted, they said they recreated the record and now we have to wait 6 hours and then check again. They confirmed that in the web portal everything was set correctly and suspect some problem with formatting while copying. They say there was an error copying the values in PowerShell with an additional , char that should not have been there, and suspect that something similar could have happened with the " chars.

Anyway, dig @their server and @8.8.8.8 are already looking promising; @1.1.1.1 is still showing the old values. NethServer is still saying records not matching, but hopefully it is just a matter of time. The DNS of this NethServer is my Pi-hole, which has 1.1.1.1 configured as upstream DNS server.

1 Like