Unable to resolve DKIM TXT record

I've installed and configured OpenDKIM and SPF TXT records on Ubuntu 18.04 LTS. However, I'm unable to resolve my DKIM TXT record. I'm running NSD as my DNS server, and the zone is configured in mydomain.com.zone.

My SPF record for mydomain.com returns OK:

[email protected]:# nslookup -q=txt mydomain.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
mydomain.com text = "v=spf1 mx a ip4:1.2.3.4 -all"

Authoritative answers can be found from:  

However, my DKIM record for mydomain.com returns no answer:

[email protected]# nslookup -q=txt mail._domainkey.mydomain.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
*** Can't find mail._domainkey.mydomain.com: No answer

Authoritative answers can be found from:

dig output against public DNS:

[email protected]:# dig @8.8.8.8 mydomain.com TXT +short
"v=spf1 mx a ip4:1.2.3.4 -all"
[email protected]:# dig @8.8.8.8 mail._domainkey.mydomain.com TXT +short
[email protected]:#

Zone file:

[email protected]:#cat /etc/nsd/zones/mydomain.com.zone

$ORIGIN mydomain.com.
$TTL 1800

@        IN         SOA         ns1.mydomain.com.     domains.mydomain.com. (
                                2018050101
                                3600
                                900
                                1209600
                                1800
                                )

@        IN         NS          ns1.mydomain.com.
@        IN         NS          ns2.mydomain.com.
@        IN         A           1.2.3.4
@        IN         MX          10 mail.mydomain.com.
@        IN         TXT         "v=spf1 mx a ip4:1.2.3.4 -all"

mail._domainkey     TXT         (
                                 "v=DKIM1\059 h=sha256\059 k=rsa\059 p=ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                 "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJK" )

ns1      IN          A           1.2.3.4
ns2      IN          A           1.2.3.4
www      IN          A           1.2.3.4
ftp      IN          A           1.2.3.4
mail     IN          A           1.2.3.4
*        IN          A           1.2.3.4

Everything OK here:

[email protected]:# nsd-checkzone mydomain.com mydomain.com.zone
zone mydomain.com is ok

However, running opendkim-testkey, it returns a "No key" error:

[email protected]:# opendkim-testkey -d mydomain.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.mydomain.com'
opendkim-testkey: No key

Configuration output:

[email protected]:# tree /etc/opendkim
/etc/opendkim
|-- keys
|   `-- mydomain.com
|       |-- mail.private
|       `-- mail.txt
|-- key.table
|-- signing.table
`-- trusted.hosts
2 directories, 5 files

[email protected]:/# cat /etc/opendkim/key.table
mail._domainkey.mydomain.com mydomain.com:mail:/etc/opendkim/keys/mydomain.com/mail.private

[email protected]:/# cat /etc/opendkim/signing.table
*@mydomain.com mail._domainkey.mydomain.com

[email protected]:/# cat /etc/opendkim.conf
Syslog yes
SyslogSuccess Yes
LogWhy Yes
UMask 002
UserID opendkim:opendkim
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
ExternalIgnoreList refile:/etc/opendkim/trusted.hosts
InternalHosts refile:/etc/opendkim/trusted.hosts
Canonicalization relaxed/simple
Mode sv
ADSPAction continue
AutoRestart yes
AutoRestartRate 10/1M
SignatureAlgorithm rsa-sha256
Socket inet:[email protected]
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From

1 Reply

You must reload with nsd-control reconfig to allow DKIM TXT changes to take effect. Check nsd.conf and ensure that zone entries point to the correct zone files.

[email protected]:/etc/nsd# cat nsd.conf
server:
        ip-address: 127.0.0.1
        ip-address: 1.2.3.4
        username: nsd
        hide-version: yes
        zonesdir: "/etc/nsd/zones/"
        logfile: "/var/log/nsd.log"
        pidfile: "/run/nsd/nsd.pid"

# zone entry for mydomain.com
zone:
        name: mydomain.com
        zonefile: mydomain.com.zone


[email protected]:/etc/nsd# vim nsd.conf
[email protected]:/etc/nsd# nsd-control reconfig
reconfig start, read /etc/nsd/nsd.conf
ok
[email protected]:/etc/nsd# opendkim-testkey -d mydomain.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.mydomain.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

[email protected]:/etc/nsd# dig @8.8.8.8 mail._domainkey.mydomain.com TXT +short
"v=DKIM1; h=sha256; k=rsa; p=ABCDEFGHIJKLMNOPQRSTUVWXYZ" 
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"

[email protected]:/etc/nsd# nslookup -q=txt mail._domainkey.myhost.com ns1.myhost.com
Server:         ns1.myhost.com
Address:        1.2.3.4#53

mail._domainkey.mydomain.com  text = "v=DKIM1; h=sha256; k=rsa; p=ABCDEFGHIJKLMNOPQRSTUVWXYZ" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
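
Once the server answers, the DKIM key comes back as several quoted strings, as in the dig and nslookup output above. The following Python is an added example, not part of the original thread and not OpenDKIM code: it decodes the zone-file form (\059 escapes, multiple strings), joins the strings with no separator, and checks the DKIM tags. The function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample (placeholder key, not a real one): TXT rdata as written in a zone file.
ZONE_RDATA = r'''( "v=DKIM1\059 h=sha256\059 k=rsa\059 p=QUJDREVG"
                   "R0hJSktM" )'''

def _unescape(m):
    esc = m.group(1)
    # \DDD is a decimal byte value (\059 is ';'); \X is the literal character X
    return chr(int(esc)) if len(esc) == 3 else esc

def txt_strings(rdata):
    """Split TXT rdata (zone-file or dig presentation form) into its character-strings."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return [re.sub(r'\\(\d{3}|.)', _unescape, q) for q in quoted]

def parse_dkim(strings):
    """Join the strings with no separator, then read the tag=value list."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def check_dkim(strings):
    """Return a list of problems found in a DKIM key record (empty list: none found)."""
    problems = []
    if any(len(s.encode()) > 255 for s in strings):
        problems.append("character-string longer than 255 bytes")
    tags = parse_dkim(strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected v= value")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type in k=")
    key = "".join(tags.get("p", "").split())  # whitespace inside p= is ignored
    if "p" not in tags:
        problems.append("missing p= tag")
    elif key == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

if __name__ == "__main__":
    print(check_dkim(txt_strings(ZONE_RDATA)) or "record looks well-formed")
```

The same functions accept a line of dig +short output, including versions of dig that print the separators as \; inside the quotes.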
