Paul Stead @ 17/9/2022 15:04 -0300 dixit:
I was able to replicate this using an Unbound setup to not respond to UDP messages larger than 1500.

In the first instance I'd suggest checking your DNS server setup that it's able to respond to UDP packets larger than ~1552 - 4096 is default on Unbound -

server:
         max-udp-size: 4096

I can confirm that AskDNS (and other DNS requests going via async->bgsend_and_start_lookup and resolver) don't fall back to TCP if the truncated bit is set - this is hardcoded in the DnsResolver.pm module. I have had some success in writing a patch for this which I'll submit to BZ after some cleanup.

Paul

Thanks.
I have been digging (pun intended :) and I see that askdns does fall back to TCP, but does not try to resolve the redirected SPF domain. I don't know if that's because of the number of TXT RRs involved or what.

I've seen a bug (https://www.mail-archive.com/search?l=d...@spamassassin.apache.org&q=subject:%22%5C%5BBug+7777%5C%5D+askdns+problem+with+multi%5C-valued+resource+records%22&o=newest) related to not using multiple RRs values, but that seems not present on 3.4.6.

-Carlos



On Fri, 16 Sept 2022 at 22:05, Carlos G Mendioroz via users <users@spamassassin.apache.org> wrote:

    Hi,
    I'm facing a problem with SA, that seems to be related to askdns.

    Mail server on Ubuntu 22.04 LTS, spamassassin 3.4.6 via exim4. Local
    bind9 DNS server.

    Mail received from webex.com does not get SPF checked, which in turn
    triggers a local rule:
    meta DMARK_REJECT !(DKIM_VALID_AU || SPF_PASS || NO_RELAYS)

    Webex does not use DKIM, but it has a kind of complex SPF setup, that
    may be ok (not 100% sure, but they are cisco after all ?)

    After enabling debug I can see that the TXT query returns 0 RRs:

    Sep 16 11:45:39 doors spamd[462278]: askdns: answer received, rcode NOERROR, query IN/TXT/webex.com, answer has 0 records

    while dig has a different idea:

    dig -t TXT webex.com
    ;; Truncated, retrying in TCP mode.

    ; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> -t TXT webex.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56230
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: b7c24959678df920010000006324d83008d33f7982f281d1 (good)
    ;; QUESTION SECTION:
    ;webex.com.                     IN      TXT

    ;; ANSWER SECTION:
    webex.com.              300     IN      TXT  "google-site-verification=qXk-s_bdPaqiuaDN9jJCQjvNyw_hVkxXDhkm-1mZn14"
    webex.com.              300     IN      TXT  "slimtesttxt20170824002"
    webex.com.              300     IN      TXT  "QuoVadis=c1bf1f71-e21f-4ef5-92d9-3285c488767a"
    webex.com.              300     IN      TXT  "google-site-verification=BEWshakJYRMouwSQKX3vk5144-qUL1wwUWLU-XtfQ"
    webex.com.              300     IN      TXT  "slimtesttxt20170824001"
    webex.com.              300     IN      TXT  "MS=ms74589643"
    webex.com.              300     IN      TXT  "google-site-verification=BEWshakJYRMouwSQKX_3vk5_144-qUL1wwUWLU-XtfQ"
    webex.com.              300     IN      TXT  "identrust_validate=5g4Ebjbv8fCTROWcobqHmDRBtTU+zBMHM1AiuGdcCbtd"
    webex.com.              300     IN      TXT  "MS=ms61160488"
    webex.com.              300     IN      TXT  "QuoVadis=5a740d9e-6664-4d4c-8d87-716da9d530a7"
    webex.com.              300     IN      TXT  "MS=ms67549965"
    webex.com.              300     IN      TXT  "identrust_validate=08N0ASND+yUGXL08IVK8mdMWNhvz1ZqiXe6WCC5eI2e/"
    webex.com.              300     IN      TXT  "v=spf1 redirect=_spf.webex.com"
    webex.com.              300     IN      TXT  "lqucp0f6u7alqi7kgrjo5vsov5"
    webex.com.              300     IN      TXT  "QuoVadis=eed4c791-aa21-4b45-8c91-2d83a93af871"
    webex.com.              300     IN      TXT  "lrg2pr6u4ubansuv47jtmmfd3p"
    webex.com.              300     IN      TXT  " ms93683787.msv1.invalid"
    webex.com.              300     IN      TXT  "amazonses:n3XkGYyvmC8SrhX+CqICjY4eWnyKFwPo6mdHTMsmeu4="
    webex.com.              300     IN      TXT  "9cef3rr776cnjs1cu53q6hrium"
    webex.com.              300     IN      TXT  "google-site-verification=3NhfQ1u_2ogGy3CA8qlIfFtMlW_nhx-VO85vAhT15a0"
    webex.com.              300     IN      TXT  "identrust_validate=bCd4oCoacz6pZ8C8/IRU0rItc1avij7uuIRBeMwUxa8T"
    webex.com.              300     IN      TXT  "google-site-verification=t2i1Swk8XPQDj6Llz_4Uxu3OKL3wfO_aaxYylFmQ8MU"
    webex.com.              300     IN      TXT  "MS=ms93683787"
    webex.com.              300     IN      TXT  "google-site-verification=Z4Iwv_W8wkGKrlaPKLdcm3C_LDCydAJD6z3L1MAP7DI"
    webex.com.              300     IN      TXT  "google-site-verification=fHXTAHXgtW5_Dzt4PHZKGF2PAI0r6PEHqmHJbkxo4_k"
    webex.com.              300     IN      TXT  "google-site-verification=D1PXZV2EBUXGvgJdUWr3cahNprUgckDpzo8MgniDQHk"

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
    ;; WHEN: Fri Sep 16 17:10:24 -03 2022
    ;; MSG SIZE  rcvd: 1552

    which leads me to believe askdns might not support tcp for resolving ?
    In any case, help ?
    TIA
    -- Carlos G Mendioroz  <t...@huapi.ba.ar> LW7 EQI  Argentina


--
Carlos G Mendioroz  <t...@huapi.ba.ar>  LW7 EQI  Argentina
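
The symptom discussed in this thread (a UDP reply reported as NOERROR with 0 records while dig retries over TCP and gets 26) comes down to the TC bit in the DNS header. The following is an added example, not SpamAssassin code and not written by either poster: it builds two constructed DNS messages and shows the header check a client needs before trusting an empty answer. The function names and sample messages are assumptions made for illustration.

```python
import struct

TC_FLAG = 0x0200      # "truncated" bit in the DNS header flags word (RFC 1035)
QTYPE_TXT = 16

def build_response(qname, txt_answers, tc=False, msg_id=0x1234):
    """Build a constructed DNS TXT response (sample data, not a real capture)."""
    flags = 0x8180 | (TC_FLAG if tc else 0)   # QR=1, RD=1, RA=1, rcode NOERROR
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack("!6H", msg_id, flags, 1, len(txt_answers), 0, 0)
    msg += name + struct.pack("!2H", QTYPE_TXT, 1)
    for txt in txt_answers:
        rdata = bytes([len(txt)]) + txt.encode()
        # 0xC00C is a compression pointer back to the question name (offset 12)
        msg += struct.pack("!HHHIH", 0xC00C, QTYPE_TXT, 1, 300, len(rdata)) + rdata
    return msg

def inspect_header(msg):
    """Return (rcode, truncated, answer_count) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return flags & 0x000F, bool(flags & TC_FLAG), ancount

def next_step(udp_reply):
    """Decide what a client should do with a reply received over UDP."""
    rcode, truncated, ancount = inspect_header(udp_reply)
    if truncated:
        return "retry-tcp"      # a TC=1 reply is never the final answer
    if rcode != 0:
        return "error"
    return "use-answer" if ancount else "nodata"

# Constructed samples: a server that cannot fit the RRset in UDP commonly
# returns an empty answer section with TC=1; the second is a full reply.
SAMPLE_TRUNCATED = build_response("webex.com", [], tc=True)
SAMPLE_FULL = build_response("webex.com", ["v=spf1 redirect=_spf.webex.com"])

if __name__ == "__main__":
    for label, msg in (("truncated", SAMPLE_TRUNCATED), ("full", SAMPLE_FULL)):
        print(label, inspect_header(msg), next_step(msg))
```

A client that reads only the rcode and answer count of the first sample sees "NOERROR, 0 records", which is indistinguishable from a domain with no TXT records unless the TC bit is checked.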
