Maintained by: NLnet Labs

FW: Validation failure signature crypto failed

W.C.A. Wijngaards
Tue Jan 24 16:56:05 CET 2017


Hi Jac,

I don't really know about postfix or email, but 'signature crypto
failed' means that the data did not match the signature.  Thus SERVFAIL
is the correct rcode.

It means that the contents of the TXT record have been altered, and the
text in it does not match the RRSIG digital signature.  If this was a
spurious technical failure, it could be due to upper/lowercase somehow
getting changed (inside the text record), or people editing the contents
by hand without running the signer again.

Best regards, Wouter

On 24/01/17 16:44, Jac Backus via Unbound-users wrote:
> Hello,
>
> I have a FreeBSD server with Unbound .1.5.7 as a resolver.
>
> I use Postfix for mail and postfix-policyd-spf-perl to check SPF.
>
> My problem is that mail from a certain domain is refused.
>
> When I test, I see this:
>
> # perl /usr/local/libexec/postfix-policyd-spf-perl
> request=smtpd_access_policy
> protocol_state=RCPT
> protocol_name=SMTP
> helo_name=mail.acme.com
> queue_id=8045F2AB23
> sender=j.doe at acme.com
> recipient=me at company.com
> client_address=1.1.1.1
> client_name=mail.company.com
>
> action=DEFER_IF_PERMIT SPF-Result=mail.acme.com: 'SERVFAIL' error on DNS
> 'TXT' lookup of 'mail.acme.com'
>
> This is in unbound.log:
>
> Reason for the SERVFAIL:
>
> Jan 24 13:44:25 unbound[487:0] info: response for mail.acme.com. TXT IN
> Jan 24 13:44:25 unbound[487:0] info: reply from <acme.com.> 2.2.2.2#53
> Jan 24 13:44:25 unbound[487:0] info: query response was ANSWER
> Jan 24 13:44:25 unbound[487:0] info: Validate: message contains bad rrsets
> Jan 24 13:44:25 unbound[487:0] info: validation failure <mail.acme.com.
> TXT IN>: signature crypto failed from 2.2.2.2
>
> Is this a valid SERVFAIL?
>
> Could someone help me? Thanks.
>
> With kind regards,
>
> Jac
> 
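
Added example, not part of the original message and not Unbound's code: a sketch of why a case change inside a TXT record breaks its RRSIG while a case change in the owner name does not. It builds the data an RRSIG covers in the canonical form of RFC 4034 (lowercased names, RDATA bytes untouched) and compares SHA-256 digests instead of doing a full public-key verification; the SPF text, timestamps and key tag are constructed sample values, and algorithm 8 (RSASHA256) is an assumption.

```python
import hashlib
import struct

TYPE_TXT, CLASS_IN, ALG_RSASHA256 = 16, 1, 8

def wire_name(name):
    """Domain name in canonical wire form: every label lowercased."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def txt_rdata(text):
    """TXT RDATA: length-prefixed character-strings, bytes kept as published."""
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def signed_digest(owner, texts, ttl=3600, signer="acme.com."):
    """SHA-256 over RRSIG RDATA (without signature) + canonical RRset."""
    labels = len(owner.rstrip(".").split("."))
    # Constructed RRSIG fields: expiration, inception and key tag are sample values.
    rrsig = struct.pack("!HBBIIIH", TYPE_TXT, ALG_RSASHA256, labels, ttl,
                        1487000000, 1485000000, 12345) + wire_name(signer)
    head = wire_name(owner) + struct.pack("!HHI", TYPE_TXT, CLASS_IN, ttl)
    rrset = b"".join(head + struct.pack("!H", len(r)) + r
                     for r in sorted(txt_rdata(t) for t in texts))
    return hashlib.sha256(rrsig + rrset).hexdigest()

# Constructed sample record, not the real contents of the domain in the thread.
AT_SIGNING = signed_digest("mail.acme.com.", ["v=spf1 mx -all"])

def still_validates(owner, texts):
    """True if the data a resolver receives hashes to what the signer hashed."""
    return signed_digest(owner, texts) == AT_SIGNING

if __name__ == "__main__":
    print(still_validates("MAIL.Acme.COM.", ["v=spf1 mx -all"]))   # owner case only
    print(still_validates("mail.acme.com.", ["v=spf1 MX -all"]))   # TXT case edited
```

A zone operator who edits the TXT text by hand has to re-run the signer so that the published RRSIG covers the new bytes; until then validating resolvers answer SERVFAIL for that name.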

