DKIM: CNAME records not advertising

0

Hello,

I am having an issue with the DKIM CNAME records not advertising through Route53; our other CNAME records work fine.

selector1._domainkey.vetmedux.com will not resolve, but when I run the test it shows it works from within Route53.

Is there something I am missing? Should be rather simple to get it going.


  • Can you share screen shot of cname record?

  • Yes, just did.

  • Thanks. Answered below.

Jtech
asked 9 months ago, 346 views
2 Answers
0

Is this in a private or public zone? If you are running Split Horizon, make sure it's in the public zone, as internally you could resolve it from your VPC if it was created in a private zone.

EXPERT
answered 9 months ago
  • Public zone with simple routing

  • Now I am stumped

0

TL;DR answer: I think you had it right to begin with.

selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com is a TXT record, and as such doesn't have an IP address to resolve to, so you can't nslookup it in the normal way. You can get its value by running nslookup -q=txt:

$ nslookup selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com
Server:  dns.google
Address:  8.8.8.8

Name:    selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com


$ nslookup -q=txt selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com   text =

        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA08RF3VL/RhdOWjNFU0/A+aKMUX0N5fMkE8ZXFFOgIRuYTZ4qGOXOlz7YmNNyVGOEoDYqJeqzQtJ8FHM3J9eYRApS4In0IduS38L/8pCKcfmDwXgMXzfR0k+cIguSWYA+ChCUOJMPHmRUmolaME8aAvVObYlWPDGHpcdfjAqsyPCY5sGrkYn8st5dhYP2I+IVn"
        "WRcr9V4XEFN751dGh9l7QmRcLyoMB2NGfehBV2OdaXxI28epzQOZWDyg3xxJ9QCXSYtrRN3N0y8vfDtut/NCjZA15JqlL+DFcL3zZQR3JecBjb7P2pyTvoEya2i0b7QKG3WWcHXrWTALkSc8T+SqQIDAQAB;"

$

It is completely legal to have a CNAME whose value is the record name of a TXT record, but you're just going to see the same behaviour.

In a domain that I own I've set up a simple TXT record called txtrecord, and then a CNAME pointing to it called cname2txt:

$ nslookup txtrecord.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Name:    txtrecord.[mydomain].net


$ nslookup cname2txt.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Non-authoritative answer:
Name:    cname2txt.[mydomain].net


$ nslookup -q=txt txtrecord.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
txtrecord.[mydomain].net     text =

        "thisisatextrecord"

$ nslookup -q=txt cname2txt.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
cname2txt.[mydomain].net     canonical name = txtrecord.[mydomain].net
txtrecord.[mydomain].net     text =

        "thisisatextrecord"

$

And just for completeness, I've set up a record in my domain that mimics what you're trying to do, and it works as described above:

$ nslookup selector1._domainkey.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Non-authoritative answer:
Name:    selector1._domainkey.[mydomain].net


$ nslookup -q=txt selector1._domainkey.[mydomain].net
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
selector1._domainkey.[mydomain].net  canonical name = selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com
selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com   text =

        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA08RF3VL/RhdOWjNFU0/A+aKMUX0N5fMkE8ZXFFOgIRuYTZ4qGOXOlz7YmNNyVGOEoDYqJeqzQtJ8FHM3J9eYRApS4In0IduS38L/8pCKcfmDwXgMXzfR0k+cIguSWYA+ChCUOJMPHmRUmolaME8aAvVObYlWPDGHpcdfjAqsyPCY5sGrkYn8st5dhYP2I+IVn"
        "WRcr9V4XEFN751dGh9l7QmRcLyoMB2NGfehBV2OdaXxI28epzQOZWDyg3xxJ9QCXSYtrRN3N0y8vfDtut/NCjZA15JqlL+DFcL3zZQR3JecBjb7P2pyTvoEya2i0b7QKG3WWcHXrWTALkSc8T+SqQIDAQAB;"

I should also include that, rather than all this fiddling about with nslookup flags, if you dig the record you can see the correct value is set from the start:

$ dig selector1._domainkey.[mydomain].net

; <<>> DiG 9.16.40-RH <<>> selector1._domainkey.[mydomain].net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27574
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;selector1._domainkey.[mydomain].net.        IN      A

;; ANSWER SECTION:
selector1._domainkey.[mydomain].net. 300 IN  CNAME   selector1-vetmedux-com._domainkey.educationalconcepts.onmicrosoft.com.

;; AUTHORITY SECTION:
onmicrosoft.com.        28      IN      SOA     ns1-208.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300

;; Query time: 187 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Jul 22 15:11:32 AEST 2023
;; MSG SIZE  rcvd: 226

$

If you don't have the dig command available to you then I can recommend the Google Toolbox interface at https://toolbox.googleapps.com/apps/dig/

EXPERT
Steve_M
answered 9 months ago
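The nslookup output above shows why a DKIM record looks odd at first glance: the key is longer than 255 bytes, so the TXT rdata arrives as two quoted strings that the client has to join before parsing. The example below is added here and is not code from the answer or from Route53; it takes the two strings exactly as printed above, joins them, parses the DKIM tag=value list, and reads the RSA modulus size out of the base64 p= value so you can confirm the published key is 2048-bit rather than a weak or revoked one.

```python
import base64

# Constructed from the two quoted strings in the nslookup output above.
# DNS TXT rdata is a sequence of <=255-byte strings; they must be concatenated.
DKIM_TXT_STRINGS = [
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA08RF3VL/RhdOWjNFU0/A+aKMUX0N5fMkE8ZXFFOgIRuYTZ4qGOXOlz7YmNNyVGOEoDYqJeqzQtJ8FHM3J9eYRApS4In0IduS38L/8pCKcfmDwXgMXzfR0k+cIguSWYA+ChCUOJMPHmRUmolaME8aAvVObYlWPDGHpcdfjAqsyPCY5sGrkYn8st5dhYP2I+IVn",
    "WRcr9V4XEFN751dGh9l7QmRcLyoMB2NGfehBV2OdaXxI28epzQOZWDyg3xxJ9QCXSYtrRN3N0y8vfDtut/NCjZA15JqlL+DFcL3zZQR3JecBjb7P2pyTvoEya2i0b7QKG3WWcHXrWTALkSc8T+SqQIDAQAB;",
]

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_dkim_record(strings):
    """Join the TXT strings and split the DKIM tag=value list (RFC 6376 s3.6.1)."""
    tags = {}
    for field in "".join(strings).split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # whitespace inside values is ignored
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM key record")
    if tags["p"] == "":
        raise ValueError("key has been revoked (empty p= tag)")
    return tags


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p_value):
    """Modulus size of the SubjectPublicKeyInfo carried in the p= tag."""
    spki = base64.b64decode(p_value)
    _, body, _ = _tlv(spki, 0)          # SEQUENCE SubjectPublicKeyInfo
    _, alg, pos = _tlv(body, 0)         # SEQUENCE AlgorithmIdentifier
    if _tlv(alg, 0)[1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = _tlv(body, pos)        # BIT STRING; first byte = unused-bit count
    _, rsa_pub, _ = _tlv(bits[1:], 0)   # SEQUENCE RSAPublicKey
    _, modulus, _ = _tlv(rsa_pub, 0)    # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


if __name__ == "__main__":
    rec = parse_dkim_record(DKIM_TXT_STRINGS)
    print(rec["k"], rsa_key_bits(rec["p"]), "bits")
```

The same parser applies to whatever a CNAME-chased `dig TXT` query returns; feed it the strings from the answer section rather than the CNAME target name.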
