OpenDKIM key retrieval failed - query timed out #1515

Closed
aminvakil opened this issue May 18, 2020 · 2 comments

@aminvakil

Context

I've seen this in the logs:
key retrieval failed (s=20161025, d=gmail.com): '20161025._domainkey.gmail.com' query timed out
I searched the issues and found #1204, which has been fixed by #1205. I checked the nameserver in /etc/resolv.conf, which is 127.0.0.11 and fine, then installed dnsutils in the container and executed this command:

docker-compose exec mail dig txt 20161025._domainkey.gmail.com

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> txt 20161025._domainkey.gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22668
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;20161025._domainkey.gmail.com.	IN	TXT

;; ANSWER SECTION:
20161025._domainkey.gmail.com. 289 IN	TXT	"k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqR" "tqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLWyNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxEyblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpbq4LxUW9IxAEwYzGcSgZ4n5Q8X8TndowsDUzoccPFGhdwIDAQAB"

;; Query time: 4003 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Mon May 18 08:45:35 UTC 2020
;; MSG SIZE  rcvd: 473

This shows me that DNS is OK and Google is OK too :)

Why can't OpenDKIM retrieve the key yet?

What is affected by this bug?

Checking DKIM on incoming mail.

When does this occur?

Sometimes. I have both of these in my logs, showing that it sometimes fails:
Fail:

mail          | May 18 07:16:46 mail opendkim[214]: 509E1380DC00: mail-pj1-f46.google.com [209.85.216.46] not internal
mail          | May 18 07:16:46 mail opendkim[214]: 509E1380DC00: not authenticated
mail          | May 18 07:16:51 mail opendkim[214]: 509E1380DC00: key retrieval failed (s=20161025, d=gmail.com): '20161025._domainkey.gmail.com' query timed out

Success:

mail          | May 18 08:36:51 mail opendkim[214]: 53C3A380DC00: [172.21.0.1] [172.21.0.1] not internal
mail          | May 18 08:36:51 mail opendkim[214]: 53C3A380DC00: not authenticated
mail          | May 18 08:36:55 mail opendkim[214]: 53C3A380DC00: DKIM verification successful
mail          | May 18 08:36:55 mail opendkim[214]: 53C3A380DC00: s=20161025 d=gmail.com SSL 

Also:

Fail:

mail          | May 18 08:47:14 mail opendkim[214]: AF47A380DC05: o2.email.medium.com [167.89.47.62] not internal
mail          | May 18 08:47:14 mail opendkim[214]: AF47A380DC05: not authenticated
mail          | May 18 08:47:19 mail opendkim[214]: AF47A380DC05: key retrieval failed (s=m1, d=medium.com): 'm1._domainkey.medium.com' query timed out

Success:

mail          | May 18 08:40:37 mail opendkim[214]: 55CDD380DC00: o10.email.medium.com [149.72.133.59] not internal
mail          | May 18 08:40:37 mail opendkim[214]: 55CDD380DC00: not authenticated
mail          | May 18 08:40:41 mail opendkim[214]: 55CDD380DC00: DKIM verification successful
mail          | May 18 08:40:41 mail opendkim[214]: 55CDD380DC00: s=m1 d=medium.com SSL 

Your Environment

  • Amount of RAM available: 2GB
  • Mailserver version used: v7.0.0 until this commit f19fb9a
  • Docker version used: Docker version 19.03.8, build afacb8b
  • Environment settings relevant to the config: Please tell me if there is something specific required to check this issue

It's a VM installed on a Proxmox hypervisor in Hetzner datacenters, and I'm using Hetzner's DNS servers, which have not had any issues in the long time I've been using them. I've also checked https://www.hetzner-status.de/en.html and there isn't any problem related to these DNS servers.

@youtous

youtous commented May 18, 2020

Hi,
Could you try with other DNS servers (1.1.1.1 / 1.0.0.1, see https://docs.docker.com/compose/compose-file/#/dns) and see if the error persists?

As additional information (not related to DKIM): it's advised to use a local DNS resolver such as unbound for caching DNS queries, so as not to be limited by some rate limit (zenhaust, etc.), which could happen when you use shared DNS.

@aminvakil

@youtous Thanks!

That was the issue. After changing my DNS servers to 1.1.1.1 / 1.0.0.1 in docker-compose, I tried emailing from Gmail 5 times, and each time DKIM was valid.

As I haven't seen any other problem with the Hetzner DNS servers, I will change the docker-compose DNS only. Thanks again.
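
An added example, not part of the original thread or the project's code: a Python script that groups opendkim log lines by queue ID and reports, per selector and domain, how many seconds passed between the first log line for a message and its verification result. The function name, the regexes and the `year` default are assumptions; the sample lines are copied from the excerpts quoted in this issue, with the compose prefix shortened.

```python
import re
from datetime import datetime

# Sample input: lines copied from the log excerpts in this issue (prefix shortened).
SAMPLE_LOG = """\
mail | May 18 07:16:46 mail opendkim[214]: 509E1380DC00: not authenticated
mail | May 18 07:16:51 mail opendkim[214]: 509E1380DC00: key retrieval failed (s=20161025, d=gmail.com): '20161025._domainkey.gmail.com' query timed out
mail | May 18 08:36:51 mail opendkim[214]: 53C3A380DC00: not authenticated
mail | May 18 08:36:55 mail opendkim[214]: 53C3A380DC00: DKIM verification successful
mail | May 18 08:36:55 mail opendkim[214]: 53C3A380DC00: s=20161025 d=gmail.com SSL
mail | May 18 08:47:14 mail opendkim[214]: AF47A380DC05: not authenticated
mail | May 18 08:47:19 mail opendkim[214]: AF47A380DC05: key retrieval failed (s=m1, d=medium.com): 'm1._domainkey.medium.com' query timed out
mail | May 18 08:40:37 mail opendkim[214]: 55CDD380DC00: not authenticated
mail | May 18 08:40:41 mail opendkim[214]: 55CDD380DC00: DKIM verification successful
mail | May 18 08:40:41 mail opendkim[214]: 55CDD380DC00: s=m1 d=medium.com SSL
"""

LINE = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ opendkim\[\d+\]: ([0-9A-F]+): (.*)")
KEY = re.compile(r"s=([^ ,)]+),? d=([^ ,)]+)")

def summarize(log_text, year=2020):
    """Map (selector, domain) -> {"ok": [seconds...], "timeout": [seconds...]}."""
    first_seen, last_seen, key_of, outcome = {}, {}, {}, {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        stamp, qid, msg = m.groups()
        # Syslog timestamps carry no year; the caller supplies one (assumed 2020).
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        first_seen.setdefault(qid, ts)
        last_seen[qid] = ts
        k = KEY.search(msg)
        if k:
            key_of[qid] = k.groups()
        if "query timed out" in msg:
            outcome[qid] = "timeout"
        elif "DKIM verification successful" in msg:
            outcome[qid] = "ok"
    stats = {}
    for qid, result in outcome.items():
        entry = stats.setdefault(key_of.get(qid, ("?", "?")), {"ok": [], "timeout": []})
        elapsed = int((last_seen[qid] - first_seen[qid]).total_seconds())
        entry[result].append(elapsed)
    return stats

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOG).items():
        print(key, entry)
```

On the lines from this issue, successful verifications were logged 4 seconds after the first entry for the message and timeouts after 5 seconds, which matches the 4003 msec query time in the `dig` output.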
