Windows DNS - TC bit wrongly set

jAmac 0 Points de réputation
2024-09-09T14:13:59.0666667+00:00

Hi all,

We have specific cases where DKIM validation is failing on our AntiSpam.

Here's the use case troubleshooted by making network traces :

  1. Same email is sent via different IP addresses to multiple recipients, as a result, the same DNS query for DKIM is made for each recipient in a very short timeframe in a row (<1ms sometimes).
  2. Windows DNS server relays a single DNS request to public DNS, and gets a complete answer.
  3. In that context, if the DNS response size is greater than 512 bytes (UDP truncation triggered, most of the time because data returned is a CNAME + the related TXT), the generated DNS responses are as follows (e.g. with 3 recipients) :

#1 Windows DNS Response to AntiSpam (only CNAME, TC bit 0) => DKIM failure for the AntiSpam

#2 Windows DNS Response to AntiSpam (only CNAME, TC bit 0) => DKIM failure for the AntiSpam

#3 Windows DNS Response to AntiSpam (only CNAME, TC bit 1)

#3 AntiSpam re-query to Windows DNS via TCP

#3 Windows DNS Response to AntiSpam (CNAME+TXT)

So the only valid DNS response is always the last one (Truncated with TC bit 1).

Note, that this issue does not occur when DNS entries (CNAME + TXT) are already in Windows DNS server cache.

Is there any protective mechanism that could cause such a behaviour ?

Note: ResponseRateLimiting mode is set to disable

Thanks for your help

Windows Server
Windows Server
Famille de systèmes d’exploitation de serveur Microsoft qui prennent en charge la gestion, le stockage des données, les applications et les communications au niveau de l’entreprise.
68 questions
0 commentaires Aucun commentaire
{count} votes

Votre réponse

Les réponses peuvent être marquées comme Réponses acceptées par l’auteur de la question, ce qui permet aux utilisateurs de connaître la réponse qui a résolu le problème de l’auteur.