Windows DNS - TC bit wrongly set
Hi all,
We have specific cases where DKIM validation is failing on our AntiSpam.
Here's the use case, troubleshot by taking network traces:
- Same email is sent via different IP addresses to multiple recipients, as a result, the same DNS query for DKIM is made for each recipient in a very short timeframe in a row (<1ms sometimes).
- Windows DNS server relays a single DNS request to public DNS, and gets a complete answer.
- In that context, if the DNS response size is greater than 512 bytes (UDP truncation triggered, most of the time because data returned is a CNAME + the related TXT), the generated DNS responses are as follows (e.g. with 3 recipients):
#1 Windows DNS Response to AntiSpam (only CNAME, TC bit 0) => DKIM failure for the AntiSpam
#2 Windows DNS Response to AntiSpam (only CNAME, TC bit 0) => DKIM failure for the AntiSpam
#3 Windows DNS Response to AntiSpam (only CNAME, TC bit 1)
#3 AntiSpam re-query to Windows DNS via TCP
#3 Windows DNS Response to AntiSpam (CNAME+TXT)
So the only valid DNS response is always the last one (truncated with TC bit 1).
Note that this issue does not occur when DNS entries (CNAME + TXT) are already in Windows DNS server cache.
Is there any protective mechanism that could cause such a behaviour?
Note: ResponseRateLimiting mode is set to disable
Thanks for your help
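To make the three response shapes in the post checkable from a trace, here is an added example (not part of the original post or of any Microsoft tooling) that parses a DNS response in wire format, reads the TC flag, follows the CNAME chain from the queried selector name and classifies the answer as complete, truncated with TC set (the resolver will retry over TCP), or incomplete with TC clear (the anomalous case described above, where the antispam engine has no reason to retry). The selector name, CNAME target and TXT content are constructed placeholders, and the packets are built by the block itself rather than taken from a real capture.

```python
"""Classify DNS responses for a DKIM selector lookup (added example, constructed data)."""
import struct

TYPE_CNAME, TYPE_TXT, CLASS_IN = 5, 16, 1
FLAG_TC = 0x0200  # Truncation bit in the DNS header flags word


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset `off`, following compression pointers. Returns (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def txt_rdata(*strings):
    """Build TXT RDATA: a sequence of length-prefixed character strings."""
    return b"".join(bytes([len(s)]) + s.encode() for s in strings)


def build_response(qname, records, tc=False):
    """Build a minimal DNS response for a TXT query; `records` is a list of (owner, type, rdata)."""
    flags = 0x8180 | (FLAG_TC if tc else 0)  # QR=1, RD=1, RA=1, NOERROR
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    body = b""
    for owner, rtype, rdata in records:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return hdr + question + body


def parse_answers(msg):
    """Return (tc_flag, [(owner, 'CNAME'|'TXT'|other, value), ...]) from a response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            target, _ = decode_name(msg, off)  # decode against msg so pointers resolve
            answers.append((owner.lower(), "CNAME", target.lower()))
        elif rtype == TYPE_TXT:
            rdata, pos, parts = msg[off:off + rdlen], 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode())
                pos += 1 + n
            answers.append((owner.lower(), "TXT", "".join(parts)))
        else:
            answers.append((owner.lower(), rtype, None))
        off += rdlen
    return bool(flags & FLAG_TC), answers


def classify(msg, qname):
    """Follow the CNAME chain from qname; report whether a TXT terminates it."""
    tc, answers = parse_answers(msg)
    owner, seen = qname.lower(), set()
    while owner not in seen:
        if any(o == owner and t == "TXT" for o, t, _ in answers):
            return "complete"
        seen.add(owner)
        nxt = next((v for o, t, v in answers if o == owner and t == "CNAME"), None)
        if nxt is None:
            break
        owner = nxt
    # No TXT reached: a set TC bit tells the client to retry over TCP; a clear one does not.
    return "truncated_tc_set" if tc else "incomplete_tc_clear"


# Constructed packets mirroring the three shapes in the thread (placeholder names).
SELECTOR = "selector1._domainkey.example.com."
TARGET = "selector1.dkim-host.example."
CNAME_REC = (SELECTOR, TYPE_CNAME, encode_name(TARGET))
TXT_REC = (TARGET, TYPE_TXT, txt_rdata("v=DKIM1; k=rsa; ", "p=PLACEHOLDER_KEY"))
RESP_CNAME_ONLY = build_response(SELECTOR, [CNAME_REC])            # like responses #1 and #2
RESP_CNAME_ONLY_TC = build_response(SELECTOR, [CNAME_REC], tc=True)  # like the first #3
RESP_FULL = build_response(SELECTOR, [CNAME_REC, TXT_REC])          # like the TCP answer

if __name__ == "__main__":
    for label, pkt in [("#1", RESP_CNAME_ONLY), ("#3 udp", RESP_CNAME_ONLY_TC), ("#3 tcp", RESP_FULL)]:
        print(label, len(pkt), "bytes ->", classify(pkt, SELECTOR))
```

Run against packets exported from a capture (e.g. the UDP payload of each response), the "incomplete_tc_clear" verdict isolates exactly the responses that leave the antispam engine with a CNAME and no TXT while giving it no signal to fall back to TCP.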