Setting Up And Running Your Own Dmarc using Bind DNS

daniel jay foran jay.foran at mail.netassoc.net
Mon Jun 27 18:16:26 UTC 2022


 I can't be the only one that has racked his brains and written 
hundreds of lines of code trying to get ISC BIND 9 to authenticate 
DMARC records correctly.
A specific guide with code examples would be wonderful if anything 
like that exists. I have SPF and DKIM working correctly but can't seem 
to nail down DMARC; I'm thinking it must be a syntax issue I'm up 
against.
Below is one of my records that is, as far as I can tell, running 
cleanly and loading the zone with no errors.


; File: db.netassoc.net.txt
; Purpose: This file establishes the name-address information
; for this zone.  You will have to fill out the actual
; information for your specific zone in the format shown
; in the comments.2000072500125
;
; Comments are marked with a semicolon, unlike the named.conf file
;
$TTL 900 ;                TTL 15 min
netassoc.net.             IN SOA proliant.netassoc.net. hostmaster.netassoc.net. (
                          2022061614 ; serial number (yyyymmddxx) change this with every change
                          1800       ; refresh every 30 minutes
                          3600       ; retry after 1 hour
                          1209600    ; expire after 14 days
                          600 )      ; Negative Time to live: 10 min
;
               IN NS proliant.netassoc.net.
   IN NS ns2.netassoc.net.
;
mail.netassoc.net.        IN MX 10 mail.netassoc.net.
netassoc.net.             IN MX 5 mail.netassoc.net.
netassoc.net.             IN A 12.171.228.25
_dmarc.netassoc.net.      IN CNAME netassoc.net.
netassoc.net.             IN TXT "google-site-verification=2Y92xUbr2yUnTuhTQPyXHZw53JpnvWmdbQ9H04DIdvY"
www.netassoc.net.         IN A 12.171.228.25
mail.netassoc.net.        IN A 12.171.228.28
www.mail.netassoc.net.    IN A 12.171.228.28
localhost      IN A 127.0.0.1
proliant.netassoc.net.   IN A 12.171.228.20
ns2.netassoc.net.   IN A 12.171.228.21
@ IN TXT "v=spf1 ip4:12.171.228.28 a mx -all"
; DKIM public key record
default._domainkey.netassoc.net. IN TXT "v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPhIUVyn2UZZ0nvFho1B9JKZ01a2dO375rIM1H5WUrp+1IFfvWXKv+eqWDS7sCPxtUbuZV66w7/zQ8WQfutPLVUKAV1vYUEnWJESI1rUolnVvJ/kR5RS9g7jTzpN18eMcg0TGMjrY9qhfXfIE8oBG+wSv2IsipfshgQotZwi8ojwIDAQAB"
default._domainkey.mail.netassoc.net. IN TXT "v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPhIUVyn2UZZ0nvFho1B9JKZ01a2dO375rIM1H5WUrp+1IFfvWXKv+eqWDS7sCPxtUbuZV66w7/zQ8WQfutPLVUKAV1vYUEnWJESI1rUolnVvJ/kR5RS9g7jTzpN18eMcg0TGMjrY9qhfXfIE8oBG+wSv2IsipfshgQotZwi8ojwIDAQAB"
@ IN TXT v=DMARC1; p=reject; rua=mailto:dmarc_report at mail.netassoc.net; ruf=mailto:demarc_forensic at mail.netassoc.net; fo=1;
;



Daniel Jay Foran
Network Administrator
Network Associates &
Telepage Communication Systems of
Twinn Comm Inc. & Infinity Technology Group
Store 304-485-6823
CELL 304-916-6520
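
Added example, not part of the original post and not ISC code: a small offline lint for the two zone-file rules that matter when publishing DMARC (receivers look for the policy as a TXT record at _dmarc.<domain>, and in a master file a ';' outside double quotes starts a comment). The zone snippets use example.com and are constructed; the parser assumes one-line "owner IN TYPE rdata" records.

```python
import shlex

def strip_comment(line):
    """In a master file, ';' outside double quotes starts a comment."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ';' and not quoted:
            return line[:i]
    return line

def records(zone_text, origin):
    """Yield (owner, type, rdata) for one-line 'owner IN TYPE rdata' records."""
    for raw in zone_text.splitlines():
        tok = shlex.split(strip_comment(raw))
        if len(tok) >= 4 and tok[1].upper() == "IN":
            owner = origin if tok[0] == "@" else tok[0]
            yield owner.lower(), tok[2].upper(), tok[3:]

def dmarc_findings(zone_text, origin):
    want, found, out = "_dmarc." + origin, False, []
    for owner, rtype, rdata in records(zone_text, origin):
        text = "".join(rdata)  # TXT character-strings are concatenated
        if owner == want and rtype == "CNAME":
            out.append("_dmarc is a CNAME: receivers see the target's TXT set")
        if rtype != "TXT" or not text.startswith("v=DMARC1"):
            continue
        if owner == want:
            found = True
        else:
            out.append("DMARC TXT published at %s, not %s" % (owner, want))
        tags = dict(t.strip().split("=", 1) for t in text.split(";") if "=" in t)
        if "p" not in tags:
            out.append("no p= tag survives parsing (unquoted ';' cut the record)")
    if not found:
        out.append("no TXT record at " + want)
    return out

# Constructed samples (example.com, documentation addresses), not the poster's zone.
BROKEN = """\
_dmarc.example.com. IN CNAME example.com.
@ IN TXT "v=spf1 ip4:192.0.2.28 a mx -all"
@ IN TXT v=DMARC1; p=reject; rua=mailto:dmarc_report@mail.example.com; fo=1;
"""
FIXED = """\
@ IN TXT "v=spf1 ip4:192.0.2.28 a mx -all"
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc_report@mail.example.com; fo=1"
"""

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, dmarc_findings(zone, "example.com."))
```

named-checkzone accepts both samples, because the unquoted form is still a syntactically valid TXT record; it just holds only "v=DMARC1".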



On Monday 06/27/2022 at 8:05 am, bind-users-request at lists.isc.org 
wrote:
> Today's Topics:
>
>      1. Re: 9.18 behavior change for mDNS queries with dig (Evan Hunt)
>      2. Re: 9.18 behavior change for mDNS queries with dig (Petr Špaček)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 27 Jun 2022 06:26:37 +0000
> From: Evan Hunt <each at isc.org>
> To: Larry Stone <lstone19 at stonejongleux.com>
> Cc: bind-users <bind-users at lists.isc.org>
> Subject: Re: 9.18 behavior change for mDNS queries with dig
> Message-ID: <YrlNnXrkgooK05nH at isc.org>
> Content-Type: text/plain; charset=utf-8
>
> On Sun, Jun 26, 2022 at 10:00:08PM -0500, Larry Stone wrote:
>>
>> I recently moved from 9.16 to 9.18 and just noticed that dig no longer
>> resolves mDNS queries.
>>
>> With 9.16:
>> dig +short @224.0.0.251 -p 5353 hostname.local
>> 192.168.0.82
>>
>> With 9.18:
>> dig +short @224.0.0.251 -p 5353 hostname.local
>> ;; connection timed out; no servers could be reached
>>
>> I can't find anything in the Release Notes (or anyplace else) about 
>> this.
>
> "dig" was rewritten in 9.18 to use the libuv-based network manager
> instead of the old socket code; it's probably related to that.  Please
> open a bug report at 
> https://gitlab.isc.org/isc-projects/bind9/-/issues,
> we'll look into it.
>
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 27 Jun 2022 08:48:57 +0200
> From: Petr Špaček <pspacek at isc.org>
> To: bind-users at lists.isc.org, Larry Stone <lstone19 at stonejongleux.com>
> Subject: Re: 9.18 behavior change for mDNS queries with dig
> Message-ID: <ebad4d19-23dd-5a2e-b2da-7d0fa6a753f7 at isc.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 27. 06. 22 8:26, Evan Hunt wrote:
>>
>> On Sun, Jun 26, 2022 at 10:00:08PM -0500, Larry Stone wrote:
>>>
>>> I recently moved from 9.16 to 9.18 and just noticed that dig no longer
>>> resolves mDNS queries.
>>>
>>> With 9.16:
>>> dig +short @224.0.0.251 -p 5353 hostname.local
>>> 192.168.0.82
>>>
>>> With 9.18:
>>> dig +short @224.0.0.251 -p 5353 hostname.local
>>> ;; connection timed out; no servers could be reached
>>>
>>> I can't find anything in the Release Notes (or anyplace else) about 
>>> this.
>>
>> "dig" was rewritten in 9.18 to use the libuv-based network manager
>> instead of the old socket code; it's probably related to that.  Please
>> open a bug report at 
>> https://gitlab.isc.org/isc-projects/bind9/-/issues,
>> we'll look into it.
>
> Please don't forget to attach PCAP file produced by tcpdump or similar
> tool so we can see if anything happens on the wire or not.
>
> --
> Petr Špaček
>
>
