SOLVED: Amavis and dkim signature on incoming mails: header.s ignored

amavis, dkim, domain-name-system, opendkim, zimbra

I am a little bit confused about how Amavis processes incoming mails. The Postfix service on my Zimbra server is configured to sign outgoing mails, and it works like a charm.

The problem is that mails sent to internal users (and only them; there is no issue with external accounts, for example @gmail.com or @yahoo.com) are flagged as spam because the DKIM signature cannot be verified. More specifically, it seems Amavis does not consider the header.s value in the DKIM signature.

Example to Gmail:

DKIM-Filter: OpenDKIM Filter v2.10.3 mail.ex-nihilo-paris.com 636C223C01CC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ex-nihilo-paris.com; s=8C71BBE2-C332-11E9-A36C-DE544AB689B7; t=1580832669; bh=+8TrrJmLcnxZUkZjdCmVbHB/ELJheHXsjUMg3GrWHqc=; h=Date:From:To:Message-ID:MIME-Version; b=h7/jOP1CAaWZnmmW6RKB6T8CHGUzJHUOSjUquv4jIFnb38SRlduYNXlp98ATeuYnV
     6Xtb09vzosri6rDyuB85hc4TJJMP93P2ZXtbALWXaR+x9G6ycua52kv4mKs0/GHfzb
     7wjycWfjpi0kHB/8uMMX4SQioH7utZiNB9sezwyGLloSyC/kxvvXZTeuJlGZ0VHmzk
     PRVT6p8aaNQ0rU4ZbmnQ2du5PPUjLEtVUhg7PYPbNbMVKChUwtPDH3vgMS3viMaSX8
     9/5/SLXNie2yZWhtpCFsgOfRkcX+IhjqQBUmu+LqA6sPRMp9FaI7+PrHgiZLspLtRS
     LRn6b35fwL96A==

and the result:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@ex-nihilo-paris.com header.s=8C71BBE2-C332-11E9-A36C-DE544AB689B7 header.b=HkbYPmX3;
       spf=pass (google.com: domain of maxime.marais@ex-nihilo-paris.com designates 51.255.78.216 as permitted sender) smtp.mailfrom=maxime.marais@ex-nihilo-paris.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ex-nihilo-paris.com

Example to our own domain (ex-nihilo-paris.com):

DKIM-Filter: OpenDKIM Filter v2.10.3 mail.ex-nihilo-paris.com 60A8B23C01CC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ex-nihilo-paris.com;
    s=8C71BBE2-C332-11E9-A36C-DE544AB689B7; t=1580832824;
    bh=mRe5m4ERroqig5SN9KgSkkokS8uGjSACBaxYiIwgUbI=;
    h=Date:From:To:Message-ID:MIME-Version;
    b=c3/mSOn+gwlSHYBoiUkujtj2MaE6EOOJ1ZMPt8oQ8HidainYgRKK6VJ+O8n/HS0iV
     8HMAYsgQSpSEDdPJyAPqJsAM9WDrXdWjm2/4BjgQBFt7iRVX8q4e7vkPMkdbHwCnKg
     KRlmOJrLFpNMcpGcm8yvAyR9jLW4HWcAqGJc+3D7bOrTAKhtTw8Eufvk6JxX7eAuKq
     Im++CKj5f+hvBHea64nNQWgebfPWhGseFn/cqCtR+Qhroq7n9xUWByjMf0507pUeDE
     MMwRrVgpiDyeixmbiy5GQgsrDxsJyQtoLniCRLuIYiih6gmCuJTsx/7t8n8ZdSfAVv
     B+UDRgdYHpqbQ==

and the result:

Authentication-Results: mail.ex-nihilo-paris.com (amavisd-new); dkim=neutral
    reason="invalid (public key: DNS error: no nameservers)"
    header.d=ex-nihilo-paris.com

It looks like the server may not be able to resolve the domain to fetch the DKIM key.

Obviously, the DKIM entry exists in our DNS (Google resolves it, for instance).

It's set as follows:

8C71BBE2-C332-11E9-A36C-DE544AB689B7._domainkey.ex-nihilo-paris.com.

v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwInGpqmCeO/FWpRsbF8gmSTTj62G98wtjzbWP5UGo6aL4d9184+Orauio8cdhuY0aBJXDzvifHCWm/0xlmxXHjjBZBWgvphiZZMLUONdXkwT+hsZjM2Lj3gtClN4bKiUG2FmT7j8O5A21BJU5m0eIymRYV6yEnmLag3YEeOGP6tr24kCbnUqDvtEmGczgZwFnJbYUfPKPLp6WTlImey/5JPiJj0mwVHBGa0dmCR5Q4mMTmS4Po6f0NlAuppWSWUrgRipEjRgXF3r850i+2U/yB1lPkSWrLIHoYW9jyr+ErtiCBIGmzjJ93eK4y7SBpd4npcjq0wYlmxe+GokCU0FEQIDAQAB

Any idea why Amavis could not resolve the host?

EDIT:

I checked bind activity on the local server by logging queries, and I can see the TXT record for 8C71BBE2-C332-11E9-A36C-DE544AB689B7._domainkey.ex-nihilo-paris.com actually being requested.

Also, $ host -t txt 8C71BBE2-C332-11E9-A36C-DE544AB689B7._domainkey.ex-nihilo-paris.com returns the expected result.

Thus, "DNS error: no nameservers" may be a wrong error message.

Best Answer

I finally solved this issue. The problem was an empty /etc/resolv.conf. Even though the server was able to resolve DNS queries locally, the fact that /etc/resolv.conf had no nameserver configured caused this issue.

After I configured this file with the resolvconf utility and restarted the Zimbra services with zmcontrol, everything works perfectly fine.
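The root cause above is that the verifier inside Amavis (Mail::DKIM on top of Net::DNS) resolves the key name it builds from header.s and header.d through the stub resolver configured in /etc/resolv.conf, not through whatever the local bind instance knows. The following script is an added example, not code from the question or from Amavis: it rebuilds that DNS name from a DKIM-Signature header, reports whether resolv.conf lists any nameserver at all, and sanity-checks the fetched TXT record. The sample signature, the resolv.conf texts and the `host` parsing are constructed assumptions.

```python
import re
import subprocess
import sys
# Constructed sample: the tags from the question's DKIM-Signature that matter for key lookup (bh=/b= shortened).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=ex-nihilo-paris.com; "
                    "s=8C71BBE2-C332-11E9-A36C-DE544AB689B7; h=Date:From:To; bh=xx; b=yy")

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or TXT record) into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_key_name(signature):
    """DNS name a verifier builds from header.s and header.d: <s>._domainkey.<d>."""
    tags = parse_tags(signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def nameservers(resolv_conf_text):
    """Nameserver addresses in resolv.conf text; an empty list is the question's failure: the stub resolver has nowhere to send queries."""
    found = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def check_dkim_record(txt):
    """Sanity-check a DKIM TXT record: v=DKIM1 if present, rsa key type, non-empty p= (empty p= means revoked)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("bad v= tag")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported k= tag")
    if not tags.get("p"):
        problems.append("empty p= tag (revoked key)")
    return problems

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print("resolv.conf nameservers:", nameservers(fh.read()) or "NONE -> verifier cannot fetch keys")
    name = dkim_key_name(sys.argv[1] if len(sys.argv) > 1 else SAMPLE_SIGNATURE)
    # Query through the system stub resolver (no @server argument), which is what the mail stack uses.
    out = subprocess.run(["host", "-t", "txt", name], capture_output=True, text=True).stdout
    record = "".join(re.findall(r'"([^"]*)"', out))
    print(name, "->", (check_dkim_record(record) or "record OK") if record else "no TXT record found")
```

Run it on the mail server itself (optionally passing the value of a DKIM-Signature header as the first argument); an empty nameserver list with a record that `host @localhost` can still fetch is exactly the situation described in the answer.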