SpamAssassin – Resolving DKIM DNS Issues

Tags: cpan, dkim, domain-name-system, postfix, spamassassin

Here is the setup where I encounter my issues:

My computer has the IP 10.6.2.5.
There is a DNS server ns.isp6.lab with the IP 10.6.2.4 (I can reach it).

My computer has Postfix + Dovecot + SpamAssassin installed. I receive emails signed with DKIM from the domain isp6.lab.
They're signed with this domain key: mail._domainkey.isp6.lab

When I do dig mail._domainkey.isp6.lab TXT I get an answer with the public RSA key.

The problem is that SpamAssassin doesn't find it. Here is part of the header of a received email:

X-Spam-HAM-Report: 
* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
*  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

So I activated the debug logs in SpamAssassin and here is what I found:

cat spamd.log | grep dkim

Tue Oct  7 16:38:50 2014 [21673] dbg: dkim: performing public key lookup and signature verification
Tue Oct  7 16:39:00 2014 [21673] dbg: dkim: DKIM, i=@isp6.lab, d=isp6.lab, s=mail, a=rsa-sha256, c=relaxed/simple, invalid, matches author domain
Tue Oct  7 16:39:00 2014 [21673] dbg: dkim: signature verification result: INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR MAIL._DOMAINKEY.ISP6.LAB)

I checked my /etc/resolv.conf:
domain isp6.lab
search isp6.lab
nameserver 10.6.2.4

I have now been searching for hours on this issue (it doesn't seem well documented). I checked that I had all the required CPAN modules, etc.; I really have no idea what else I could do.

Thanks in advance for your help.

Edit: Maybe something can be done in the Net::DNS module? I don't really understand how all these modules are used, configured, and interact with each other.

Best Answer

Maybe you hit a bug related to Net::DNS and SpamAssassin. It is explained in this blog and this SA mailing list. The excerpt from the blog:

Net::DNS version 0.76 changed the field name holding a set of nameservers in a Net::DNS::Resolver object: it used to be 'nameservers', but is now split into two fields: 'nameserver4' and 'nameserver6'.

Mail/SpamAssassin/DnsResolver.pm relied on the internal field name of a Net::DNS::Resolver object to obtain a default list of recursive name servers, so the change in Net::DNS broke that.

Solution:

Check your repo to see if they have fixed the issue in a newer release. If not, you can apply the patch manually from here.
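As an added diagnostic for the symptom in the question (PUBLIC KEY: DNS QUERY TIMEOUT) and the explanation in the answer, this Perl script is example code written for this page; it is not from either poster and not part of SpamAssassin or Net::DNS. It prints the installed Net::DNS version, shows which internal field of a Net::DNS::Resolver object carries the nameserver list on this installation, and then fetches and parses the selector record through the public resolver API. The selector, domain and nameserver values are the ones from the question; the internal field names come from the answer's excerpt, and the inference that an unpatched DnsResolver.pm ends up with an empty server list is an assumption drawn from that excerpt.

```perl
#!/usr/bin/perl
# Diagnostic for the DKIM "PUBLIC KEY: DNS QUERY TIMEOUT" symptom above.
# Added example: not code from the question, the answer, or SpamAssassin.
# Assumptions: selector, domain and nameserver are the values named in the
# question; adjust them for your own site.
use strict;
use warnings;
use Net::DNS;

my $selector   = 'mail';
my $domain     = 'isp6.lab';
my $nameserver = '10.6.2.4';
my $dkim_name  = "$selector._domainkey.$domain";

print "Net::DNS version: $Net::DNS::VERSION\n";

# Step 1: which internal field holds the nameserver list?
# Per the answer, SpamAssassin's DnsResolver.pm read the resolver object's
# 'nameservers' field directly; Net::DNS 0.76 split it into 'nameserver4'
# and 'nameserver6'. Reading $res->{...} here deliberately pokes at private
# data, purely to show which layout this installation has.
my $res = Net::DNS::Resolver->new(nameservers => [$nameserver]);
for my $field (qw(nameservers nameserver4 nameserver6)) {
    my $val   = $res->{$field};
    my $shown = ref($val) eq 'ARRAY' ? join(',', @$val)
              : defined($val)        ? $val
              :                        '<absent>';
    printf "  internal field %-11s = %s\n", $field, $shown;
}
print "  nameservers() via public API = ", join(',', $res->nameservers), "\n";
print "If 'nameservers' is absent while 'nameserver4' is set, an unpatched\n",
      "DnsResolver.pm sees no servers at all, which matches the timeout.\n";

# Step 2: fetch the selector record through the public API (what a patched
# SpamAssassin relies on) and parse the DKIM key tags (RFC 6376).
$res->udp_timeout(5);
my $pkt = $res->query($dkim_name, 'TXT');
if (!$pkt) {
    print "TXT lookup of $dkim_name failed: ", $res->errorstring, "\n";
    exit 1;
}

my $found = 0;
for my $rr ($pkt->answer) {
    next unless $rr->type eq 'TXT';
    $found = 1;
    # A long key is often split across several character-strings; RFC 6376
    # says to concatenate them without separators before parsing.
    my $record = join('', $rr->txtdata);
    my %tag;
    for my $pair (split /;/, $record) {
        $tag{$1} = $2 if $pair =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
    }
    my $p = defined $tag{p} ? $tag{p} : '';
    printf "%s: v=%s k=%s p=%d base64 chars%s\n",
        $dkim_name,
        $tag{v} // '(unset, defaults to DKIM1)',
        $tag{k} // '(unset, defaults to rsa)',
        length $p,
        $p eq '' ? '  <-- empty p= means the key is revoked' : '';
}
print "no TXT record in the answer for $dkim_name\n" unless $found;
```

Run it as the same user spamd runs under so that /etc/resolv.conf and any resolver settings are read the same way. If step 2 returns the key while SpamAssassin still logs a timeout for the same name, the resolver library itself is fine and the mismatch between the internal field layout and DnsResolver.pm (step 1) is the thing to fix, either by upgrading SpamAssassin or by applying the patch the answer refers to.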
