DKIM Signature Inactive after updating Easy Apache 4 components

[jdpuglisi]

Everytime my Easy Apache 4 updates (manually or automatically), the DKIM signature goes inactive until I go into the default user cPanel and click on Email Deliverability. The link loads and I get a dialog box stating the DKIM signature was inactive and the system has reactivated it. Wasn't a big deal when I was manually updating EA4 but I've got it set to do point upgrades to php, WHM and cPanel so there no tickle to check the to see if the DKIM signature is active. Would be nice if there was a command line that hits the same script that runs the Email Deliverability link in cPanel so it could be configured automatically.

Set up:
Centos 7.7 WHM/cPanel 86.0.18 DNS server is at Cloudflare. Domain registrar is register.com. Host is inmotionhosting.com (vps).

 

[cPanelLauren]

That's not normal behavior, in fact that's not something I've heard of before. Is anything noted in the cPanel error logs when this happens? You can find them at /usr/local/cpanel/logs/error_log

 

[jdpuglisi]

Hi! Looking through the logs, when my php version upgraded from 7.4.2 to 7.4.5 last night, there was a timeout doing the DNS query for the DKIM entry at Cloudflare. the warning was [refresh-dkim-validity-cache] running /usr/local/cpanel/Cpanel/DNS.Unbound.pm line 442. Looks like that was where the DKIM signature went invalid. This past morning when I went into cPanel and hit Email Deliverability, there was a log entry "Unable to read /etc/exim.conf.localopts". The page loaded normally and when I clicked "manage" all entries were properly configured.

About half the time I go into Email Deliverability, the PTR query times out. I'm not sure how quick the script times out but it happens quite a bit.

I'm not a pro at reading these logs but the timestamps do correspond to the individual events pretty well. If I had to guess, when your DNS zone isn't hosted locally, queries fired in the upgrade process may timeout.

 

[cPanelLauren]

That still really shouldn't be the case as far as I know. I believe this warrants some further/more in-depth investigation.

Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[jdpuglisi]

Shouldn't I work through my hosting provider?

 

[cPanelLauren]

Generally speaking the recommended action if you purchased your license through a reseller is to go through your hosting provider first. Because I don't have a way to know this and as such can tell you only to open a support ticket. But yes you should go through them first.

 

[jdpuglisi]

OK. Thanks. I did look through the cPanel error logs and what looked the the error thrown during my point upgrade from 7.4.2 to 7.4.5 as follows:

[2020-04-23 22:06:09 -0400] warn [refresh-dkim-validity-cache] DNS query failure (default._domainkey.MYDOMAIN.com/TXT): Timeout! at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 442.
Cpanel::DNS::Unbound::_warn_query_failure(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, __CPANEL_HIDDEN__) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 841
Cpanel::DNS::Unbound::_recursive_queries_with_warn(Cpanel::DNS::Unbound=HASH(0x23bd9f8), ARRAY(0x28f4350)) called at /usr/local/cpanel/Cpanel/DNS/Unbound.pm line 332
Cpanel::DNS::Unbound::get_records_by_domains(Cpanel::DNS::Unbound=HASH(0x23bd9f8), "TXT", "default._domainkey.MYDOMAIN.com") called at /usr/local/cpanel/Cpanel/DnsUtils/MailRecords.pm line 445
Cpanel::DnsUtils::MailRecords::_get_txt_records_by_domains("default._domainkey.MYDOMAIN.com") called at /usr/local/cpanel/Cpanel/DnsUtils/MailRecords.pm line 175
Cpanel::DnsUtils::MailRecords::validate_dkim_records_for_domains(ARRAY(0x22f9a98)) called at /usr/local/cpanel/scripts/refresh-dkim-validity-cache line 220
scripts::refresh_dkim_validity_cache::_domain_has_valid_dkim("MYDOMAIN.com") called at /usr/local/cpanel/scripts/refresh-dkim-validity-cache line 150
scripts::refresh_dkim_validity_cache::__ANON__() called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x21dc0d8), Try::Tiny::Catch=REF(0x20bad90)) called at /usr/local/cpanel/scripts/refresh-dkim-validity-cache line 172
scripts::refresh_dkim_validity_cache::run(scripts::refresh_dkim_validity_cache=HASH(0x208bee8)) called at /usr/local/cpanel/scripts/refresh-dkim-validity-cache line 70

 

[cPanelLauren]

This indicates that there was an issue with the DNS lookup performed for the DKIM but not necessarily why. I would still advise opening a ticket with your hosting provider and if they're unable to provide assistance one with us.

 

[jdpuglisi]

This indicates that there was an issue with the DNS lookup performed for the DKIM but not necessarily why. I would still advise opening a ticket with your hosting provider and if they're unable to provide assistance one with us.

Done. Defect appeared again last night during the update cron. I'll keep this updated.

 

[jdpuglisi]

Hi! Looking through the logs, when my php version upgraded from 7.4.2 to 7.4.5 last night, there was a timeout doing the DNS query for the DKIM entry at Cloudflare. the warning was [refresh-dkim-validity-cache] running /usr/local/cpanel/Cpanel/DNS.Unbound.pm line 442. Looks like that was where the DKIM signature went invalid. This past morning when I went into cPanel and hit Email Deliverability, there was a log entry "Unable to read /etc/exim.conf.localopts". The page loaded normally and when I clicked "manage" all entries were properly configured.

About half the time I go into Email Deliverability, the PTR query times out. I'm not sure how quick the script times out but it happens quite a bit.

I'm not a pro at reading these logs but the timestamps do correspond to the individual events pretty well. If I had to guess, when your DNS zone isn't hosted locally, queries fired in the upgrade process may timeout.

As an interim step and without hosting support, I decided to check on the permissions of /etc/exim.conf.localopts. For whatever reason, the permissions were 0600 so there was no way apache could read the file so I changed the permissions to 0644. Server isn't throwing that warning every night anymore so fingers crossed that will solve the DKIM signature going inactive after updates.

 

[jdpuglisi]

That didn't solve it. DKIM signature went inactive with the May 6 cPanel update.

 

[cPanelLauren]

If your provider does not provide support I would still strongly urge you to open a ticket with our support to have this looked at.

 

[jdpuglisi]

If your provider does not provide support I would still strongly urge you to open a ticket with our support to have this looked at.

Will do! I'll give it a couple of days.

 

[jdpuglisi]

No resolution from the host. Opened cPanel support ticket.

Your Support Ticket ID is: 93489694

 

[jdpuglisi]

Got some serious troubleshooting brain power going on the cPanel service desk. Looks like they've got the issue isolated.

IPv6 networking issues on my server

 

[jdpuglisi]

The technical support and customer service experience at cPanel was exceptional. I've enjoyed pretty solid support at my host (inmotionhosting) but it seems like they were a bit out of their depth on this issue. The problem was one of the more difficult to trace because it truly was transient in nature. Instead of the "well....everything seems to be working just fine" response I was getting from the provider, the cPanel crew dove in and isolated the issue to IPv6 networking issues on the DNS lookup.

 

[jdpuglisi]

I've disabled IPv6 on the server. The host apparently blocks port 53 which may have contributed to the problem but wasn't the most likely root of the problem. A future patch from cPanel will likely better address DNS lookups when IPv6 networking issues are present. Case CPANEL-30878. Link above.

 

[cPanelLauren]

Awesome! I just checked in on this as well and see what was done. Thanks for following up here and linking the support article! I'm really glad our analysts were able to help you.

 

[jdpuglisi]

I've disabled IPv6 on the server. The host apparently blocks port 53 which may have contributed to the problem but wasn't the most likely root of the problem. A future patch from cPanel will likely better address DNS lookups when IPv6 networking issues are present. Case CPANEL-30878. Link above.

Actually port 53 isn't blocked. The cPanel email deliverability page is much more responsive with IPv6 disabled.

 

[cPanelLauren]

Actually port 53 isn't blocked. The cPanel email deliverability page is much more responsive with IPv6 disabled.

Yea based on your response they thought it might have contributed but the end result of opening the case was due to the way the DNS lookup was occurring over IPv6