process-mail.py failed to resolve dns. Raised NXDOMAIN

Interesting bug: basically the mail is claiming to be signed by a
domain that does not exist, or at least transiently couldn't be found.

We already catch some of these errors but apparently not this one.

We ought to just catch the error, log it, and treat it as untrusted.

  tags easy

Martin

... despite this being kind of an input error, this really is critical
because this mail will have been falsely rejected.

I'll try to fix it but anyone else is welcome to steal it.

  assigned mbp

I don't understand how that exception is not being caught, because that file has

    try:
        # NB: if this fails with a keyword argument error, you need the
        # python-dkim 0.3-3.2 that adds it
        dkim_result = dkim.verify(
            signed_message.parsed_string, dkim_log, details=signing_details)
    except dkim.DKIMException, e:
        log.warning('DKIM error: %r' % (e,))
        dkim_result = False
    except dns.exception.DNSException, e:
        # many of them have lame messages, thus %r
        log.warning('DNS exception: %r' % (e,))
        dkim_result = False
    else:
        log.info('DKIM verification result=%s' % (dkim_result,))

Perhaps the version of python-dnspython live on Launchpad has an NXDOMAIN that is not a subclass of DNSException? But it is a subclass on both oneiric and my lucid lp chroot.

hloeung confirmed this machine is running

  1.7.1-1ubuntu0.1 0
        500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages

lucid has essentially the same code so I'm puzzled how this can happen. Perhaps some kind of object aliasing causing there to be two NXDOMAIN classes.

I suggest reproducing - throw a test message with a domain of e.g. doesnotexist.example.com

good idea.

I tried locally running the attached mail message through process-one-mail; it emits

2011-10-25 05:05:44 WARNING DNS exception: NXDOMAIN()

but not an oops. Could it be that the oops is just a side effect of the warning being logged? It doesn't look a lot like it.

I can't reproduce an uncaught exception causing an oops, even when I do feed it data causing an NXDOMAIN within dkim verification.

lp:~mbp/launchpad/878140-dkim-nxdomain will at least turn down the message to just 'info'.

In future, when testing locally, be sure your rabbit setup is fine,
and then you can use the oops-tools amqp2disk script to detect oopses
being logged easily. (LP needs changes not in trunk yet, so this
really is 'in future' :P).

Fixed in stable r14191 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/14191>.

qa-untestable: I ran it here and observed the info message, and I don't think it's likely it will be different on qas, which doesn't have super realistic email anyhow.