Skip DNAME RRs in DNS answers #156

Open
ajobs wants to merge 1 commit into trusteddomainproject:master from RUBNOC:fixDNAME

@ajobs commented Sep 27, 2022

DKIM verification fails if the answer packet contains DNAME RRs.
Example:

;; ANSWER SECTION:
rub.de.                                  1103 IN DNAME ruhr-uni-bochum.de.
rub.de.                                  1103 IN RRSIG DNAME 13 2 3600 ... 
mail-2017._domainkey.rub.de.                0 IN CNAME mail-2017._domainkey.ruhr-uni-bochum.de.
mail-2017._domainkey.ruhr-uni-bochum.de. 3068 IN TXT "v=DKIM1; h=sha256; p=MIGfMA..."
mail-2017._domainkey.ruhr-uni-bochum.de. 3068 IN RRSIG TXT 13 4 3600 ...

This currently causes some trouble at the support team because they have to explain to our clients and the receiving side that there is no problem with the DMARC/DKIM/SPF setup but with the verification process.

@HendrikF

We ran into the same problem. OpenDKIM cannot retrieve keys involving DNAME records.

A setup that fails verification looks as follows: (dig output)

s1._domainkey.a.example.com.  CNAME s1.domainkey.a.b.example.com.
_domainkey.a.example.com.     DNAME domainkey.a.b.example.com.
s1.domainkey.a.b.example.com. TXT   "v=DKIM1;[...]"

OpenDKIM just fails to retrieve the key with "reply was unexpected type 39" when it encounters a DNAME.

https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim-keys.c#L332

The whole logic around this function should be rewritten to ignore all unknown and irrelevant record types.
This way the logic should be more robust against new record types in the future.
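
One way to apply the "ignore irrelevant record types" approach suggested above, as an added example that is not part of this pull request or of OpenDKIM's code: a bounds-checked walk over a DNS answer section that returns the first TXT string and skips DNAME (type 39), CNAME, RRSIG and every other type. The function names, the short owner names and the reply bytes are constructed for illustration; the sketch assumes the resolver has already followed the alias chain and it handles a single TXT character-string only.

```c
#include <string.h>

#define T_TXT 16  /* the only RR type a DKIM key lookup needs */

/* Constructed reply (not captured traffic): DNAME a.->b., CNAME s1.a.->s1.b., TXT at s1.b. */
static const unsigned char reply[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,3, 0,0, 0,0,               /* header: QD=1, AN=3 */
    2,'s','1', 1,'a', 0, 0,16, 0,1,                         /* question: s1.a. TXT IN */
    0xc0,15, 0,39, 0,1, 0,0,0,60, 0,3,  1,'b',0,            /* DNAME (type 39) */
    0xc0,12, 0,5,  0,1, 0,0,0,60, 0,5,  2,'s','1',0xc0,34,  /* CNAME */
    0xc0,49, 0,16, 0,1, 0,0,0,60, 0,16, 15,                 /* TXT, one 15-byte string */
    'v','=','D','K','I','M','1',';',' ','p','=','A','A','A','A'
};

/* Return the offset just past the name at off, or 0 if it is malformed. */
static size_t skip_name(const unsigned char *m, size_t len, size_t off)
{
    while (off < len) {
        unsigned char l = m[off];
        if (l == 0) return off + 1;                                  /* root label */
        if ((l & 0xc0) == 0xc0) return off + 2 <= len ? off + 2 : 0; /* pointer */
        if (l & 0xc0) return 0;                                      /* reserved */
        off += 1 + (size_t)l;
    }
    return 0;
}

/* First TXT string of the answer section -> out; returns its length, or -1 if none/malformed. */
int first_txt(const unsigned char *m, size_t len, char *out, size_t outlen)
{
    if (len < 12) return -1;
    unsigned qd = m[4] << 8 | m[5], an = m[6] << 8 | m[7];
    size_t off = 12;
    while (qd--)                                       /* skip the question section */
        if (!(off = skip_name(m, len, off)) || (off += 4) > len) return -1;
    while (an--) {
        if (!(off = skip_name(m, len, off)) || off + 10 > len) return -1;
        unsigned type = m[off] << 8 | m[off + 1];
        size_t rdlen = (size_t)(m[off + 8] << 8 | m[off + 9]);
        if ((off += 10) + rdlen > len) return -1;
        if (type == T_TXT && rdlen > 0) {
            size_t n = m[off];
            if (n + 1 > rdlen || n + 1 > outlen) return -1;
            memcpy(out, m + off + 1, n); out[n] = '\0';
            return (int)n;
        }
        off += rdlen;              /* DNAME, CNAME, RRSIG, unknown types: ignore */
    }
    return -1;
}
int main(void) { char b[64]; return first_txt(reply, sizeof reply, b, sizeof b) == 15 ? 0 : 1; }
```

Because the loop advances by the RDLENGTH of every record it does not need, a new RR type in the answer section cannot abort the key lookup; only a missing TXT record or a length that runs past the buffer does.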

futatuki added a commit to futatuki/OpenDKIM that referenced this pull request Feb 25, 2024
futatuki added a commit to futatuki/OpenDKIM that referenced this pull request Apr 26, 2024
futatuki added a commit to futatuki/OpenDKIM that referenced this pull request Apr 26, 2024