Adding DS records makes MIAB inaccessible

The system status check page says this if I click Show details under the warning:

This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. See below for instructions.

Follow the instructions provided by your domain name registrar to set a DS record. Registrars support different sorts of DS records. Use the first option that works

I use Dynadot as my registrar (but I’m using Fastmail nameservers as they have an easier control panel).

In Dynadot adding DNSSEC only asks for these options:
Key Tag, Digest Type, Digest, Algorithm.
There’s no place to add a public key.

I added the above from Option 1, and the site immediately went down / was inaccessible. Restarting MIAB or rebooting the server didn’t help. Then I removed the DNSSEC records and MIAB was accessible.

Where did I go wrong? Do I need to keep trying the other options until one of them works?

Or do I need to do something else before adding the DNSSEC records?

Usually that is indeed the only thing needed. However, all involved servers need to implement DNSSEC, so perhaps Fastmail has issues with DNSSEC. I don’t know them so I can’t tell.
To analyse DNSSEC issues, try https://dnsviz.net/ or https://dnssec-debugger.verisignlabs.com/; these might help you debug the issue.

1 Like

Thank you.

Yup, Fastmail doesn’t support DNSSEC, as per their help pages.

So I registered the ns1.box.domain.com and ns2.box.domain.com name servers, and configured at Dynadot to use these.

Finally, only one tiny SSH password-based login error and one warning about the version check being disabled.

Yaaay, it’s working!

Thank you, man

Just to follow up on this thread … @casper @KiekerJan

If DNS is being hosted elsewhere, then you would NOT add MiaB’s DNSSEC records to your registrar. Doing so was what went wrong.

In doing so you created a single point of failure for your MiaB. I highly recommend that you add a Secondary DNS provider to mitigate this risk.

2 Likes

@alento Thank you for the easy guide. I added a secondary NS (Puck).

The MIAB status check shows puck resolves well but gives a warning saying DNSSEC is not configured. It was fine before I added the secondary DNS.

Do I need to do any changes at Dynadot to the DNSSEC records I added there?

I do not think that it should be an issue, and am not sure why you have one. Personally, I never use DNSSEC because it causes more issues than it solves.

In your case, I would disable it at the registrar and leave it disabled for at least 24 hours. Then enable it again.

Edited: I should read better. :sleepy:

1 Like

At the time the OP was not hosting his DNS with MiaB but rather was hosting it externally … at least that is how the comments read to me.

1 Like

@alento Sorry my bad.

I overlooked in Dynadot control panel that it said the same thing which the MIAB status page says: “DS Records not set.”

I guess the DS records got removed when I had to delete ns2.box.domain.com and add puck’s NS in its place.

Have re-added the records and now the status page is fine.

1 Like

Hmm … Fastmail says the same thing on their help pages; that’s why they don’t support DNSSEC/DANE.

So do you advise that I remove it too?

It is entirely personal preference. Honestly, MiaB does it extremely well, so you should have no issues with it. The key is to remember to always disable it before changing your DNS provider.

1 Like
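The reason the site "went down" in the first post, and the reason the advice above is to remove the DS before changing DNS providers, is the same: a validating resolver treats a zone as bogus and returns SERVFAIL when the parent (the registrar) publishes a DS record that no DNSKEY served by the zone's actual nameservers reproduces. Below is an added example, not code from the thread or from Mail-in-a-Box, that checks this offline: it implements the RFC 4034 key tag and DS digest computation with the standard library only and reports whether a set of DS records is matched by the DNSKEYs a zone serves. The zone name box.example.com and the 4-byte "public key" are constructed placeholders, not a real key; the function names are mine.

```python
"""Offline DS <-> DNSKEY consistency check (RFC 4034 key tag and DS digest).

A validating resolver treats a zone as bogus, and returns SERVFAIL, when the
parent publishes a DS record that no DNSKEY served by the zone's nameservers
reproduces. Publishing Mail-in-a-Box's DS at the registrar while the zone is
actually served by nameservers that serve no such DNSKEY creates exactly this
state. Standard library only; all records below are constructed examples.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # must be 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags, protocol, algorithm, raw public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte if i & 1 else byte << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def parse_dnskey(presentation: str) -> DNSKEY:
    """Parse 'flags protocol algorithm base64key', the form `dig DNSKEY` prints."""
    flags, proto, alg, *b64 = presentation.split()
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(presentation: str) -> DS:
    """Parse 'keytag algorithm digesttype hexdigest', the fields a registrar asks for."""
    tag, alg, dtype, *hexdigest = presentation.split()
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexdigest)))


def owner_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of the owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(name: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 section 5.1.4: digest = H(owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](owner_wire(name) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def unmatched_ds(name: str, ds_records: list[DS], served_keys: list[DNSKEY]) -> list[DS]:
    """DS records (with a supported digest type) that no served DNSKEY reproduces."""
    usable = [ds for ds in ds_records if ds.digest_type in DIGEST_ALGS]
    reproducible = {
        ds_from_dnskey(name, key, ds.digest_type)
        for key in served_keys if key.protocol == 3
        for ds in usable
    }
    return [ds for ds in usable if ds not in reproducible]


def chain_status(name: str, ds_records: list[DS], served_keys: list[DNSKEY]) -> str:
    """'insecure': no usable DS, the zone resolves as unsigned.
    'secure': at least one DS matches a served DNSKEY.
    'bogus': DS published but none matched; validating resolvers SERVFAIL,
    which shows up as the whole domain being unreachable."""
    usable = [ds for ds in ds_records if ds.digest_type in DIGEST_ALGS]
    if not usable:
        return "insecure"
    return "bogus" if len(unmatched_ds(name, usable, served_keys)) == len(usable) else "secure"


if __name__ == "__main__":
    zone = "box.example.com."                       # constructed name
    ksk = DNSKEY(257, 3, 13, b"\x00\x01\x02\x03")   # constructed, not a real key
    ds = ds_from_dnskey(zone, ksk)
    print("key tag", ds.key_tag, "digest", ds.digest.hex())
    print("MiaB nameservers serve the key  :", chain_status(zone, [ds], [ksk]))
    print("other provider serves no DNSKEY :", chain_status(zone, [ds], []))
    print("DS removed at the registrar     :", chain_status(zone, [], []))
```

In practice, feed `parse_ds` the DS lines the registrar shows (or `dig DS yourzone`) and `parse_dnskey` the output of `dig DNSKEY yourzone @<one of the nameservers the registrar actually delegates to>`, then look at `unmatched_ds`: any entry it returns is a DS the live nameservers cannot back, and it should be removed at the registrar before the delegation changes, not after.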

Got it. Thank you and especially @JoshData , and the community here for the help … such a crisp and almost OOTB working mail server up in just a few minutes.