This does look like it’s absolutely a DNSSec issue. The RRSIG key expired.
Thankfully, the command-line fix was easy.
Just run “tools/dns_update”
and that should refresh the key and get you back in business.
Good on Google for enforcing DNSsec expired keys; that’s why it wasn’t resolving.
Now, the question is WHY the periodic refresh isn’t happening, but that’s a problem for another day …
Yep, same thing. RRSIG keys have expired.
For newbies like me, could you explain that a little more…
Thanks
Sure thing - just SSH into your system as the root user… then all you need to do is run the following commands:
/root/mailinabox/tools/dns_update
exit
and that should do it! dns_update is a script that’s part of mailinabox. It should run periodically but I don’t know why it didn’t/hasn’t… and I haven’t taken the time to figure out why yet.
Executed script and rebooted. Still getting same ctrl-panel status warnings. And RRSIG keys are still being reported as expired.
RRSIG XXXXmail.net/A alg 7, id 46943: The Signature Expiration field of the RRSIG RR (2016-10-09 00:00:00+00:00) is 9 days in the past.
net to XXXXmail.net: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (XXX.XX.XXX.179, UDP_0_EDNS0_32768_4096)
I deleted the DNSSEC entry from my registrar, now the MiaB Ctrl-panel is all green check marks again…
Then I ran the dns_update script again… This time I got a response “updated DNS: OpenDKIM configuration” prior I just got a line feed.
Should I risk implementing DNSSEC again?