Broken Trust DNS Error

Hi guys.

I need some help with one of my domains. I have 3 domains currently setup on my MIAB server, and they all work fine.
However, a 4th domain, which I recently moved from GoDaddy to another registrar, stopped working.

I’ve tried everything that I could, and the issue is just like this one.

The DNS server for all the domains is the actual Mail-in-a-Box server.


What I’ve tried so far:

  • /etc/init.d/bind9 status returns broken trust chain resolving domain.tld
  • Removed the domain.tld.txt.signed, ran ~/mailinabox/tools/dns_update && systemctl restart bind9 and rebooted the server.
  • Modified the DNS provider to point to a different DNS (the provider itself) and then put it back to the MIAB DNS server
  • DNSSEC is not enabled at my DNS provider. However, running the command dig +sigchase +trusted-key=./root.keys domain.tld. A | cat -n for the domain that is having issues returns nothing; the same command with a working domain returns data.

I think this happened because I set up the domain and then, a couple of weeks later, moved it to a new domain registrar so that it could be with the same registrar as the other ones.

Now, I already have emails and mailboxes created under the domain with the issue, so I'm afraid of deleting the domain from the MIAB server and losing everything.

Any suggestions will be much appreciated, please.
Thanks!
Lucas

What happens if you run dig ds example.com?

It returns:

;; ANSWER SECTION:
example.com.		21600	IN	DS	2371 13 2 CE808314EA5C687702A3A157F5C0001EE0CCDC6C5555D9B584ABE70B FE4946F2

If your current registrar does not indicate that DNSSEC is enabled with that record, you need to contact their support and tell them to remove it. Usually the key still works when this happens.

Hmm will do.

If I want to activate it, which key do I need to give them? Thanks!

Usually you manage DNSSEC from the registrar dashboard. However, when domains are transferred to another registrar the old DS records can be sort of stuck in the registry but not show up in the registrar dashboard.

You should be able to enable DNSSEC in the same way you have your other domains enabled, and the MiaB dashboard should be recommending using the 13 2 record (which happens to be what is in the registry, but that might be expired because keys are automatically renewed, we just don’t usually see it).

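The two replies above describe the check to make: compare the DS record the registry publishes (what `dig DS example.com` returns) against the DNSKEY the authoritative server is really serving (what `dig DNSKEY example.com @your-box` returns). A DS whose key tag matches no served DNSKEY is exactly the stale record left behind by a transfer, and every validating resolver will then report a broken trust chain. The script below is an added example, not from the thread or from Mail-in-a-Box: it parses both record types in dig's presentation format, recomputes the DS digest per RFC 4034 (hash over the canonical owner name plus the DNSKEY RDATA) and the key tag, and labels each DS as ok, stale or mismatch. The DNSKEY material in it is constructed (a fake 64-byte algorithm 13 key), not a real key; the stale DS is the one quoted earlier in the thread.

```python
"""Compare the DS records in the parent zone with the DNSKEYs a server serves.

Added example for this thread; not Mail-in-a-Box code. Inputs are RR lines in
presentation format, i.e. the ANSWER SECTION lines printed by
`dig DS example.com` and `dig DNSKEY example.com @<authoritative-server>`.
"""
import base64
import hashlib
import struct

# RFC 4034: DNSKEY RDATA = flags(2) | protocol(1) | algorithm(1) | public key
# DS digest   = hash(canonical owner name wire form || DNSKEY RDATA)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """One DNSKEY RR in presentation format -> (owner, RDATA bytes)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # dig may split base64 with spaces
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def parse_ds(line):
    """One DS RR in presentation format -> (owner, key tag, algorithm, digest type, hex digest)."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).lower()  # dig splits the hex digest with a space
    return fields[0], tag, alg, dtype, digest


def make_ds(owner, rdata, digest_type=2):
    """Hex DS digest for a DNSKEY, as the registrar is expected to publish it."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def check_chain(ds_lines, dnskey_lines):
    """Map each parent-side DS (key tag, digest) to 'ok', 'stale' or 'mismatch'.

    ok       - a served DNSKEY reproduces this DS exactly
    stale    - no served DNSKEY has this key tag (the leftover-DS-after-transfer
               case from the thread; validators see a broken trust chain)
    mismatch - key tag matches but algorithm/digest does not (wrong key material)
    """
    keys = {}
    for line in dnskey_lines:
        owner, rdata = parse_dnskey(line)
        keys.setdefault(key_tag(rdata), []).append((owner, rdata))
    result = {}
    for line in ds_lines:
        _owner, tag, alg, dtype, digest = parse_ds(line)
        candidates = keys.get(tag, [])
        if not candidates:
            status = "stale"
        elif any(r[3] == alg and make_ds(o, r, dtype) == digest for o, r in candidates):
            status = "ok"
        else:
            status = "mismatch"
        result[(tag, digest)] = status
    return result


# Constructed sample data: a fake algorithm 13 (ECDSA P-256) key, NOT real key material.
FAKE_PUBKEY = bytes(range(64))
SERVED_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(FAKE_PUBKEY).decode()
_, _RDATA = parse_dnskey(SERVED_DNSKEY)
GOOD_DS = f"example.com. 21600 IN DS {key_tag(_RDATA)} 13 2 {make_ds('example.com.', _RDATA)}"
# The DS quoted earlier in the thread: its key tag matches no served key, so it is stale.
STALE_DS = ("example.com. 21600 IN DS 2371 13 2 "
            "CE808314EA5C687702A3A157F5C0001EE0CCDC6C5555D9B584ABE70B FE4946F2")

if __name__ == "__main__":
    for (tag, digest), status in check_chain([GOOD_DS, STALE_DS], [SERVED_DNSKEY]).items():
        print(f"DS keytag={tag} digest={digest[:16]}... -> {status}")
```

Feed it the real lines from the two dig commands and any DS reported as stale is the record to have the registrar remove (or replace with the DS your box's dashboard shows). Note the check is deliberately done against the authoritative server directly (`@your-box`), not through a recursive resolver, because a validating resolver will refuse to hand back the records of a domain whose chain is already broken.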

Thanks for that!

Yeah, I also knew this was from the registrar themselves. However, talking to the registrar, they don't support this kind of feature on their dashboard; instead, I need to manually request it from them by email.

By doing so, they require me to send them the key. I guess the issue here is the support people not knowing what they need to do lol.

Also, I discovered that DNSSEC is disabled for the other domains I have. I'll enable it for them all.

Thanks for your help!

I can confirm that after the registrar removed the DNSSEC record, it's working fine now.

Thanks!
