Can't Set DS Records @ Godaddy

Huge fan of this solution, thanks everyone who contributed to it!

We are trying to get dnssec set up with our domain host godaddy. When I try to enter the records, I get an error. I called them and they said “DNSSEC needs to be active on the DNS server for us to add a DS Record”. But then when I look at the MIAB instructions, it says “The DS Record Activates DNSSEC”.

So it seems like a chicken and egg problem =(

Any advice here? Thanks in advance!

Let me echo this question. I have a similar experience with Dynu.com. More specifically, they told me that I need to use their name servers in order to activate DNSSEC. So it looks like either I use their external DNS with DNSSEC, or I use name servers on my box without it. I’m not trying to hijack the thread, just stressing that there are more of us interested in the answer to the OP’s question :slight_smile:

It looks like godaddy supports this. Question for @etok do you use Godaddy’s DNS servers, or do you use MIAB to host your DNS (the default)?

I can’t find it for dynu, although this page talks about dnssec. It says “Users hosting their domain names with us or using our dynamic DNS service have the option to enable DNSSEC”, so it might be the case you need to host DNS with them, but I’m not sure. Never heard of dynu before today :wink:

DS records are set with your domain registrar, not with your DNS provider. A quick glance at dynu.com shows that they are a DNS provider.

I don’t have any specific answers for this thread, but I wanted to chime in and say that for a general use case setting up DNSSEC probably isn’t worth the effort. It’s something I’m considering removing from Mail-in-a-Box in the future because it just doesn’t seem to have a meaningful security benefit, for general users, and comes with a lot of frustration. The industry is also moving to CA/TLS-based practices like MTA-STS.

Yes, this is precisely how I understand their policy. If I understand correctly, using their name service equals hosting DNS with them.

Can you help me understand: I can purchase and register a web domain with them (this is what I did, see also Register A Domain Name | Domain Registration ). Doesn’t it make them a registrar?

When you visit their webpage, you are greeted with a page that says something completely different.

So yes, digging into their site, they do offer domain registrations. However the responses you have indicated are coming from their support indicate that they are talking about their dynamic DNS service, not their standard DNS service that one needs. To make things even more complicated, they refer to this as dynamic DNS service as well.

It took me all of 5 seconds to find information regarding DNSSEC.

Apparently, you need to be a paid “member” to have DNSSEC service, and you need to request that support sets it up for you.

Haha, I spent the same 5 seconds and understood that much before I posted my question :slight_smile: Moreover, I also contacted their support and have been a paid member of Dynu for many months - all before posting.

Probably the question in my post was phrased clearly enough for which I apologize (I’m not a native English speaker). Let me rephrase it: is this normal also with other registrars that I have to use their name servers (instead of my own, on my MIAB installation) in order to get DNSSEC activated - all assuming I meet other requirements specific to a given registrar?

No, it is not. A domain registrar is supposed to enter your DS key provided by your DNS provider, whoever that may be.

If your domain registrar is telling you that you must use x DNS service, personally, I’d be moving to a different registrar.
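The relationship described in the replies above (the DS record held at the registrar is a hash of a DNSKEY that the zone's name servers must already be serving), as an added example that is not part of the original thread and not Mail-in-a-Box's own code. It derives a DS from a DNSKEY following RFC 4034 and checks it against what the authoritative servers publish; the key bytes and `example.com.` are constructed sample values.

```python
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA built from the fields shown in zone-file (presentation) form."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag checksum as defined in RFC 4034, Appendix B."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_delegation(owner, ds, published_dnskeys):
    """Compare the DS handed to the registrar with the DNSKEYs that the
    zone's authoritative name servers actually serve."""
    tag, alg, dtype, digest = ds
    if not published_dnskeys:
        return "bogus: DS at parent but zone serves no DNSKEY"
    if dtype not in DIGESTS:
        return "unsupported digest type"
    for rdata in published_dnskeys:
        if make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper()):
            return "ok"
    return "bogus: DS does not match any published DNSKEY"

# Constructed sample keys (not real key material): algorithm 13, flags 257 (KSK).
BOX_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
EXTERNAL_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
DS_FROM_BOX = make_ds("example.com.", BOX_KSK)

if __name__ == "__main__":
    print("box is authoritative:   ", check_delegation("example.com.", DS_FROM_BOX, [BOX_KSK]))
    print("external DNS, other key:", check_delegation("example.com.", DS_FROM_BOX, [EXTERNAL_KSK]))
    print("external DNS, unsigned: ", check_delegation("example.com.", DS_FROM_BOX, []))
```

The two failing cases correspond to entering the box's DS at the registrar while the domain's name servers are someone else's: validating resolvers then treat the zone as bogus rather than merely unsigned.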

All clear. Thank you very much for your help and patience.

Amazing help everyone, thank you!

@joshdata
sorry, I don’t want to hijack this thread but would like to give my feedback on your thoughts about removing DNSSEC from MIAB. I mostly understand the pros & cons of DNSSEC in general now (after I have fallen into the hole myself) and why it is difficult to set up and maintain properly.

However, please note that DNSSEC is kind of mandated in the German federal government and its institutions as well as highly regulated industries like banking or the healthcare sector. I understand that this is not exactly the target group you refer to as “general users”. But having DNSSEC available on MIAB might help if you are communicating with those institutions. For example tax attorneys or lawyers talking to those institutions might have it easier if they have DNSSEC properly configured. And those little businesses probably belong to your “general users” category.

May I suggest instead of removing DNSSEC altogether, maybe move it a bit out of the way. Having those DS records messages in the status report as warnings, may trigger people to set up DNSSEC without really understanding what they are doing and without understanding the implications (I am totally talking about me). I understand there is the note about this all being optional, but still it is a “warning” which scares people.
So maybe move the DNSSEC related information to the “Custom DNS” section and only leave a “green” message in the status report that the optional DNSSEC is not yet configured with a link to the DNS section. That way users would still have the option to use the MIAB implementation but don’t feel kind of pressed to do it from the start. Giving the users the sense that it is fine and this is something they don’t have to do to be compliant to something.

My point is that DNSSEC might be troublesome and has flaws, but I do not believe the industry is done with it yet (there are numbers of over 50% adoption rate in Germany alone DNSSEC Validation Capability Metrics) and might be somewhat relevant for a while longer, while MIAB has a nice working solution already built in which would be a pity to throw away too early.

thanks again for this wonderful piece of software

regards
Lars

P.S: did I say 50% validation rate? It seems to be more like over 70% now…

Why do you think that might be so?

That’s a great proposal. At least it will discourage users from setting it up unless they know they want it.

With my first miab instance, I was not using the included DNS but was trying with the DNS of my domain registrar (I know I know…) I also enabled DNSSEC because it was convenient with the provided information from the status report. I read somewhere that for testing it would be smart to reduce the TTL which I ignored (I know I know…). I was running into issues with some of my domains while others worked fine and the DNSSEC validators were only happy with some of my domains. Also it was more complicated as not all my domains are with the same registrar. Some made changes in DNS public right away while the other was taking its time. So I got confused and I lost overview which resulted in me disabling all of DNSSEC for all domains.
The problem was that the mail provider I was using to test all my email sending and receiving with, suddenly refused to deliver any mails to the domains where DNSSEC was enabled at first. Their given reason was that the security of the chain was downgraded which might indicate a MITM attack. In order for them to forget the old DNSSEC information I would have to place custom TXT records in my DNS to prove I was the legitimate owner of those domains.
This got me to think that it might be possible that having DNSSEC enabled in the future might help to improve your legitimacy since the large mail providers seem to discard mails these days based on some intransparent reputational system only they control.
I admit that this might be a bit far fetched since I cannot find any evidence or documentation that having no DNSSEC would reduce your reputation with those email providers.

maybe if one is using external DNS Godaddy have the glue record be green since it’s not needed and have it read the external DNSSEC key

They are green, but a different green :wink: …and they are saying: “If you are using External DNS, this may be OK.”

I am not sure how easy it would be to implement a check to see if DNSSEC is enabled for externally hosted DNS zones, and I am not sure if this would be desirable because if you host your DNS elsewhere, Mail-in-a-Box is no longer responsible for your DNS settings, so I think @lvdd’s suggestion would be a good compromise that should be fairly easy to implement.

And maybe there should be a similar note as with the warning for the glue records, that for externally hosted DNS the messages can be ignored, and DNSSEC must be set up externally as well if you wish to use it.