Configuring DNSSEC DS at GoDaddy

nick · April 25, 2016, 9:51pm

I have registered a couple of domains with Godaddy. example.com works fine when adding DS records, but for example.camera Godaddy does not allow me to choose the correct algorithm (only 8, 13 and 14 available) which the box states I should use, which is 7.

My mailinabox version is 0.17c

Please advise!

JoshData · April 25, 2016, 10:07pm

This line will need to be modified:

github.com

mail-in-a-box/mailinabox/blob/252c35c66e84a2f3ec970500ff7c4a5e8941d5ef/management/dns_update.py#L506


	# Write out new contents and return True to signal that
	# configuration changed.
	with open(nsd_conf_file, "w") as f:
		f.write(nsdconf)
	return True


########################################################################


def dnssec_choose_algo(domain, env):
	if '.' in domain and domain.rsplit('.')[-1] in \
		("email", "guide", "fund", "be"):
		# At GoDaddy, RSASHA256 is the only algorithm supported
		# for .email and .guide.
		# A variety of algorithms are supported for .fund. This
		# is preferred.
		# Gandi tells me that .be does not support RSASHA1-NSEC3-SHA1
		return "RSASHA256"


	# For any domain we were able to sign before, don't change the algorithm
	# on existing users. We'll probably want to migrate to SHA256 later.
	return "RSASHA1-NSEC3-SHA1"

nick · April 25, 2016, 10:12pm

So, if I add "camera" to the list the box will create a digest using the algorithm that is supported by Godaddy?
Am I right?

Thanks a lot!

nick · April 25, 2016, 10:15pm

… Or do I have to run the mailinabox script to make it work?

JoshData · April 25, 2016, 10:33pm

Running mailinabox is the fastest way to make sure it actually does it, yeah. (I think…)

nick · April 25, 2016, 10:34pm

It’s just that I’ve got a rather complicated setup with owncloud and its apps and the nginx configurations and I don’t want mailinabox to overwrite my changes. Is there a way to limit its capabilities, as such?

JoshData · April 25, 2016, 10:46pm

You are on your own then.

nick · April 26, 2016, 2:38pm

Ok, after some time, I got a new droplet running, everything’s clean and I’ve modified the file to include "camera". I ran mailinabox but when heading over to the status panel, the domain example.camera still shows algorithm 7! My other domains that I added, such as example.wtf work absolutely fine with DNSSEC, but not .camera. What am I doing wrong?

JoshData · April 26, 2016, 8:15pm

Try:

sudo tools/dns_update --force

nick · April 26, 2016, 8:38pm

Thank you soo much!!! It updated!

One error left now on my status page - the ssh keys error still says that my box permits password-based login, after I created ssh keys and did a PermitPasswordLogin no in ssh_config and restarted it.

v60fan · April 30, 2016, 6:11pm

You need to search through your entire sshd_config–sometimes settings are in twice and the second one will override. Also, the setting you need to change to no is:
PasswordAuthentication no

You might also consider setting PermitRootLogin to “no” or “without-password”

dnssyste · July 20, 2017, 11:57am

Hi…

I have the same problem with Godaddy, but for example.net.au domains.

Only able to select Algorithm 4 with Godaddy.

I did add the au to the file and it changed from 7 to 8,

Any idea about to makes this work ?

Cheers

nick · July 23, 2017, 9:38am

If you’re still having problems, in the end, I found it’s much easier to manage the DNS using Cloudflare, as it’s faster (the main reason) and less messy. Be aware, though, that the status page will show errors regarding the DNS (that’s ok, because Cloudflare will handle it). And you can enable DNSSEC through it, as well. There are some threads on here regarding the service.

hzink · September 22, 2018, 6:07pm

I am using the .group TLD – I have modified the line as stated.

I have the same issue - at GoDaddy when I select DNSSEC for this domain/TLD, the only Algorithms it offers are 8,13, and 14.

Mailinabox, though, offers 7 as the algorithm. Even after adding “group” to the above, and re-running mailinabox.

Do I have to make a change elsewhere?