DANE / TLSA Bug

Nico · May 7, 2023, 6:58pm

Good day,

I set up Mail-In-A-Box today, but I have a problem with DANE.

The panel shows me under Status Checks that the TLSA record is correct, but when I test it online, e.g. via Internet.nl, I see that the record is incorrect I use my own name server called ns1.box.domain.com

Sometimes Dane is only valid for IPv6 but invalid for IPv4

Best regards
Nico

Nico · May 7, 2023, 7:10pm

Now e.g. DANE is valid for IPv4 but still invalid for IPv6 and that changes again and again

KiekerJan · May 7, 2023, 8:37pm

From the screenshots I derive that you did the website test of internet.nl (About the website test). I notice that if I test domain.com it does not find the DANE TLSA record, but if i use box.domain.com that the record is found correctly. Also, in my experience, the email test of the internet.nl website (About the email test) always found the TLSA record for me. I think that DANE is important for email delivery, so I attach more weight to the email test than to the website test.
Is your DNSSEC setup correctly?

Nico · May 8, 2023, 7:45am

Good day,

Yes DNSSEC is configured correctly

Best regards
Nico

KiekerJan · May 8, 2023, 9:29am

Looking into this a bit more, it looks like Mailinabox publishes a TLSA record on _443._tcp.box.example.com. I think that the internet.nl website test looks at _443._tcp.example.com where it will not find it.
Perhaps mailinabox should also publish a TLSA record at _443._tcp.example.com? And on all other subdomains it serves https on, like www.example.com?

Nico · May 8, 2023, 10:10am

Good day,

You do not understand it.

the point is that the entry is invalid I see the entry on Internet.nl but it is invalid

Best regards
Nico

Nico · May 8, 2023, 12:03pm

Good day,

Have reinstalled the entire server several times and now it seems to be working just need to check if it stays that way

Best regards
Nico

hzink · May 17, 2023, 10:12pm

I appear to have a similar issue, ie DANE TLSA record shows as incorrect to MIAB’s internal tests…

hzink · May 17, 2023, 10:12pm

Short of reinstalling several times, can anyone else chime in if there is some faster way of resolving this (ie not reinstalling the server).

hzink · May 17, 2023, 10:14pm

The error I am seeing is:

The DANE TLSA record for incoming mail (_25._tcp.mail.flightscan.me) is not correct. It is ‘3 1 1 67226ab50c8e44f4f290aae6b58b06cd867f1a9fa2302ce8da7c26dbe6ee1480’ but it should be ‘3 1 1 cf740b0712dd6e2958a1100d496d376b5a2f8ff2f37f21be2c31bf03c163e569’. It may take several hours for public DNS to update after a change.

`