DANE / TLSA Bug

Good day,

I set up Mail-In-A-Box today, but I have a problem with DANE.

The panel shows me under Status Checks that the TLSA record is correct, but when I test it online, e.g. via Internet.nl, I see that the record is incorrect. I use my own name server called ns1.box.domain.com.

Sometimes DANE is only valid for IPv6 but invalid for IPv4.

Best regards
Nico

Now, e.g., DANE is valid for IPv4 but still invalid for IPv6, and that changes again and again.

From the screenshots I derive that you did the website test of internet.nl (About the website test). I notice that if I test domain.com it does not find the DANE TLSA record, but if I use box.domain.com the record is found correctly. Also, in my experience, the email test of the internet.nl website (About the email test) always found the TLSA record for me. I think that DANE is important for email delivery, so I attach more weight to the email test than to the website test.
Is your DNSSEC set up correctly?

Good day,

Yes, DNSSEC is configured correctly.

Best regards
Nico

Looking into this a bit more, it looks like Mailinabox publishes a TLSA record on _443._tcp.box.example.com. I think that the internet.nl website test looks at _443._tcp.example.com where it will not find it.
Perhaps mailinabox should also publish a TLSA record at _443._tcp.example.com? And on all other subdomains it serves https on, like www.example.com?

Good day,

You do not understand it.

The point is that the entry is invalid. I see the entry on Internet.nl, but it is invalid.

Best regards
Nico

Good day,

Have reinstalled the entire server several times and now it seems to be working. Just need to check if it stays that way.

Best regards
Nico

I appear to have a similar issue, i.e. the DANE TLSA record shows as incorrect in MIAB’s internal tests…

Short of reinstalling several times, can anyone else chime in if there is some faster way of resolving this (i.e. not reinstalling the server)?

The error I am seeing is:

The DANE TLSA record for incoming mail (_25._tcp.mail.flightscan.me) is not correct. It is ‘3 1 1 67226ab50c8e44f4f290aae6b58b06cd867f1a9fa2302ce8da7c26dbe6ee1480’ but it should be ‘3 1 1 cf740b0712dd6e2958a1100d496d376b5a2f8ff2f37f21be2c31bf03c163e569’. It may take several hours for public DNS to update after a change.
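As an added example (not from this thread and not Mail-in-a-Box's own code): a small Python check that parses TLSA records in presentation form, derives the `3 1 1` value from a DER-encoded SubjectPublicKeyInfo, and compares what each resolver path returns against the record you expect. The resolver path names and their answers are constructed, using the two hashes quoted in the status-check error above to model the IPv4/IPv6 disagreement reported earlier in the thread.

```python
import hashlib
from typing import Dict, List, Tuple

def tlsa_from_spki(spki_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation form of a TLSA record for a DER SubjectPublicKeyInfo.
    usage 3 = DANE-EE, selector 1 = SPKI, matching type 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](spki_der).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"

def parse_tlsa(rdata: str) -> Tuple[int, int, int, str]:
    """Parse 'usage selector mtype hexdata', validating field ranges and digest length."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = parts[3].lower()
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError(f"field out of range in {rdata!r}")
    want = {0: None, 1: 64, 2: 128}[mtype]  # type 0 carries the full object, any length
    if want and (len(data) != want or set(data) - set("0123456789abcdef")):
        raise ValueError(f"matching type {mtype} needs {want} hex chars: {rdata!r}")
    return usage, selector, mtype, data

def check_consistency(expected: str, answers: Dict[str, List[str]]) -> Dict[str, str]:
    """Verdict per resolver path: 'ok' if the expected record is in its RRset,
    'missing' if it returned no TLSA records, 'mismatch' if only other values came back."""
    exp = parse_tlsa(expected)
    verdicts = {}
    for path, rrset in answers.items():
        got = {parse_tlsa(r) for r in rrset}
        verdicts[path] = "missing" if not got else "ok" if exp in got else "mismatch"
    return verdicts

# Constructed sample: the two hashes quoted in the status-check error above, as if the
# authoritative server answered differently over IPv4 and IPv6 (e.g. a stale zone copy).
EXPECTED = "3 1 1 cf740b0712dd6e2958a1100d496d376b5a2f8ff2f37f21be2c31bf03c163e569"
SAMPLE_ANSWERS = {
    "ns1 over IPv4": ["3 1 1 67226ab50c8e44f4f290aae6b58b06cd867f1a9fa2302ce8da7c26dbe6ee1480"],
    "ns1 over IPv6": [EXPECTED],
}

if __name__ == "__main__":
    for path, verdict in check_consistency(EXPECTED, SAMPLE_ANSWERS).items():
        print(f"{path}: {verdict}")
```

To use it against a live zone, feed `answers` with the TLSA RRsets you fetch from each authoritative server over both IPv4 and IPv6, and `expected` with the value computed from the certificate the mail server actually presents.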
