DANE TLSA record | DNSSEC record Issues

I am having some DNS issues with MAIB.

The DANE TLSA record for incoming mail (_25._tcp.box.aupt-industries.com) is not correct. It is ‘3 1 1 xxxxxxxxddb8849b3c9857737a206de630fba7c6cbafcf556b5250e37ea7a6d’ but it should be ‘3 1 1 f7xxxxxxx1f21fe93f8c9069d83d88bd780c7215a6c8289003f17ce82f586c’. It may take several hours for public DNS to update after a change.

  1. I have tried running: tools/dns_update --force - this did not work
  2. I have migrated to a new box on DO and still have this problem
  3. I have put in the DNSSEC record for aupt-industries.com - then all dns fail and can only access the server via ip. I have verified I am placing the correct DNSSEC record with the domain.

Where is the DANE TLSA record being hosted on the box. Seems that something is awry with the domain name within the dns universe.

Would appreciate any thoughts on this.


Can someone help me understand where the Dane TLSA is set in the file system?

Further looking into this issue more I get the following error in testing
Service hostname must have matching TLSA record
Resolving TLSA records for hostname ‘_25._tcp.box.aupt-industries.com’

this issue persists when I set up a new box on DO.

To further add - when I go to the replace the certificate I get the “something went wrong, sorry.”

I have gone through

and still no where.


  • Does your registrar support DNSSEC?

  • Did you sent the relevant record to your registrar?

  • Is the DNSSEC record set correctly at your registrar? Test at https://dnssec-debugger.verisignlabs.com

  • Do you use another firewall than MiaBs own firewall that sit in between?

I am not sure about the location, maybe /etc/nsd/zones/box.aupt-industries.com.txt
Take a look at the file content there - maybe there is an old TLSA record there and for some reason it does not update.

Maybe save a backup, delete the zone file and then run the dns_update again (tools/dns_update --force).

Thank you so much for the reply.

My domain box.aupt-industries.com has the dnssec record set correctly at gandi.

I get two errors with my dnssec

  1. None of the 2 DNSKEY records could be validated by any of the 1 DS records
  2. The DNSKEY RRset was not signed by any keys in the chain-of-trust

I assume that this has something to do with an incorrect cert set on the box.

However if I go to /etc/nsd/zones there is no entry for box.aupt-industries.com only entries for aupt-industries.com - maybe this is the root of the error?

The mail system works and tls seems to be working marginally on the box. I am running latest version of everything and have used the “mailinabox” rebuild servera times.

I have grep around the box and I find no text set to the first key mentioned below ( ‘3 1 1 de1e2ffe6ddb8849b3c9857737a206de6xxxxx50e37ea7a6d’ ) but only find the correct one (3 1 1 f73b4d5d1f51f21fe93f8c9069d83d88bd78xxxxx6c8289003f17ce82f586c). Could it be possible that DO has some instance related to a decommissioned box floating around? Or could this be set off of the box?
I have migrated this to a fresh box and have some serious dns issues - which make me revert to the current broken box - which most works.

I must be missing something - I have had no problems since 2015 until a couple of weeks ago.

The DANE TLSA record for incoming mail (_25._tcp.box.aupt-industries.com) is not correct. It is ‘3 1 1 de1e2ffe6ddb8849b3c9857737a206de6xxxxx50e37ea7a6d’ but it should be ‘3 1 1 f73b4d5d1f51f21fe93f8c9069d83d88bd78xxxxx6c8289003f17ce82f586c’. It may take several hours for public DNS to update after a change.

I finally fixed the error. I think the root of the problem was related to a couple of factors.

  1. I used to use certs from Gandi and one of them was not revoked on the gandi side
  2. I originally set the box as ip4 and migrated to a new box with ipv6 enabled.
  3. There were a lot .pem files with the same name but different dates in /ssl/ directory
  4. There was a lot of old custom dns from old urls that needed to be removed.


1 Like