The DANE TLSA record for incoming mail (_25._tcp.box.aupt-industries.com) is not correct. It is ‘3 1 1 xxxxxxxxddb8849b3c9857737a206de630fba7c6cbafcf556b5250e37ea7a6d’ but it should be ‘3 1 1 f7xxxxxxx1f21fe93f8c9069d83d88bd780c7215a6c8289003f17ce82f586c’. It may take several hours for public DNS to update after a change.
I have tried running: tools/dns_update --force - this did not work
I have migrated to a new box on DO and still have this problem
I have put in the DNSSEC record for aupt-industries.com - then all DNS fails and I can only access the server via IP. I have verified I am placing the correct DNSSEC record with the domain.
Where is the DANE TLSA record being hosted on the box? Seems that something is awry with the domain name within the DNS universe.
Looking into this issue further, I get the following error in testing:
Service hostname must have matching TLSA record
Resolving TLSA records for hostname ‘_25._tcp.box.aupt-industries.com’
I am not sure about the location, maybe /etc/nsd/zones/box.aupt-industries.com.txt
Take a look at the file content there - maybe there is an old TLSA record there and for some reason it does not update.
Maybe save a backup, delete the zone file and then run the dns_update again (tools/dns_update --force).
The mail system works and TLS seems to be working marginally on the box. I am running the latest version of everything and have used the “mailinabox” rebuild several times.
I have grepped around the box and I find no text set to the first key mentioned below ( ‘3 1 1 de1e2ffe6ddb8849b3c9857737a206de6xxxxx50e37ea7a6d’ ) but only find the correct one (3 1 1 f73b4d5d1f51f21fe93f8c9069d83d88bd78xxxxx6c8289003f17ce82f586c). Could it be possible that DO has some instance related to a decommissioned box floating around? Or could this be set off of the box?
I have migrated this to a fresh box and have some serious DNS issues - which make me revert to the current broken box - which mostly works.
I must be missing something - I have had no problems since 2015 until a couple of weeks ago.
The DANE TLSA record for incoming mail (_25._tcp.box.aupt-industries.com) is not correct. It is ‘3 1 1 de1e2ffe6ddb8849b3c9857737a206de6xxxxx50e37ea7a6d’ but it should be ‘3 1 1 f73b4d5d1f51f21fe93f8c9069d83d88bd78xxxxx6c8289003f17ce82f586c’. It may take several hours for public DNS to update after a change.