DNSSEC and nameserver glue record issues using an external nameserver

Domain registrar: Namecheap
Domain host: Linode vps
Domain nameserver, zone file: Linode
Domain name: abberantic.com

Background: I have had domains at Linode for years to serve some web sites. I am another G-Suite refugee setting up my own email server using MIAB.

So, I’ve set custom nameservers in Namecheap to ns1.linode.com, etc. Linode has all the correct glue records in the zone file there.

With DNSSEC turned ON at Namecheap, I've entered the Key Tag, Algorithm, Digest Type, and Digest Value as specified by MIAB.

However the MIAB status reports a multitude of nameserver glue errors when DNSSEC is turned on:

 abberantic.com
==============
✓  DNSSEC 'DS' record is set correctly at registrar. (Records using algorithm 
   other than ECDSAP256SHA256 and digest types other than SHA-256/384 should be
   removed.)
✖  The nameservers set on this domain are incorrect. They are currently [Not 
   Set]. Use your domain name registrar's control panel to set the nameservers 
   to ns1.mbox.abberantic.com; ns2.mbox.abberantic.com.
✖  This domain's DNS MX record is not set. It should be '10 
   mbox.abberantic.com'. Mail will not be delivered to this box. It may take 
   several hours for public DNS to update after a change. This problem may 
   result from other issues listed here.
✓  Postmaster contact address exists as a mail alias. 
   [postmaster@abberantic.com ↦ administrator@mbox.abberantic.com]
✓  Domain is not blacklisted by dbl.spamhaus.org.
✖  This domain should resolve to your box's IP address (A 50.116.9.34) if you 
   would like the box to serve webmail or a website on this domain. The domain 
   currently resolves to [Not Set] in public DNS. It may take several hours for
   public DNS to update after a change. This problem may result from other 
   issues listed here.

I also get tons of errors from dnsviz.net:

./DNSKEY: No response was received from the server over UDP (tried 4 times). (192.112.36.4, UDP_-EDNS0_512_D_KN)
abberantic.com/A: No RRSIG covering the RRset was returned in the response. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, UDP-EDNS0_4096_D_KN)
abberantic.com/AAAA: No RRSIG covering the RRset was returned in the response. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, UDP-EDNS0_4096_D_KN)
abberantic.com/MX: No RRSIG covering the RRset was returned in the response. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, UDP-EDNS0_4096_D_KN, UDP-EDNS0_512_D_KN)
abberantic.com/NS: No RRSIG covering the RRset was returned in the response. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, UDP-EDNS0_4096_D_KN)
abberantic.com/SOA: No RRSIG covering the RRset was returned in the response. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, TCP-EDNS0_4096_D_N, UDP-EDNS0_4096_D_KN, UDP-EDNS0_4096_D_KN_0x20)
abberantic.com/TXT: No RRSIG covering the RRset was returned in the response. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, UDP-EDNS0_4096_D_KN)
com to abberantic.com: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, UDP-EDNS0_4096_D_KN, UDP-EDNS0_512_D_KN)
com to abberantic.com: The DS RRset for the zone included algorithm 13 (ECDSAP256SHA256), but no DS RR matched a DNSKEY with algorithm 13 that signs the zone's DNSKEY RRset. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, UDP-EDNS0_4096_D_KN, UDP-EDNS0_512_D_KN)
com to abberantic.com: The DS RRset for the zone included algorithm 8 (RSASHA256), but no DS RR matched a DNSKEY with algorithm 8 that signs the zone's DNSKEY RRset. (162.159.24.25, 162.159.24.39, 162.159.25.129, 162.159.26.99, 162.159.27.72, 2400:cb00:2049:1::a29f:1819, 2400:cb00:2049:1::a29f:1827, 2400:cb00:2049:1::a29f:1981, 2400:cb00:2049:1::a29f:1a63, 2400:cb00:2049:1::a29f:1b48, UDP-EDNS0_4096_D_KN, UDP-EDNS0_512_D_KN)

If I turn off the DNSSEC at Namecheap, then the only complaint is that DNSSEC is not set.

abberantic.com

? The nameservers set on this domain at your domain name registrar should be
ns1.mbox.abberantic.com; ns2.mbox.abberantic.com. They are currently
ns1.linode.com; ns2.linode.com; ns3.linode.com; ns4.linode.com;
ns5.linode.com. If you are using External DNS, this may be OK.
✓ Domain’s email is directed to this domain. [abberantic.com ↦ 10
mbox.abberantic.com]
✓ MTA-STS policy is present.
✓ Postmaster contact address exists as a mail alias.
[postmaster@abberantic.com ↦ administrator@mbox.abberantic.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ Domain resolves to this box’s IP address. [abberantic.com ↦ 50.116.9.34;
2600:3c01::f03c:93ff:fee0:31fd]
✓ TLS (SSL) certificate is signed & valid. The certificate expires in 84 days
on 2022-07-22.
? This domain’s DNSSEC DS record is not set. The DS record is optional. The DS

What am I doing wrong when I try to set up DNSSEC? I would really like to use it, but not if it breaks my email…

Thanks,
Evelyn

If you don't use the DNS server on your MiaB server, then MiaB complains.

Basically what you are doing is using Linode as your DNS.

So you would enter each record into Linode one at a time (the records that are on your MiaB admin page under "System" → "External DNS").

In my setup I get the following:
The DNSSEC 'DS' record for domain.com is incorrect. See further details below.

? Nameserver glue records (ns1.mail.domain.com and ns2.mail.domain.com) should be configured at your domain name registrar as having the IP address of this box (IPADDR). They currently report addresses of [Not Set]/[Not Set]. If you have set up External DNS, this may be OK.

Now based on your info above:

This domain's DNS MX record is not set. It should be '10 
   mbox.abberantic.com'. Mail will not be delivered to this box. It may take 
   several hours for public DNS to update after a change. This problem may 
   result from other issues listed here.

So you do not have your MX record set properly for abberantic.com, maybe this is because you still have them set to Google Mail?

You can safely not worry about hosting a website on your MIAB server if that isn't what you intend to do. Users would need to go to mbox.abberantic.com to check their mail, but your website for www.abberantic.com is hosted elsewhere (not on the MiaB server).

Although when I try it publicly, it seems that www.abberantic.com goes to your MiaB server and I get Roundcube because it redirects; so does https://www.abberantic.com.

Not sure if that is really what you intended.

MX Toolbox is a great place to ensure you got the right records down.
SPF Check → SPF Check & SPF Lookup - Sender Policy Framework (SPF) - MxToolBox
Blacklist Check → Email Blacklist Check - IP Blacklist Check - See if your server is blacklisted
DMARC Check → DMARC Check Tool - Domain Message Authentication Reporting & Conformance Lookup - MxToolBox
DKIM Check → DKIM Check - DomainKeys Identified Mail (DKIM) Record Lookup - MxToolBox

So are you planning on keeping your Linode DNS and using External DNS, or using the box's DNS?

If you have websites, etc. and other servers, you might not want to use the box's DNS.

Make sense?

So you do not have your MX record set properly for abberantic.com, maybe this is because you still have them set to Google Mail?

No, ALL the glue records are set correctly at Linode, including the MX records.

If DNSSEC is turned OFF at the registrar, which is Namecheap, EVERYTHING is fine except DNSSEC (obv.).

If I turn ON DNSSEC at Namecheap, DNS goes to shit and dnsviz.net throws those errors.

BTW I am not hosting anything at www.abberantic.com and for this exercise don’t care that it goes to MIAB. None of my other domains web sites will be served from here. They’ve been happily on another VPS at Linode for years.

I've checked your domain (since you were kind enough to provide it) and it seems all is OK.

I’m not sure what dnsviz.net is actually complaining about. It looks like you should be getting mail just fine. (although you are on one blacklist)

LISTED SEM FRESH abberantic.com was listed Detail 1 35

Please review → https://www.warmupinbox.com/post/sem-fresh-blacklist
This might be from a new domain registration?

Sending mail might be wonky to some providers if they check this blacklist.

Just sent you a test message to your email - I think I discovered the right one. Let me know if you get it e---@abberantic.com

Chris

Just sent you a test message to your email - I think I discovered the right one. Let me know if you get it e—@abberantic.com

I know about the SEM FRESH, I just registered abberantic.com last week…! Nothing here to look at.

I currently have DNSSEC turned OFF. The problems arise when I turn it ON. I haven’t tested mail deliverability when it is ON, but I’m concerned about the MIAB status checks and the dnsviz.net errors.

OK I’ve turned on the DNSSEC at Namecheap. MIAB status goes red:

DNS MX record is not set.
autoconfig.abberantic.com: This domain should resolve to your box’s IP address
…etc…

Only thing I changed was to turn on DNSSEC.

Any other ideas what might be wrong?

Evelyn,

I tried sending you some follow-up emails and just received a bounce-back (still being retried).

Did you change any of your DNS records? Seems mail isn’t working properly now…

Ah, yes, in between getting your 1st email - which I received and replied to, and seeing this, is the part where I turned ON the DNSSEC at Namecheap.

The values I am entering for Key Tag, Algorithm, Digest Type, and Digest Value are the ones given to me by MIAB.

BUT I’m wondering if those values are only relevant if I’m using MIAB’s built-in Nameserver?

Registrar: Namecheap
DNS zone info: Linode
What values do I put where?

I deleted the DNSSEC entries out of Namecheap, clearly they’re not helping.

If I use Namecheap’s DNS for my zone files, and THEN turn on DNSSEC there, they’ll generate something for DNSSEC but I don’t know how that would tie in to MIAB?

Question for those using DNSSEC, and using external DNS servers:
What values are you using for Key Tag, Algorithm, Digest Type, and Digest Value?

It doesn't, and it doesn't have to. If you're using External DNS you can just ignore the entries for DNSSEC on the status page of Mail-in-a-Box.

The zone gets signed on the authoritative nameserver for your domain name, and then you have to add the values from the DS record you get (Key Tag, Algorithm, Digest Type, and Digest Value) to the DNSSEC settings of your registrar.

If Namecheap is both your DNS provider and registrar, you would generate the keys somewhere in the domain-settings section of Namecheap and then add the values you get from there to the DNS-settings section. Or this process may even work automatically if you activate DNSSEC in both places. In order for it to work that way you must of course use their nameservers for your domain.
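To make the point in the post above concrete (and the dnsviz complaint earlier in the thread, "no DS RR matched a DNSKEY ... that signs the zone's DNSKEY RRset"), here is an added Python example. It is not code from this thread, from Mail-in-a-Box or from any registrar; it shows how a DS record is derived from a DNSKEY RR (key tag per RFC 4034 Appendix B, digest over the canonical owner name plus DNSKEY RDATA per RFC 4034 §5.1.4 and RFC 4509), and what a validating resolver concludes when the DS published at the registrar does not match any DNSKEY served by the zone's actual authoritative nameservers. The two key-signing keys, the names `BOX_KSK` / `PROVIDER_KSK` and the function names are all constructed for the example; the public-key bytes are arbitrary, not real curve points, which the DS derivation does not care about.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 §5.1.3, RFC 4509, RFC 6605) -> hash constructor.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 §6.2): lowercase labels,
    each prefixed by its length, terminated by the empty root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA = flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag, RFC 4034 Appendix B: a 16-bit checksum over the RDATA used to
    pick out which DNSKEY a DS (or RRSIG) refers to. Not a hash, collisions are fine."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The four values a registrar asks for: (key tag, algorithm, digest type,
    digest).  digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 §5.1.4."""
    algorithm = rdata[3]
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_zone(owner: str, ds: tuple, zone_dnskeys: list) -> bool:
    """Does the DS at the parent (.com, fed by the registrar) match any DNSKEY
    actually served by the child zone's authoritative nameservers?  Validators
    compare tag, algorithm and digest (RFC 4035 §5.2); the SEP flag is only a hint."""
    tag, alg, dtype, digest = ds
    return any(make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest)
               for rdata in zone_dnskeys)


def diagnose(owner: str, published_ds, zone_dnskeys: list) -> str:
    """What a validating resolver (and every MTA behind one) concludes.
    'insecure': no DS at the parent, zone is unsigned but resolves normally.
    'secure'  : DS matches a served DNSKEY, chain of trust intact.
    'bogus'   : DS present but no matching DNSKEY, so there is no secure entry
                point and EVERY answer for the zone (MX, A, TXT...) is rejected."""
    if published_ds is None:
        return "insecure"
    if ds_matches_zone(owner, published_ds, zone_dnskeys):
        return "secure"
    return "bogus"


# Constructed sample keys (flags 257 = ZONE|SEP, protocol 3, algorithm 13 ECDSAP256SHA256).
# The box's key is what the MIAB status page prints DS values for; the provider's key
# is what a DNS host would generate if it signs the zone itself.  Arbitrary bytes.
BOX_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
PROVIDER_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))


def walk_through(owner: str = "example.com") -> dict:
    """The thread's three states: DS off, DS from the box while the provider's
    zone is unsigned, and DS from the provider's own signing key."""
    box_ds = make_ds(owner, BOX_KSK)
    provider_ds = make_ds(owner, PROVIDER_KSK)
    return {
        "no_ds_unsigned_zone": diagnose(owner, None, []),
        "box_ds_unsigned_zone": diagnose(owner, box_ds, []),
        "box_ds_provider_signed": diagnose(owner, box_ds, [PROVIDER_KSK]),
        "provider_ds_provider_signed": diagnose(owner, provider_ds, [PROVIDER_KSK]),
    }


if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("example.com", BOX_KSK)
    print(f"DS to enter at registrar: {tag} {alg} {dtype} {digest}")
    for state, verdict in walk_through().items():
        print(f"{state:30s} -> {verdict}")
```

The second and third states are the failure in this thread: the registrar hands .com a DS derived from the box's key while the nameservers actually answering for the domain serve either no DNSKEY or a different one, so validating resolvers return SERVFAIL for every record in the zone, MX included, which is why mail stopped the moment DNSSEC was switched on. The DS values to enter must always come from whichever server signs the zone; `dig DNSKEY example.com @ns1.provider.example +norecurse` against the authoritative server shows which keys are really being served.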

Thanks @miabuser, this is what I just concluded. If I switch to using Namecheap as my nameserver, enter all my zone records there, then turn on DNSSEC for the domain, I believe they will generate all the DS, DNSKEY, RRSIG, etc. records.

And I think if I need to change any of the records, like add/delete an A or TXT, I need to turn off DNSSEC first. After reading it seems DNSSEC records are generated from a hash of the zone’s other records (A, AAAA, TXT, etc), and it seems Namecheap generates them automatically but isn’t smart enough to re-generate them automatically when you change the zone records.

Exactly.

I don't know Namecheap. But most DNS providers do re-sign the zone automatically after you have changed any records, and you wouldn't generate new keys only for changing or adding normal DNS records. But if you change the nameservers for your domain, you have to delete the existing entries in the domain-settings section, i.e. at your registrar, and add the new values generated on your new nameservers.

I turned DNSSEC off at Namecheap, switched my zone records over to Namecheap, and then enabled DNSSEC. It seems to be working fine, according to DNSViz.com.

My MIAB system status complains about the DNSSEC DS record being incorrect, but I guess that is only because it doesn't match its hash of its suggested zone records. I'm going to ignore that. It's not checking that it's not the authoritative nameserver, and shouldn't care about the DS records.

Evelyn
