DNSSEC 'DS' record is incorrect with external DNS

I have configured external DNS and enabled “DNSSEC Status” (with my domain provider “Netcup”).
However, the MiaB status check shows the error:
This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server.

I cannot set a DS record because the registrars don’t allow this when using the registrar’s nameservers.

I performed a validation of my domain miab.mydomain.example with dnsviz.net, but I cannot identify an error.
The validation with dnsviz.net for the domain mydomain.example fails with the errors:

The TTL of the RRset (10800) exceeds the value of the Original TTL field of the RRSIG RR covering it (0).
The cryptographic signature of the RRSIG RR does not properly validate.

Can you please advise how to fix this?

Hello! I couldn’t find anything similar in my external DNS records. But DNSSEC works correctly for me after I installed all the certificates. Is everything ok with the certificates in the system status? In particular mta-sts.

All domains and subdomains are signed and valid.

It’s not possible (or practical) to use Mail-in-a-Box’s DNSSEC functionality when using external DNS because Mail-in-a-Box can’t set the right DNSSEC records then, and they need to be updated periodically. And Mail-in-a-Box doesn’t know that you aren’t using its DNSSEC functionality, so you should just ignore that in the status checks.

It’s also not possible if your registrar doesn’t support DS records, but I didn’t exactly understand what you meant there.

I no longer believe DNSSEC should be used unless you have a legal requirement to do so, so I would just skip it if you can.

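As an added illustration of the check behind the “DS record is incorrect” message (example code written for this thread, not Mail-in-a-Box’s own), the script below computes the key tag and DS digest from a DNSKEY as specified in RFC 4034 and compares them with the DS set published at the parent, reporting whether the chain of trust can be built. The owner name, key bytes and DS values are constructed placeholders.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 2 is SHA-256."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest().upper()

def check_chain(owner: str, dnskeys: list, parent_ds: list):
    """Compare each parent DS (tag, alg, digest_type, hex) with the child's DNSKEYs.
    Returns (ok, messages): ok means some DS matches a DNSKEY, so the chain can be built."""
    matched, messages = False, []
    for tag, alg, dtype, digest in parent_ds:
        same_tag = [k for k in dnskeys if key_tag(k) == tag and k[3] == alg]
        if not same_tag:
            messages.append(f"DS tag {tag}/alg {alg}: no DNSKEY with that tag at the child")
        elif any(ds_digest(owner, k, dtype) == digest.upper() for k in same_tag):
            matched = True
        else:
            messages.append(f"DS tag {tag}: digest differs from the child's DNSKEY (stale DS?)")
    return matched, messages

if __name__ == "__main__":
    owner = "mydomain.example."
    ksk = dnskey_rdata(257, 3, 13, bytes(range(64)))  # constructed placeholder key, not a real one
    good_ds = (key_tag(ksk), 13, 2, ds_digest(owner, ksk))
    stale_ds = (key_tag(ksk), 13, 2, "00" * 32)  # DS left at the parent for an old key
    print(check_chain(owner, [ksk], [good_ds]))
    print(check_chain(owner, [ksk], [stale_ds]))
```

A DS that no longer matches any DNSKEY (for instance after a key rollover that the registrar never learned about) is exactly the situation the status check reports as a broken chain.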

I fully agree with this conclusion and will ignore related error messages or warnings accordingly.

Therefore, this issue can be considered ‘closed’.
