DNSSEC DS record is incorrect

Linuxdutch · June 24, 2022, 9:45am

Hello,

I just started a mailinthebox server on a vps. I have an cloudflare domain with ddnsec enabled and I get the error message from mail in the box:

“This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately”

Can I do something about it or can I ignore this?

Regards,

Linuxdutch

openletter · June 24, 2022, 11:42am

If you are not using the MiaB DNS server, you will get this and probably other messages on the status checks page.

Linuxdutch · June 24, 2022, 1:43pm

Ok thanks so I can ignore those messages…? Email is working btw.

openletter · June 24, 2022, 1:44pm

I think more correct is the message is communicating an expected condition. The messages really should never be ignored.

Linuxdutch · June 24, 2022, 1:47pm

Because I am using nameservers from the cloudflare domain, I’ll get those messages. Everything else is in the green accept the dns… So this is normal behaviour from Mailinthebox because I don’t use the box nameservers…

Linuxdutch · June 24, 2022, 1:59pm

I am still missing the records from MTA-STS policy how can I make those? And I can I put them in the cloudflare dns?

openletter · June 24, 2022, 2:04pm

I forget the order of getting this configured, but it’s something like create a DNS a record for mta-sts.example.net, then create a TLS certificate for mta-sts.example.net, then the status checks page will tell you to create a DNS txt record for _mta-sts.example.net.

Linuxdutch · June 24, 2022, 2:05pm

Ok so I need to make this for my root domain.com? or the box.domain.com?

openletter · June 24, 2022, 2:06pm

For whatever domains status checks is telling you the the policy is missing on.

Linuxdutch · June 24, 2022, 2:07pm

Roger that, lot of work then haha for a own mailserver! But I love it!

openletter · June 24, 2022, 2:08pm

It is a fraction of the work compared to configuring everything yourself.

Linuxdutch · June 24, 2022, 2:10pm

Your right about that. I love your project, better than the competition!

openletter · June 24, 2022, 2:13pm

Well, it isn’t “mine”, but for the use-case of a server capable of supporting <150 active users and not requiring user roles, it’s the easiest and cheapest project to use. Some people do point to something like Mailcow because it runs in a container, but the resource requirements make the server a lot more expensive per month, at least from a percentage perspective. There are people running MiaB on 512MB servers!

Linuxdutch · June 24, 2022, 2:32pm

Well I am running Miab on a 2 gb 2 core vps on an older processor intel xeon 5, even Yunohost didn’t like this server cause of not streaming capable… But I am happy Miab is running wel. Now I am still trying to fix the mta error… haha Miab already has a txt file for it only need to make a working dns record.

lamberete · June 25, 2022, 12:15pm

I have the same scenario, as I also have external DNS.
I’d love to be able to “mark” which domains are Miab-dns managed and which ones are externaly managed so this errors/warnings do not produce “noise” y the status check.
I think it could be my second contribution to miab, but unsure if it will get accepted (my previous contribution wvs a bug-fix).

Does any one knows where I can discuss about this before working on it?

openletter · June 25, 2022, 12:18pm

You might try posting what you want to do to the GitHub issues and see what kind of response is generated.

system · July 2, 2022, 12:18pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.