DNSSEC (DS records) and External DNS

Hello.
After searching about my question, I found this comment from JoshData saying that DNSSEC should not be used unless you have a legal requirement.

https://discourse.mailinabox.email/t/dnssec-ds-record-is-incorrect-with-external-dns/11376/6

I would like to ask and understand a couple of things:

  • Does that only apply to External DNS, or is DNSSEC not recommended when using the MIAB built-in DNS server too?
  • For an external DNS server, shall I just disable DNSSEC at my provider and remove any DS record? Or would it help somehow to enable DNSSEC there and ignore all related errors at the MIAB host?
  • Depending on the above answers… would it make sense to change those error/warning messages and their level? (Just to avoid people like me asking these questions here in the future.)

Thanks in advance.

My view is that DNSSEC is required for supporting DANE. Because Mailinabox supports DANE, it implements DNSSEC. However, widespread support of DANE is not a thing. I think Microsoft supports it, but e.g. gmail does not.
DNSSEC can be a complicating factor when configuring DNS; I recommend disabling it when doing DNS-related changes. Once it's running, I have found it to be painless.
For external DNS there is nothing Mailinabox can do to support DNSSEC. Its built-in checks cannot (at the moment) detect whether external DNS is used or not, so the checks will warn you.
It is perfectly possible to enable DNSSEC for external DNS, but it depends on your DNS provider. In that case, ignore the DNS warnings.

TLDR

  • In my opinion, you should enable it if you can. It does not hurt.
  • If using external DNS (with or without DNSSEC), ignore the warnings Mailinabox provides.
  • When performing DNS maintenance (e.g. moving domains, changing stuff at the domain registrar), disable DNSSEC first.
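To make concrete what the two status messages in this thread are actually comparing, here is an added Python example (written for this page, not Mail-in-a-Box's own check code): it derives a DS record from a zone's DNSKEY as RFC 4034 section 5.1.4 describes (key tag over the RDATA, digest over canonical owner name plus RDATA) and classifies the DS published at the registrar as matching, matching but using an outdated algorithm or digest, or not matching any key the zone serves (the broken chain of trust). The domain, the 64-byte key and every record below are constructed placeholders, and the three verdict labels are this example's own, not the exact strings the project prints.

```python
"""Derive a DS record from a DNSKEY and compare it with the registrar's DS.
Added example; the domain, key bytes and records are constructed placeholders."""
import base64
import hashlib
import struct

ALG_ECDSAP256SHA256 = 13      # the algorithm the status check recommends
DIGEST_SHA1 = 1               # legacy digest type; triggers the "should be updated" case
DIGEST_SHA256 = 2
DIGEST_FUNCS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}
ZONE_KEY_FLAG = 0x100         # DNSKEY flags bit 7: the key may sign the zone


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(line):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64' into its fields."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, pubkey


def parse_ds(line):
    """Parse 'owner [TTL] [IN] DS keytag alg digesttype hexdigest'."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    return fields[0], tag, alg, dtype, "".join(fields[idx + 4:]).upper()


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones'-complement-style sum of the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, proto, alg, pubkey, dtype=DIGEST_SHA256):
    """RFC 4034 5.1.4: DS digest = H(canonical owner name | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = DIGEST_FUNCS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, dtype, digest


def check_chain(ds_line, dnskey_lines):
    """'ok': registrar DS matches a zone key with the recommended parameters;
    'outdated': it matches, but with an older algorithm or digest type;
    'broken': no zone key served by the name server matches it."""
    owner, tag, alg, dtype, digest = parse_ds(ds_line)
    for line in dnskey_lines:
        k_owner, flags, proto, k_alg, pubkey = parse_dnskey(line)
        if k_owner.lower() != owner.lower() or not flags & ZONE_KEY_FLAG:
            continue
        if dtype not in DIGEST_FUNCS:
            continue
        k_tag, _, _, k_digest = ds_from_dnskey(k_owner, flags, proto, k_alg, pubkey, dtype)
        if (k_tag, k_alg, k_digest) == (tag, alg, digest):
            if alg == ALG_ECDSAP256SHA256 and dtype == DIGEST_SHA256:
                return "ok"
            return "outdated"
    return "broken"


# Constructed sample zone: one KSK (flags 257) with a placeholder 64-byte key.
OWNER = "example.com."
PUBKEY = bytes([0x01]) * 64   # placeholder for a P-256 public point, not a real key
DNSKEY_LINE = "%s 3600 IN DNSKEY 257 3 13 %s" % (OWNER, base64.b64encode(PUBKEY).decode())


def ds_line(dtype):
    """Presentation-format DS for the sample key with the given digest type."""
    tag, alg, dtype, digest = ds_from_dnskey(OWNER, 257, 3, ALG_ECDSAP256SHA256, PUBKEY, dtype)
    return "%s 3600 IN DS %d %d %d %s" % (OWNER, tag, alg, dtype, digest)


GOOD_DS = ds_line(DIGEST_SHA256)
SHA1_DS = ds_line(DIGEST_SHA1)
# Flip the last hex digit: a stale DS left at the registrar after a key rollover.
BAD_DS = GOOD_DS[:-1] + ("0" if GOOD_DS[-1] != "0" else "1")

if __name__ == "__main__":
    for label, ds in (("current", GOOD_DS), ("sha1", SHA1_DS), ("stale", BAD_DS)):
        print(label, check_chain(ds, [DNSKEY_LINE]))
```

The "chain of trust is broken" case is the third one: the registrar's DS no longer digests to any DNSKEY the name server answers with, which is exactly what happens if DS records are left at the registrar after signing is turned off or a key is rolled. With no DS at the parent there is simply no chain to validate, so removing the DS and the warning go together.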

Thank you!

So once everything is settled, I can enable external DNSSEC, but I don't need to configure any DS record, as the MIAB DNS server won't be signing anything with it (as it is disabled), right?

So these messages can be safely ignored (and I could even remove existing DS records):

Warning: DNSSEC 'DS' record set at registrar is valid but should be updated to ECDSAP256SHA256 and SHA-256 (see below). 

Error: This domain's DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine's DNS server.