DNSSEC Setup with external DNS

Greetings! I’m finishing up my first MIAB setup. I’m using my domain registrar’s name servers, and just configured reverse DNS with my VM host. My root is hosted separately and does not point to my MIAB (let’s call it box .mysite .com). My system status checks output includes the following.

box .mysite .com

:heavy_multiplication_x: The DNSSEC ‘DS’ record for mysite .com is incorrect. See further details below.

? Nameserver glue records (ns1 .box .mysite .com and ns2. box .mysite .com) should be configured at your domain name registrar as having the IP address of this box (5.5.5.5). They currently report addresses of [Not Set]/[Not Set]. If you have set up External DNS, this may be OK.

mysite .com

:heavy_multiplication_x: This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately by following the instructions provided by your domain name registrar and provide to them this information:
* some details including mismatched values for Key Tag, Algorithm, and Digest, along with a sample DS record *

The ? warning appears to be nonapplicable since I am not using my MIAB for DNS. My domain registrar has a DNSSEC option which has been enabled, which I expect is the cause of the mismatched values.

I have a CNAME for box .mysite .com pointing to my VM host, so I can’t add DNS records (such as DS) directly in my registrar. So, I’m guessing that configuring DNSSEC would require some kind of support from my hosting provider? Any clarification is appreciated!

Spaces added to URLs so they’re not formatted as links.
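To see what the status check above is actually comparing, here is an added example (not part of the original post or of Mail-in-a-Box): it recomputes a DS record from a zone's DNSKEY per RFC 4034 and lists which fields (Key Tag, Algorithm, Digest) differ from the DS the parent zone publishes. The DNSKEY bytes and the "published" DS are constructed placeholders, not real values.

```python
"""Recompute a DNSSEC DS record from a zone's DNSKEY and diff it against the
DS that the parent zone publishes (RFC 4034 section 5.1.4 and Appendix B)."""
import base64
import hashlib
import struct

# DS digest type -> hash function (RFC 4034 / RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name, e.g. b'\\x06mysite\\x03com\\x00'."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) the parent should publish."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_mismatch(published, expected):
    """Names of the DS fields where the parent's record differs from the expected one."""
    fields = ("key_tag", "algorithm", "digest_type", "digest")
    return [f for f, p, e in zip(fields, published, expected) if str(p).upper() != str(e).upper()]


if __name__ == "__main__":
    # Constructed placeholder key bytes (not a real ECDSA P-256 public key).
    fake_key = base64.b64encode(bytes(range(64))).decode()
    expected = ds_from_dnskey("mysite.com", 257, 3, 13, fake_key)
    # Constructed stand-in for the DS the registrar currently shows at the parent.
    published = (12345, 13, 2, "00" * 32)
    print("expected DS:", expected)
    print("mismatched fields:", ds_mismatch(published, expected))
```

A non-empty mismatch list is exactly the "chain of trust is broken" condition: the parent's DS does not hash to the key the zone is actually signed with.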

The warning for the glue records can be ignored, yes.

Presumably, you gave the registrar the values provided by your DNS provider, not MiaB - correct?

I am sorry, but this doesn’t make sense. You point an A record at the IP address of the VPS.

Your registrar will take care of this themselves if they are your DNS provider (which I believe you indicated to be the case). Who is your registrar?

DNSSEC has nothing to do with your actual hosting of the VPS. It has to do with the hosting of the name servers, which, as you have indicated, is with your domain registrar.

Thanks for the responses! :smile:

I’m using Google Domains; they provide my nameservers and offer straightforward DNS configuration. But…

I have a CNAME on Google Domains, which points to an FQDN resolved by Azure to my VM’s IP. Perhaps this is the issue, since Azure DNS does not support DNSSEC… However, I’m not using “Azure DNS” per se, but their Public IP Address option (see relevant documentation).

Perhaps I should try pointing directly to the IP and see if that resolves it…?

Which values are we referring to? No, I do not have a custom DS record specified, if that’s what you’re asking. Since my registrar is my DNS provider, perhaps that’s not the issue?

Disable this with your registrar. Wait 48 hours (per Google Domains documentation). Then re-enable it.

I’ll give this a shot. Thanks!

Error message is gone after disabling DNSSEC. Now I’ll re-enable…


Error message is back after re-enabling DNSSEC. :confused:

Is it possible that the TLSA records are the issue? At setup, I used the values from MIAB for _25._tcp.box and _443._tcp.box and added those records in Google Domain’s DNS.

AFAIK, no. It should not be.

Can you provide step-by-step details (or screen caps) of exactly how you re-enabled DNSSEC? You can, of course, share this privately if you’d prefer.

Actually, please PM me your domain name so I can check DNSSEC and see where the issue may lie.
