DNSSEC Undo/disable


Is there a installation/configuration option for mail-in-a-box where I can explicitly turn off DNSSEC? I tried setting it up with my registrar but since my registrar and DNS service provider are two separate companies with different ideas about DNSSEC, with my own DNS servers in between, it all failed spectacularly. I’ve removed the DS records at the registrar again but mail-in-a-box still puts all the RRSIG and DNSKEY values in the zone files it transfers out when I appoint a xfr:… secondary.

After some digging around the internet I found that DNSSEC is not really getting much traction out there with a steady consensus building that it’s more trouble than it’s worth. I don’t have enough to judge on, but it looks like for me DNSSEC just gets in the way and I’d like to turn it off completely.

There seems to be provision in the github code for main-in-a-box running with DNSSEC disabled, but I don’t know how to disable it. I have two instances for different domains and only ran the DNSSEC experiments on the one, but both seem to be behaving the same with regards to the DNS records it outputs. Also there are .ds and .signed files in /etc/nsd/zones on both machines which suggests that both are by default running with DNSSEC signing turned on.

Other forum posts this matter have been closed already and didn’t address my requirement exactly, so I would appreciate any help on how to convince mail-in-a-box to not do any of the DNSSEC things it is doing.

I’m no expert either, but if you’re using external DNS, you can probably just ignore the messages about DNSSEC in the admin interface if you can’t or don’t want to use it, and you should be fine.

DNSSEC is, as the name suggests, purely a DNS thing, so if you’re not using Mail-in-a-Box to provide DNS for your domains, there’s no need to disable anything. I mean, in theory you could disable or remove NSD altogether, which is the authoritative DNS server provided by Mail-in-a-Box. However, changes like that are not supported, so I’d say the only real option in this case is to just ignore the messages about DNSSEC.

Someone please correct me, if I’m missing something here…

It’s more than just messages about DNSSEC on the admin Status Checks. When the zones are transferred to a secondary name server the records are all signed with RRSIG attributes and DNSKEYS as they would be when DNSSEC is being used.

The presense of those fields in the zone files makes them really cumbersome to work with, and that’s the main reason I’d like to “tell” MiaB to exclude them. Does that make more sense?

As far as I have experimented with NSD it does not have DNSSEC enabled out of the box. Something in the MiaB installation activates DNSSEC in NSD and I’m looking to undo that if possible. I don’t wish to disable or remove NSD completely since it serves a valid purpose.

I think zone files with dnssec are always generated by the daily update. Even if you’re not using it.

Yes, that certainly correlates with my observations.

Now how do I change that?

I don’t specifically care whether or not the .ds and .signed files are being generated. I just don’t want the zone records as sent out via zone transfer to include the DNS related signatures and keys when DNSSEC for that zone isn’t actually active.

Perhaps there is a config setting applied somewhere NSD that either responds to the presense of the .ds and .signed files or that causes them to be generated and used or makes NSD think it should operate in DNSSEC mode in some other way.

Look at the code. Mail-in-a-Box mainly uses standard config files and the scripts are in BASH and Python. You will probably need to do some scripting anyway in order to redo your changes after a Mail-in-a-Box upgrade. At least as long as your proposal has not been approved :wink:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.