Dnssec warning with .be domain


I have setup mailinthebox just like the tutorial at Digital Ocean with fresh ubuntu 14.04
To keep all variables clean I did everything according the tutorial and bought a SSL cert at Gandi.
When I set the Dnssec at Gandi (just like the tutorial) for one of my hosted domains owncloud-hosting.be I get a notification “This domain’s DNSSEC DS record is incorrect”.

After searching I see that in version 16 that the change log noted .be domains now offer DNSSEC options supported by the TLD. The algorithm changed from 7 (RSASHA1-NSEC3-SHA1) to 8 (RSA/SHA-256).

When I test the dnssec online with http://dnssec-debugger.verisignlabs.com everything is green and ok
So how do I interpret the “This domain’s DNSSEC DS record is incorrect” message ?

edit: how do I proceed ?

I used another tool and your setup does look correct.

On a different note the above reveals you might want to be sure your glue records also have IPv6 to match and eliminate the warnings shown.

I’m a bit stumped why you see the notification of DS being incorrect. Can you post a bit of the detail of the message?

Hi v60fan,

Thank you for your time to help me.
The Detailed message:

This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately by following the instructions provided by your domain name registrar and provide to them this information:
Key Tag: 58087
Key Flags: KSK
Algorithm: 8 / RSASHA256
Digest Type: 2 / SHA-256
Digest: fa9bbe6f6b144fafec35c655a8ff7165c7e986d152b11e0b206efb5d45bca7d7
Public Key:
Bulk/Record Format:
owncloud-hosting.be. 3600 IN DS 58087 8 2 fa9bbe6f6b144fafec35c655a8ff7165c7e986d152b11e0b206efb5d45bca7d7

edit: I just changed the Glue record management at Ghandi with added ipv6 addresses (Thanks I missed this !!!)

How much time has passed since you made the update? It does have to propagate. When I look onto dig, I find your DS record fine.

dig DS owncloud-hosting.be @

After I read your post and visited the link dnsviz.net I saw that I forgot to add the ipv6 to my glue records at Gandi.
1 minute after that I added the records and always wait min 4 hours to propagate before check again.
I have a lot of other stuff to do for clients. DNS stuff are always planned in the morning and I just pick up the work in the afternoon after lunch :wink:
Just my rule of thumb to keep working and not checking the whole time.

The dig looks good though… Also the ipv6 propagated while typing this message.

From server side I have no clue where to start troubleshooting this.
I guess I try to look at the git repo for this message and work my way back.

Do you have two mail-in-a-box instances?

I ask because I noticed your nameservers are ns1.mail.liquid-hosting.be (and ns2.) rather than owncloud-hosting.be so it seems like your owncloud-hosting isn’t doing its own DNS.

So this is another possible reason, though maybe I misunderstand your setup?

The main setup for this server is with hostname liquid-hosting.be
Also with the corresponding name server and glue record setup values:
ns1.mail.liquid-hosting.be || ns2.mail.liquid-hosting.be

FYI: I do not have two mail-in-a-box instances (want to keep everything according tutorial to keep variables constant)

From that I have several domain names hosted on the box.
The Drupal | Wordpress and Owncloud (for big customer files) I have A records pointed to other servers that will handle the PHP based websites and with backend (no pub ip) mysql servers.

mailserver -> webserver -> mysql server

The box as I use it is designed to serve as DNS server and mailserver only as designed by Joshua.

The .com | .org and .net are working fine with DNSSEC while having the PHP related websites pointing to other servers. The message I get from these domain names are: “DNSSEC ‘DS’ record is set correctly at registrar.”

I only have problems with the .be domain names and thought by looking at the changelog this was already addressed 30th Jan 2016.

Further I really appreciate your help

Hi again. I understand the setup now and that should work fine. Perhaps it’s something specific to the .be since you say the others are working fine. As you reference, maybe the fix in the changelog isn’t yet really working.

@JoshData How can I help you with system logs or other info to look into this ?
I don’t know what the experience is from @erik and @Hoekynl

Hello @sssmoves,
I’ve got the same message for my .be domain name. All other domains (.nl / .com / .eu, registered and hosted at the same hosting provider) are all working perfectly. Only the .be is giving the warning. Version 16 did fix some other warnings, but this one remains. No clue what’s wrong.

@sssmoves I’m not sure what you’re trying to fix. DNSSEC looks good to me:

$ drill -DT owncloud-hosting.be 
(lots of stuff...)
[T] owncloud-hosting.be.	1800	IN	A

The [T] means it’s correct, I think.