Admin GUI Warning-Message: “This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately by following the instructions provided by your domain name registrar and provide to them this information.”
DNSSEC is set to [S] (self sig) when running drill -DT domainname.name. The following noteworthy warnings appear:
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record (…)
[S] domainname.name. 1800 IN A xx.xxx.xx.xxx [IP of the box]
dig DS domainname.name @22.214.171.124 shows two entries with a status: NOERROR reply.
dnsviz.net shows no errors and chains valid.
Verisign labs (dnssec-debugger.verisignlabs.com) shows all green check marks, but there is one exclamation mark when going into the detailed view with the following information: S=20326/SHA-256 is published, but a corresponding DNSKEY is not
Analyzing mail headers from box outbound mails shows the following noteworthy info:
SPF_HELO_PASS SPF: HELO matches SPF record
DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
T_DKIM_INVALID DKIM-Signature header exists but is not valid
Enough time has passed (at least 96 hrs) since the last updates. Something seems fishy. Any help?
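An added example, not part of the original post and not code from the box's software: one way to check offline whether each DS record published at the registrar is actually produced by a DNSKEY the box serves, using the key tag and digest rules of RFC 4034. The key material and the stale DS entry are constructed sample values, and the function names are this example's own.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def unmatched_ds(owner, ds_records, dnskeys):
    """Return the DS tuples (tag, alg, digest_type, digest_hex) that no DNSKEY produces."""
    produced = set()
    for flags, proto, alg, b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, b64)
        for dtype in DIGESTS:
            produced.add((key_tag(rdata), alg, dtype, ds_digest(owner, rdata, dtype)))
    return [ds for ds in ds_records
            if (ds[0], ds[1], ds[2], ds[3].replace(" ", "").upper()) not in produced]

# Constructed sample data: a fake 64-byte algorithm-13 key, not a real zone key.
OWNER = "domainname.name."
CONSTRUCTED_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    rdata = dnskey_rdata(*CONSTRUCTED_KEY)
    good = (key_tag(rdata), 13, 2, ds_digest(OWNER, rdata, 2))
    stale = (12345, 13, 2, "00" * 32)  # constructed DS left over from an old key
    for ds in unmatched_ds(OWNER, [good, stale], [CONSTRUCTED_KEY]):
        print("DS with no matching DNSKEY:", ds)
```

To use it on a real zone, fill the two lists from the DS answer at the parent and the DNSKEY answer from the box's own nameserver.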