DNSSEC warnings

@JoshData @v60fan @alexweissman @sj660 I am running into warning message(s) related to DNSSEC, maybe discussed here too: “Pre-custom-algo DNSSEC key migration not working(?)” and/or “dnssec warning”.

Admin GUI warning message: “This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately by following the instructions provided by your domain name registrar and provide to them this information.”

  • DNSSEC is set to [S] (self sig) when drill -DT domainname.name. The following noteworthy warnings appear:
    Warning: No trusted keys were given. Will not be able to verify authenticity!
    ;; Domain: .
    ;; Signature ok but no chain to a trusted key or ds record (…)
    [S] domainname.name. 1800 IN A xx.xxx.xx.xxx [IP of the box]

  • dig DS domainname.name @8.8.8.8 shows two entries with a status: NOERROR reply.

  • dnsviz.net shows no errors and chains valid.

  • Verisign Labs (dnssec-debugger.verisignlabs.com) shows all green check marks, but there is one exclamation mark when going into the detailed view, with the following information: S=20326/SHA-256 is published, but a corresponding DNSKEY is not

  • Analyzing mail headers from box outbound mails shows the following noteworthy info:
    SPF HELO PASS SPF: HELO matches SPF record
    DKIM SIGNED Message has a DKIM or DK signature, not necessarily valid
    T DKIM INVALID DKIM-Signature header exists but is not valid

Enough time has passed (at least 96 hrs) since the last updates. Something seems fishy. Any help?
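The check behind the Verisign Labs message (a DS published at the parent with no DNSKEY in the zone that hashes to it), written out as an added example; this is not Mail-in-a-Box code and not from any poster in this thread. It builds the DS digest and key tag from a DNSKEY exactly as RFC 4034 defines them and compares the result with the DS set the parent publishes. The DNSKEY and DS records below are constructed sample values (the key bytes are a dummy, not a real key); in practice you would feed it the DNSKEY records from `dig DNSKEY domainname.name @<box IP>` and the DS records from `dig DS domainname.name @8.8.8.8`, both of which are assumed inputs here.

```python
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name: length-prefixed labels, zero-terminated."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, HEX digest) for a DNSKEY.

    RFC 4034 section 5.1.4: digest = H(canonical owner name || DNSKEY RDATA).
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def check_ds_against_dnskeys(owner, dnskeys, ds_records):
    """Classify each published DS record against the zone's DNSKEY set.

    dnskeys:    list of (flags, protocol, algorithm, base64 key) from the zone apex
    ds_records: list of (key_tag, algorithm, digest_type, hex digest) from the parent
    Returns a report keyed by finding; key tags may collide, so every digest a
    (tag, algorithm, digest type) triple can produce is kept and compared.
    """
    computed = {}
    for flags, proto, alg, key in dnskeys:
        for dtype in DIGEST_ALGOS:
            tag, _, _, digest = ds_from_dnskey(owner, flags, proto, alg, key, dtype)
            computed.setdefault((tag, alg, dtype), set()).add(digest)

    report = {"valid": [], "digest_mismatch": [], "no_matching_dnskey": [],
              "unsupported_digest_type": []}
    for tag, alg, dtype, digest in ds_records:
        if dtype not in DIGEST_ALGOS:
            report["unsupported_digest_type"].append(tag)
        elif (tag, alg, dtype) not in computed:
            # This is the condition the Verisign Labs debugger reports as
            # "S=<tag>/SHA-256 is published, but a corresponding DNSKEY is not".
            report["no_matching_dnskey"].append(tag)
        elif digest.upper() not in computed[(tag, alg, dtype)]:
            report["digest_mismatch"].append(tag)
        else:
            report["valid"].append(tag)
    return report


OWNER = "domainname.name."  # placeholder domain name used in the thread

# Constructed sample DNSKEY: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256).
# "AQIDBA==" is the bytes 01 02 03 04, a dummy key chosen so the tag (2068) is hand-checkable.
SAMPLE_DNSKEYS = [(257, 3, 13, "AQIDBA==")]


def run_sample():
    """Three constructed DS records: one correct, one with a wrong digest, one stale (tag 20326)."""
    good = ds_from_dnskey(OWNER, *SAMPLE_DNSKEYS[0])
    wrong_digest = (good[0], 13, 2, "11" * 32)
    stale = (20326, 13, 2, "00" * 32)  # no DNSKEY in the zone hashes to this
    return check_ds_against_dnskeys(OWNER, SAMPLE_DNSKEYS, [good, wrong_digest, stale])


if __name__ == "__main__":
    for finding, tags in run_sample().items():
        print(f"{finding}: {tags}")
```

A DS that lands in `no_matching_dnskey` is the case the admin GUI warning describes: the parent still vouches for a key the zone no longer serves (typically a DS left behind from before a key rollover), and the fix is at the registrar, replacing the stale DS with the one computed from the current DNSKEY. A `digest_mismatch` points at a DS entered with the wrong digest or digest type rather than at the key itself.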

I’ve gotten the DNSSEC error before, but it has tended to be transient.

I would be more concerned about your DKIM error message. Are you using MiaB as the DNS for this domain?

@alexweissman Yes, that’s correct: MiaB is used as the DNS for the domain (and no second domain is or was installed on this box).

@alexweissman What's your (or somebody else's) output when analyzing mail headers in regards to the DKIM signature? Any help on this? The DNSSEC warning in the GUI is still permanently showing up. Thanks a lot.