DNSSEC with external DNS

Hi there, I’ve been running MiaB for some months and I’m really happy with it! There is just one thing: I’d like to switch from the built-in DNS to Cloudflare. Now I’m not quite sure how to set up DNSSEC correctly: should I use the DS records provided by my MiaB, or enable DNSSEC at Cloudflare?

If I use DS records provided by MiaB then I get the following errors:
- The nameservers set on this domain are incorrect. They are currently [Not Set]. […]
- This domain’s DNS MX record is not set. […]
- This domain should resolve to your box’s IP address […]

If I enable DNSSEC at Cloudflare, I see the following errors in my MiaB:
- This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. […]
- The nameservers set on this domain at your domain name registrar should be […]

I already know that errors on the status page are OK when using external DNS. However, both ways seem a bit suspicious to me. From my understanding I’d prefer using MiaB’s DS records, but I’m not 100% sure, so I’d like to hear your advice.

If you switch from MiaB’s DNS to Cloudflare’s, you need to REMOVE the DNSSEC record from your domain registrar FIRST. The fact that you are getting this error says that you are not doing so:

You must disable it, change the name servers, then re-enable DNSSEC with the registrar. The keys are provided by the DNS server itself.

You use the DS records provided by your DNS provider - in your desired scenario, Cloudflare.

@alento Thanks for your fast reply!

No, wait, I’ve already done this step successfully. First I removed the DNSSEC record from my domain registrar and then switched the nameservers to Cloudflare. Up to here everything is fine, only the obvious error that Cloudflare’s nameservers are used instead of my MiaB’s. Nothing else.

Furthermore I have to add (sorry, I only see it now, I forgot to mention it) that of course in both cases Cloudflare had the DS entries. It was meant just that way: when using the DNSSEC parameters provided by MiaB, I added the appropriate DS record at Cloudflare; when Cloudflare managed DNSSEC itself, Cloudflare added the DS record automatically.

So in both cases Cloudflare had a DS record, which I afterwards added at my domain registrar. The only difference was that in case 1 I used a DS record provided by MiaB and in case 2 one that was generated by Cloudflare. But as you can see, in both cases I had those errors, so I’m not sure if I’ve done everything right.

OK, I’ve set up DNSSEC at Cloudflare as suggested by @alento and the error from my first post persists. Apparently it’s expected behavior, as e.g. mentioned here:

@limitless

My apologies, not sure where my head was when I replied the other day, but my response was only partially correct. I was preparing to go out of town for the weekend and my reply was too hurried. Again, apologies.

If you get the error shown when MiaB is supposed to be handling DNS, it is usually a problem with DNSSEC not being disabled at the registrar level for the previous name servers. My advice was sound for that part of the equation.

HOWEVER

If you are getting the error when DNSSEC is being provided by another name server, then my suggestion is to check that DNSSEC is properly set up using the following (or a similar tool):

https://dnssec-debugger.verisignlabs.com/

Because, yes, MiaB will show it as incorrect, as MiaB is not controlling it as it expects to.

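The check the debugger performs on the chain of trust is essentially "does the DS at the registrar match a DNSKEY the zone actually publishes?". As an added example (not from this thread or from MiaB), the Python below derives the DS record for a given DNSKEY per RFC 4034 and compares it with the DS set held at the registrar; the DNSKEY used here is a constructed 4-byte placeholder, not a real key, so for a live check you would feed it the DNSKEY RRset from your DNS provider and the DS set from your registrar.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format, RFC 4034 §6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-RSA/MD5 keys)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_to_ds(owner: str, flags: int, protocol: int, alg: int,
                 pubkey_b64: str, digest_type: int = 2) -> dict:
    """Derive the DS record the parent/registrar should hold for one DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": alg,
            "digest_type": digest_type, "digest": digest}


def registrar_ds_matches(owner: str, dnskeys: list, registrar_ds: list) -> bool:
    """True if at least one registrar DS is derived from a published DNSKEY."""
    computed = {(d["key_tag"], d["algorithm"], d["digest_type"], d["digest"])
                for k in dnskeys for dt in DIGEST_ALGS
                for d in [dnskey_to_ds(owner, *k, digest_type=dt)]}
    return any((ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"].upper())
               in computed for ds in registrar_ds)


# Constructed sample: a KSK (flags 257, protocol 3, alg 13) with a fake 4-byte key.
SAMPLE_KSK = (257, 3, 13, base64.b64encode(b"\x01\x02\x03\x04").decode())

if __name__ == "__main__":
    ds = dnskey_to_ds("example.com.", *SAMPLE_KSK)
    print(f"example.com. IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
```

If `registrar_ds_matches` returns False for your zone, the DS at the registrar points at a key the provider no longer publishes, which is exactly the broken chain of trust the debugger reports.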

Thanks for coming back to my topic @alento!

I’ve already checked through dnsviz.net (which was suggested by Cloudflare) and it seems the DNSSEC settings are correct. I think I was just a bit confused because I didn’t really think about how DNSSEC works, and the errors did the rest :grin:

I’ve moved my secondary domain to Cloudflare first; now I’d like to proceed and move the main MiaB domain. I have only one more question and would be really thankful if you could confirm my thoughts:
MiaB’s DNS server is designed to create, for each added (sub-)domain, the records that would be needed to send mail using it. So it adds MX, DMARC and DKIM records for subdomains like e.g. www.domain.com, box.domain.com.
However, I’d like to keep an overview of all my DNS records and therefore I’d like to leave out any record that I don’t need. I’m assuming that only the following records are really needed and nothing more?

MX, SPF, DKIM, DMARC only for domain.com
SRV for all needed services
SSHFP, TLSA

Btw, I’m just wondering why there are no TLSA records used for IMAP and SMTP in MiaB?

Personally, I go even leaner … but then again I do not usually use things such as carddav or caldav … For each domain, I set the MX, SPF, DKIM, and DMARC records. For the domain that the MiaB install is hosted on, I include the A record. In addition, the necessary records for any services that are hosted elsewhere (such as www, etc.).
As for the sub-domains, I do add the records for the sub-domain which is the hostname of MiaB, as earlier releases of MiaB would create the primary email address in the format user@box.domain.tld. MiaB has moved away from this format, but I continue to use it for admin purposes.

Honestly, I am not really familiar with either type of record. So I had to put my Google search abilities to work. I think that the answer lies in the comments on the admin page …

Recommended when DNSSEC is enabled. Advertises to mail servers connecting to the box that mandatory encryption should be used.

Optional. When DNSSEC is enabled, provides out-of-band HTTPS certificate validation for a few web clients that support it.

As I am unfamiliar with TLSA records in the first place … I can only speculate that dovecot controls the security for IMAP and SMTP in a way that either renders the presence of a TLSA record as unnecessary or unsupported. Maybe someone else with more experience in this area can chime in? :slight_smile:


Thanks for your reply, @alento!

That’s a good point, which I totally forgot about. You mean the MX, SPF, DKIM, and DMARC records for the MiaB hostname? As for me, I didn’t understand right from the beginning why mail addresses and aliases like administrator@box.domain.com, postmaster@box.domain.com etc. are needed/created :grin:
As you said, MiaB moved away from this format, so I’d assume that if I don’t need them it should be OK not to add those records, as they are not necessary? I guess I’d only need to edit the already existing aliases, because all my admin, postmaster and abuse aliases forward to administrator@box.domain.com, which in the end forwards to my main admin address. Furthermore, I think in that case those subdomain aliases should be automatically removed, too?

From the comments on the admin page and some Google searching I understood that TLSA records provide another layer of security, so I don’t see why I shouldn’t add them. As for TLSA for IMAP and SMTP, I guess I saw those somewhere already; that’s why I was wondering why they are not used here, which I only noticed now.

But of course, it would be awesome if somebody could explain why TLSA records are not used for IMAP or SMTP, maybe @JoshData?