There are already some threads about this topic, but I think my problem is different than the ones in the other threads.
After updating to version 0.54 I got the warning that the DNSSEC algorithm should be updated to ECDSAP256SHA25. At my DNS registrar (gandi.net) this was fairly straightforward and worked well.
Only problem: now I had two DNSSEC keys. Because the warning did not go away after some time I deleted the old DNSSEC key (this is where I might have messed up). I think the old key was some version of SHA-1.
It seems that everything is still working (I can receive/send emails and access the box via the domain), but the status page is full of errors:
The DNSSEC “DS” record for $DOMAIN is incorrect…
Nameserver glue records are incorrect…
This domain must resolve to your box’s IP address $ADDRESS …
Your box’s reverse DNS is currently $DOMAIN (IPv4) and [timeout] (IPv6), but it should be…
? The DANE TLSA record for incoming mail is not set. This is optional.
This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server…
The nameservers set on this domain are incorrect. They are currently [Not Set].
…
Now these errors seem pretty serious, but at the same time everything seems to be still working.
So my questions are:
Is the problem that I deleted the old DNSSEC entry (too early)? If so, can I fix this somehow?
Or is it not related to the deletion of the old DNSSEC entry and I somehow did not set up the new DNSSEC entry correctly?
I think most of the error messages stem from the DNSSEC issue. Quite a few of the errors have the information: “This problem may result from other issues listed here.”
The IPv4/IPv6 reverse DNS issue is most certainly because I can’t set reverse DNS for IPv6 with my cloud provider (Scaleway).
No, I just use it out of the box without any changes. Domain registered with Gandi and VPS on Scaleway.
When using sudo on the VPS I also get: “This problem may result from other issues listed here.” Not sure if that is related.
I tried that; unfortunately it did not change anything.
Is there a way to fix this without reinstalling MIAB on the VPS?
Also, I remember that after upgrading I just had the warning about using a different DNSSEC algorithm. And once I set that up with the Domain registrar as described above, I got all of these warnings, so I am quite certain that it is the DNSSEC causing the issues.
only returns the IP address, I guess this means DNSSEC is not set at all?
So either it takes more than 2 days for Gandi to propagate the DNSSEC information or the DNSSEC key is incorrect? It could of course be a Gandi-internal problem.
That returns just my IP address. Edit: did not see the ds. With ds it returns nothing.
That returns a whole bunch of stuff. If I grep for “DNSSEC” I get: DNSSEC: signedDelegation
But I think I might have found the problem…
It seems I copied more than just the public key in the public key field for DNSSEC at the domain registrar. I’ll try to correctly recreate the key and hopefully that fixes it.
Thanks for your help! I’ll keep you updated if that was the problem.
It fixed it! Thanks a lot for the help! Next time I’ll be more careful when copying/pasting…
I did not think that this DNSSEC information would propagate so fast.
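The root cause in this thread was extra text pasted into the registrar's public-key field, which produces a DS record that does not match the box's DNSKEY. The added example below (not code from the thread or from Mail-in-a-Box) computes the DS record a registrar should publish for a DNSKEY (RFC 4034 key tag, SHA-256 digest type 2) and rejects a pasted field that contains anything other than the base64 key; the key material and names are constructed dummies.

```python
import base64
import binascii
import hashlib
import struct


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def public_key_bytes(field: str) -> bytes:
    """Decode the registrar's public-key field strictly.

    Whitespace from line wrapping is tolerated; anything else pasted along
    (owner name, TTL, flags, 'IN DNSKEY') raises binascii.Error instead of
    being silently dropped, which is what the default lenient decoder does."""
    compact = "".join(field.split())
    return base64.b64decode(compact, validate=True)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(name: str, flags: int, protocol: int, algorithm: int, pubkey_field: str) -> str:
    """DS RDATA (digest type 2 = SHA-256) that the parent zone must carry for this DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key_bytes(pubkey_field)
    digest = hashlib.sha256(canonical_name(name) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def field_is_clean(pubkey_field: str) -> bool:
    """True if the pasted field holds only the base64 key (plus harmless whitespace)."""
    try:
        public_key_bytes(pubkey_field)
        return True
    except binascii.Error:
        return False


# Constructed samples: a 4-byte dummy key, not a real ECDSAP256SHA256 key.
GOOD_FIELD = "AQIDBA=="
BAD_FIELD = "example.com. IN DNSKEY 257 3 13 AQIDBA=="  # whole record pasted into the key field

if __name__ == "__main__":
    print("clean field:", field_is_clean(GOOD_FIELD), ds_record("example.com", 257, 3, 13, GOOD_FIELD))
    print("bad field:", field_is_clean(BAD_FIELD))
```

Compare the printed DS against `dig +short DS example.com` at the parent; any mismatch in tag, algorithm or digest reproduces the "DS record is incorrect" status shown above.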