Error messages after setting up ECDSAP256SHA256 DNSSEC

Hi everyone,

there are already some threads about this topic, but I think my problem is different than the ones in the other threads.

After updating to version 0.54 I got the warning that the DNSSEC algorithm should be updated to ECDSAP256SHA256. At my DNS registrar (gandi.net) this was fairly straightforward and worked well.

Only problem: now I had two DNSSEC keys. Because the warning did not go away after some time I deleted the old DNSSEC key (this is where I might have messed up). I think the old key was some version of SHA-1.

It seems that everything is still working (I can receive/send emails and access the box via the domain), but the status page is full of errors:

  • ✗ The DNSSEC ‘DS’ record for $DOMAIN is incorrect…
  • ✗ Nameserver glue records are incorrect…
  • ✗ This domain must resolve to your box’s IP address $ADDRESS …
  • ✗ Your box’s reverse DNS is currently $DOMAIN (IPv4) and [timeout] (IPv6), but it should be…
  • ? The DANE TLSA record for incoming mail is not set. This is optional.
  • This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server…
  • ✗ The nameservers set on this domain are incorrect. They are currently [Not Set].

Now these errors seem pretty serious, but at the same time everything seems to be still working.

So my questions are:

  • Is the problem that I deleted the old DNSSEC entry (too early)? If so can I fix this somehow?
  • Or is it not related to the deletion of the old DNSSEC entry, and I somehow did not set up the new DNSSEC entry correctly?

I’m not sure how these problems could be related to changing a DNSSEC record.

Do you have any modifications to MiaB?


I do not know if any of these will fix your problem, but these fix problems for me:

Log out of MiaB, then log back in.
Run sudo mailinabox

This is assuming the server packages have been updated, I use apt and haven’t had issues.

If DNSSEC is set up incorrectly, all DNS will fail as the chain of trust will not exist between the registrar and the MiaB box.


Would MiaB see the glue records or nameservers correctly?

Seems possible since they are published by the registry (in addition to the box).

Hi all, thanks for your fast replies!

I think most of the error messages stem from the DNSSEC issue. Quite a few of the errors have the information: “This problem may result from other issues listed here.”

The IPv4/IPv6 reverse DNS issue is most certainly because I can’t set reverse DNS for IPv6 with my cloud provider (Scaleway).

No, I just use it out of the box without any changes. Domain registered with Gandi and VPS on Scaleway.

When using sudo on the VPS I also get: “This problem may result from other issues listed here.” Not sure if that is related.

I tried that; unfortunately it did not change anything.

Is there a way to fix this without reinstalling MiaB on the VPS?

Also, I remember that after upgrading I just had the warning about using a different DNSSEC algorithm. And once I set that up with the Domain registrar as described above, I got all of these warnings, so I am quite certain that it is the DNSSEC causing the issues.

Do all of the records at the registrar match what MiaB is expecting, as verified by some external to MiaB tool?

$ dig +dnssec +short $DOMAIN

only returns the IP address, I guess this means DNSSEC is not set at all?

So either it takes more than 2 days for Gandi to propagate the DNSSEC information, or the DNSSEC key is incorrect? It could of course be a Gandi internal problem.

From the Gandi dashboard it all looks good…

How about just dig ds example.com +short?

Also whois example.com?

You could also try https://dnsviz.net to see what that tells you.

That returns just my IP address. Edit: did not see the ds. With ds it returns nothing.

That returns a whole bunch of stuff. If I grep for “DNSSEC” I get: DNSSEC: signedDelegation

But I think I might have found the problem… :slight_smile:

It seems I copied more than just the public key in the public key field for DNSSEC at the domain registrar. I’ll try to correctly recreate the key and hopefully that fixes it.

Thanks for your help! I’ll keep you updated if that was the problem.
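The checks suggested earlier in the thread (look up the DS that the registry actually serves with dig ds / whois) and the cause found in the post above (more than the bare public key pasted into the registrar's key field) can be reproduced offline with the script below. It is an added example written for this thread, not code from Mail-in-a-Box or from anyone posting here. It recomputes the DS record from a DNSKEY exactly as RFC 4034 specifies (SHA-256 digest over the owner name plus DNSKEY RDATA, key tag per Appendix B) and compares it with a DS line as printed by `dig ds example.com +short`. The owner name example.com, the 64-byte key material and all function names are constructed for illustration.

```python
"""Recompute a DNSSEC DS record from a DNSKEY and compare it with the DS that
the registry publishes (what `dig ds example.com +short` or whois shows).

Added example for this thread, not Mail-in-a-Box code. Implements the DS
digest from RFC 4034 section 5.1.4 and the key tag from RFC 4034 Appendix B
using only the standard library. All key material below is constructed.
"""
import base64
import binascii
import hashlib

ECDSAP256SHA256 = 13  # DNSKEY algorithm number (RFC 6605)
DIGEST_SHA256 = 2     # DS digest type (RFC 4509)


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B) for every algorithm except RSA/MD5."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """The DS the box expects: (key_tag, algorithm, digest_type, digest_hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, DIGEST_SHA256, digest


def decode_pubkey_field(text: str, algorithm: int) -> bytes:
    """Pre-flight check for the value pasted into the registrar's key field.

    Strict base64 rejects stray tokens (e.g. a pasted '257 3 13' prefix); for
    ECDSAP256SHA256 the key must be exactly the 64-byte uncompressed point.
    """
    try:
        key = base64.b64decode(text.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key field is not plain base64 ({exc})") from exc
    if algorithm == ECDSAP256SHA256 and len(key) != 64:
        raise ValueError(f"ECDSAP256SHA256 key must be 64 bytes, got {len(key)}")
    return key


def parse_ds(line: str):
    """Parse one line of `dig ds <zone> +short`: '<tag> <alg> <dtype> <hex...>'."""
    tag, alg, dtype, *digest = line.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()


def ds_matches(published, expected) -> bool:
    """Compare the DS served by the registry with the one computed locally."""
    return published[:3] == expected[:3] and published[3].upper() == expected[3].upper()


def verify_published_ds(owner: str, box_key_b64: str, flags: int, algorithm: int, published):
    """Whole check: decode the box's key, recompute its DS, compare with the registry."""
    try:
        key = decode_pubkey_field(box_key_b64, algorithm)
    except ValueError as exc:
        return False, f"key field rejected: {exc}"
    expected = ds_from_dnskey(owner, flags, 3, algorithm, key)
    if published is None:
        return False, "registry publishes no DS yet (dig ds returned nothing)"
    if not ds_matches(published, expected):
        return False, f"DS mismatch: registry tag {published[0]}, box expects tag {expected[0]}"
    return True, f"DS ok: tag {expected[0]} alg {algorithm} digest type {DIGEST_SHA256}"


# Constructed, not a real key: 64 bytes standing in for a P-256 public point.
SAMPLE_KEY = bytes(range(64))
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY).decode("ascii")
WRONG_KEY = bytes(64)  # what the registry ends up with after a bad paste

if __name__ == "__main__":
    owner = "example.com."
    good_ds = ds_from_dnskey(owner, 257, 3, ECDSAP256SHA256, SAMPLE_KEY)
    bad_ds = ds_from_dnskey(owner, 257, 3, ECDSAP256SHA256, WRONG_KEY)
    print(verify_published_ds(owner, SAMPLE_KEY_B64, 257, ECDSAP256SHA256, good_ds))
    print(verify_published_ds(owner, SAMPLE_KEY_B64, 257, ECDSAP256SHA256, bad_ds))
    print(verify_published_ds(owner, SAMPLE_KEY_B64, 257, ECDSAP256SHA256, None))
    # The mistake from this thread: more than the key pasted into the key field.
    print(verify_published_ds(owner, "257 3 13 " + SAMPLE_KEY_B64, 257, ECDSAP256SHA256, good_ds))
```

In practice you would feed `parse_ds()` the line that `dig ds yourdomain +short` prints and `verify_published_ds()` the public key string from the DNSKEY shown in the MiaB admin page (flags 257 for the KSK, algorithm 13); a mismatching key tag immediately tells you that the registrar derived its DS from something other than the key the box serves, which is exactly what a copy/paste with extra characters produces.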

The WHOIS query also returns the DS records. If I understand DS records correctly, they are served by the registry.

Yes, the purpose of this is to verify the data entered and other related issues by figuring out what is being served by the registrar/registry.

It fixed it! Thanks a lot for the help! Next time I’ll be more careful when copying/pasting…
I did not think that this DNSSEC information would propagate so fast.


Closed and moved unresolved issue for different user @danp to its own topic.