Everything works, but two tests

NicolasJ 2017-05-19 07:05:06 UTC #1

I've setup my MiaB for two domains and everything works so far, but the system status check returns errors that seems to not exist.

I got two errors, one about the ipv6 and one about dnssec.

ipv6 resolution test fails

Domain is many.be, system status check returns:

This domain should resolve to your box's IP address (AAAA 2001:41d0:0008:bd48:0000:0000:0000:0001) if you would like the box to serve webmail or a website on this domain. The domain currently resolves to 2001:41d0:8:bd48::1 in public DNS. It may take several hours for public DNS to update after a change. This problem may result from other issues listed here.

and dig aaaa returns:

dig AAAA many.be

; <<>> DiG 9.10.3-P4-Ubuntu <<>> AAAA many.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;many.be. IN AAAA

;; ANSWER SECTION:
many.be. 1800 IN AAAA 2001:41d0:8:bd48::1

;; AUTHORITY SECTION:
many.be. 59 IN NS main.jungers.net.
many.be. 59 IN NS ns1.mail.many.be.
many.be. 59 IN NS back.jungers.net.

;; ADDITIONAL SECTION:
ns1.mail.many.be. 59 IN A 5.135.182.72
ns1.mail.many.be. 59 IN AAAA 2001:41d0:8:bd48::1
back.jungers.net. 1621 IN A 65.254.53.51
main.jungers.net. 1621 IN A 95.46.199.31

;; Query time: 107 msec
;; SERVER: 192.168.0.9#53(192.168.0.9)
;; WHEN: Fri May 19 08:54:40 CEST 2017
;; MSG SIZE rcvd: 212

DNSSEC record is incorrect

Same thing, domain is many.be, system status check returns:

The DNSSEC 'DS' record for many.be is incorrect. See further details below.

and

This domain's DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine's DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately by following the instructions provided by your domain name registrar and provide to them this information:
Key Tag: 41710
Key Flags: KSK
Algorithm: 8 / RSASHA256
Digest Type: 2 / SHA-256
Digest: 37b1d8d42b8f2a3985dcd7aeb8a2e65dd455916f67ab6dc19fcf7b4d9355c4d7
Public Key:
AwEAAae8mv9XVrzUL0wDguQ3csfcdC+Qmh3gvNITspA2bSjy6e9gzf0V87yzTTbHHjE75noYChlrKtqwZVjNulbO/KBSot66NxLA29dlYJKXjRX3sHmKvMgx8JJ0OcNZXhAONqrtlnCNAP4L2nEDvsLTdvl/ZCnjQ1Ge+f71cBvjGukwh9aov6isoBNBfBivPIxs96EWCCtF6TXYYv6Xy0qr3OVQvXZiHzUKb6csaLUAQkXZynLbD+KzF6b+rXqwkZjitK7LtzSdSuEVAu/JeSbZq7HOhVVqAFeyowHTT8knifH2fI5wMcEY3McqsdFHVR9X9wOlsed631ZafkcuIpOB1Z8=
Bulk/Record Format:
many.be. 3600 IN DS 41710 8 2 37b1d8d42b8f2a3985dcd7aeb8a2e65dd455916f67ab6dc19fcf7b4d9355c4d7

But the test @ http://viewdns.info/dnssec/?domain=many.be shows that everything is fine.

Regards,
Nicolas

Ramentu 2017-05-19 08:48:48 UTC #2

For .be , it is "normal" : there is an incompatibility with all .be domain and DNSSEC, at least as implemented by mailinabox. I have the same warning.
Afaik,
.be use the algorythm 8 / RSASHA256
Mailinabox want/expect 7 - RSASHA1-NSEC3-SHA1

JoshData 2017-05-21 23:58:32 UTC #3

Usually the registrar allows several options. At some point in the past it was probably reported that .be domains only supported RSASHA1-NSEC3-SHA1 so I probably limited it to that. It might need to be changed now.

Ramentu 2017-05-22 06:06:06 UTC #4

More info :

https://www.dnsbelgium.be/sites/default/files/generated/files/documents/Registration_guidelines_v15_2-Part_1-general_6.pdf

• Algorithm: DNS Belgium supports 4 algorithms to generate keys: (8) RSA-SHA256, (10) RSA-SHA512, (13)
ECDSA Curve P-256 with SHA-256 and (14) ECDSA Curve P-384 with SHA-384.

I have no idea why they don't accept the "7" used by almost anyone else. (I have an alldom package for that domain with .com, .net, .org, .eu and a bunch of other, and only .be refuse to use algorithm "7".)
I have absolutely no idea which one is the most secure, to be honest, if any.
The .be domain is just a placeholder, so I don't know if mailinabox status problem translate into a real problem. I am willing to run tests if someone tell me what to do

JoshData 2017-05-23 11:52:19 UTC #5

I think 7 / RSASHA1-NSEC3-SHA1 (I guess) is old and .be has moved past it to newer algorithms.

NicolasJ 2017-05-24 05:21:12 UTC #6

And what about the ipv6 test where 2001:41d0:8:bd48::1 is not equal to 2001:41d0:0008:bd48:0000:0000:0000:0001?

The test works for the first domain but not for the others. Do I have to put each domain on its own ipv6? It's a bit tedious but doable. If it's the case, shouldn't it be documented somewhere?