MIAB reporting The nameservers set on this domain are incorrect. They are currently [Not Set]

Help! I have a crisis situation with a substantial client! According to MIAB status checks, I’m showing this status message:

✖ The nameservers set on this domain are incorrect. They are currently [Not Set]. Use your domain name registrar’s control panel to set the nameservers to ns1.emmons.uniquelyyoursmail.com; ns31.cloudns.net; ns32.cloudns.net; ns33.cloudns.net; ns34.cloudns.net; pns31.cloudns.net; pns32.cloudns.net; pns33.cloudns.net; pns34.cloudns.net.

However, at the Registrar (NetEarthOne), the Name Servers show:

Name Servers ns1.emmons.uniquelyyoursmail.com ns31.cloudns.net ns32.cloudns.net ns33.cloudns.net ns34.cloudns.net pns31.cloudns.net pns32.cloudns.net pns33.cloudns.net pns34.cloudns.net

Whatsmydns.net and dnschecker.org are showing multiple failures and the client’s users are reporting being unable to access the site. Any suggestions to help me troubleshoot this would be GREATLY appreciated!!!

Please turn off the DNSSEC DS record at the registrar before making any changes. Check after propagation if everything is OK and then turn it on again.

I had this same issue and this fixed it for a domain registered at GoDaddy.
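Added example (not part of the thread or of Mail-in-a-Box): a check to run before turning the DS record back on, confirming that the DS held at the registrar still matches a DNSKEY the zone serves, since a validating resolver rejects answers when it does not. The zone name `example.com` and both keys are constructed sample values; real DNSKEY fields would come from `dig DNSKEY` output.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, as RFC 4034 requires."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(zone: str, rdata: bytes) -> tuple:
    """DS fields for a DNSKEY: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches_any(zone: str, ds: tuple, dnskeys: list) -> bool:
    """True if the parent-side DS refers to one of the DNSKEYs the zone serves."""
    if ds[2] != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled in this example")
    return any(make_ds(zone, rdata) == ds for rdata in dnskeys)

# Constructed sample data: two ECDSA P-256 sized keys (algorithm 13, KSK flags 257).
ZONE = "example.com"
OLD_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
DS_AT_REGISTRAR = make_ds(ZONE, OLD_KEY)  # DS that was filed for the old key

if __name__ == "__main__":
    for label, served in (("old key served", [OLD_KEY]), ("new key served", [NEW_KEY])):
        ok = ds_matches_any(ZONE, DS_AT_REGISTRAR, served)
        print(f"{label}: DS {'matches' if ok else 'does NOT match, validation fails'}")
```
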

To add a follow-up question, will having DNSSEC turned off affect deliverability of mail for that domain? What are the ramifications of not having a DS record set for the domain?

Thanks and apologies for adding a question onto this question.

DNSSEC was invented a long time ago as a way to ensure DNS queries were not answered with forged information, e.g. a man-in-the-middle attack. So for example your local ISP couldn’t redirect your domain name to a different server. But it only works if the whole chain from client to server all support it (your laptop, your ISP, any intermediate DNS servers, and your Mail-in-a-Box), and DNSSEC has had very low adoption since it was invented. Almost no one is using it client-side. So, in general, it does nothing. It may be worthwhile in special circumstances, but it probably provides little overall security. Leaders in security generally recommend other methods like “DNS over HTTP”.

Adding it to Mail-in-a-Box was probably a mistake. It was a bet that we’d have the latest mail features implemented that didn’t pan out.


@JoshData Thanks for that information. I will probably deactivate DNSSEC for all the clients currently on my mail server over time.

I know DANE (which depends on DNSSEC) doesn’t have much traction, but would this help? Announcing Public Preview of Inbound SMTP DANE with DNSSEC for Exchange Online - Microsoft Community Hub
I think Gmail doesn’t support DANE, but maybe this will help improve things?

Well that’s a surprise. Maybe we were ahead of the game after all!
