I have exactly the same problem as reported by @mveplus in the post.
I have this error message in the Admin panel - System Status Checks:
domain3.tld
- The nameservers set on this domain are incorrect. They are currently [Not Set]. Use your domain name registrar’s control panel to set the nameservers to ns1.domain.tld; ns2.box.domain.tld.
- This domain’s DNS MX record is not set. It should be ‘10 box.domain.tld’. Mail will not be delivered to this box. It may take several hours for public DNS to update after a change. This problem may result from other issues listed here.
- This domain should resolve to your box’s IP address (A 123.1.123.1) if you would like the box to serve webmail or a website on this domain. The domain currently resolves to [Not Set] in public DNS. It may take several hours for public DNS to update after a change. This problem may result from other issues listed here.
www.domain3.tld
- This domain should resolve to your box’s IP address (A 123.1.123.1) if you would like the box to serve webmail or a website on this domain. The domain currently resolves to [Not Set] in public DNS. It may take several hours for public DNS to update after a change. This problem may result from other issues listed here.
A complete reinstall with
curl -s https://mailinabox.email/setup.sh | sudo bash
did not help either; I still get the same error messages in the Admin panel and in syslog:
box named[968]: validating @0x7f9afc0008c0: domain3.tld DNSKEY: verify failed due to bad signature (keyid=41334): RRSIG has expired
box named[968]: validating @0x7f9afc0008c0: domain3.tld DNSKEY: no valid signature found (DS)
box named[968]: error (no valid RRSIG) resolving ‘domain3.tld/DNSKEY/IN’: 123.1.123.1#53
box named[968]: validating @0x7f9b10012900: domain3.tld DNSKEY: verify failed due to bad signature (keyid=41334): RRSIG has expired
Primary Hostname: box.domain.tld
Public IP Address: 123.1.123.1
Public IPv6 Address: 2a01:…
Mail-in-a-Box Version: v0.26c
Updating system packages…
Installing system packages…
Initializing system random number generator…
Firewall is active and enabled on system startup
Installing nsd (DNS server)…
Installing Postfix (SMTP server)…
Installing Dovecot (IMAP server)…
Installing OpenDKIM/OpenDMARC…
Installing SpamAssassin…
bayes: synced databases from journal in 0 seconds: 1105 unique entries (3080 total entries)
Installing Nginx (web server)…
Installing Roundcube (webmail)…
Installing Nextcloud (contacts/calendar)…
Nextcloud is already latest version
Installing Z-Push (Exchange/ActiveSync server)…
Installing Mail-in-a-Box system management daemon…
Installing Munin (system monitoring)…
updated DNS: OpenDKIM configuration
No domains hosted on this box need a new TLS certificate at this time.
If this is the only relevant NS error you can find in your logs…
It’s a DNSSEC key mismatch for this domain; for some reason the keys are not being updated. Check file and folder permissions too.
I would pull mailinabox v0.26c again from GitHub, reinstall and reboot. If this does not solve it, then you’ll have to check manually (credit: StackExchange).
On your box do:
Obtain the root keys. You can do this with dig on an unpoisoned machine:
user@box:~$ dig . DNSKEY | grep -Ev '^($|;)' > root.keys
Verify your target DNS record:
user@box:~$ dig +sigchase +trusted-key=./root.keys yourproblemdomain.tld. A | cat -n
Expected results should be:
109 ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
If not, you’ll have to dig into why this domain does not update its key and update it manually, or look at the dates when the files were last updated (all top domains should have the same dates):
# ls -lah /etc/nsd/zones/domains.txt.signed
PS You should restart nsd and bind too after any changes.
root@box:~# dig +sigchase +trusted-key=./root.keys www.domain3.tld. A | cat -n
1 ;; NO ANSWERS: no more
2 We want to prove the non-existence of a type of rdata 1 or of the zone:
3 ;; nothing in authority section : impossible to validate the non-existence : FAILED
4
5 ;; Impossible to verify the Non-existence, the NSEC RRset can’t be validated: FAILED
Thank you for pointing me to: ls -lah /etc/nsd/zones/*
I have 3 files:
-rw-r--r-- 1 root root 4116 Mar 23 08:57 domain3.tld.txt
-rw-r--r-- 1 root root 164 Mar 23 08:57 domain3.tld.ds
-rw-r--r-- 1 root root 54657 Mar 23 08:57 domain3.tld.signed
Just a thought: can I delete those 3 files, or just the one (domain3.tld.signed) for the offending domain, and hope that MIAB will offer to recreate the DNSSEC details again?
I am curious why it happened to this domain.
The reason I am interested is that on this particular domain I have a lot of devices configured to use subdomains of this domain, and they have now all been knocked off the internet …
And there is this error, so am I safe to remove the file “domain3.tld.txt.signed”
box nsd[24731]: zone domain3.tld file domain3.tld.txt.signed read with 4 errors
And hope the box will recreate DNSSEC records again?
The error vanished after I switched to my registrar’s DNS servers and back to the NS1/NS2 of my box and recreated a new KEYSET on my domain registrar’s settings page.
In my case I did not have to update manually, but if everything else is failing for you, you will have to update manually.
But I’d look into why it’s happening before I start doing manual modifications; make sure you have working backups if this is in production.
I first tried to completely delete the offending domain name, but that did not help, so I went to the “Set custom DNS records” section. I was hoping all custom DNS records would be gone, but they were still there, so I deleted all of them and suddenly everything was working again … when I added the domain name again, including DNSSEC.
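The two manual checks this thread circles around, expired RRSIGs in the signed zone (the "RRSIG has expired" lines named logs above) and whether the key tag in the box's .ds file still matches a DNSKEY in the signed zone (the KEYSET that had to be recreated at the registrar), as an added offline example. This is not Mail-in-a-Box code and not from any poster in the thread. It assumes the single-line presentation format ldns-signzone writes (owner, TTL, IN, type, rdata, optional ";{id = ...}" comment), GNU coreutils (`base64 -d`), and a constructed sample zone and DS file whose keys (tags 2059 and 2062) and signatures are placeholders. On a box, point the functions at /etc/nsd/zones/<domain>.txt.signed and /etc/nsd/zones/<domain>.ds.

```shell
#!/bin/sh
# Added example, not Mail-in-a-Box code: offline DNSSEC sanity checks for the
# two files the thread shows under /etc/nsd/zones/, <domain>.txt.signed and
# <domain>.ds.  Assumes the single-line format ldns-signzone writes
# (owner TTL IN type rdata ;optional comment).  Sample data below is constructed.

# Print "<owner> <type-covered> <expiration> <keytag>" for every RRSIG in zone
# file $1 whose expiration (YYYYMMDDHHMMSS, UTC) is earlier than $2 (default: now).
expired_rrsigs() {
    now="${2:-$(date -u +%Y%m%d%H%M%S)}"
    sed 's/;.*$//' "$1" | awk -v now="$now" '
        {
            r = 0
            for (i = 1; i <= NF; i++) if ($i == "RRSIG") { r = i; break }
            if (r < 2 || $(r - 1) != "IN") next    # RRSIG must be the RR type, not a base64 chunk
            # after RRSIG: type-covered alg labels orig-ttl expiration inception keytag signer sig
            if ($(r + 5) < now) print $1, $(r + 1), $(r + 5), $(r + 7)
        }'
}

# RFC 4034 Appendix B key tag of a DNSKEY: sum the RDATA (flags, protocol,
# algorithm, decoded public key) as big-endian 16-bit words and fold the carry.
keytag() {
    printf '%s' "$4" | base64 -d | od -An -v -tu1 |
    awk -v flags="$1" -v proto="$2" -v alg="$3" '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            ac = flags + proto * 256 + alg                      # first two 16-bit words
            for (i = 0; i < n; i++) ac += (i % 2 == 0) ? b[i] * 256 : b[i]
            ac += int(ac / 65536)
            printf "%d\n", ac % 65536
        }'
}

# Print "<owner> <flags> <keytag>" for every DNSKEY record in zone file $1
# (257 = KSK, the key the DS at the registrar must refer to; 256 = ZSK).
dnskey_keytags() {
    sed 's/;.*$//' "$1" | awk '
        {
            r = 0
            for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { r = i; break }
            if (r < 2 || $(r - 1) != "IN") next    # skips "RRSIG DNSKEY ..." lines
            key = ""
            for (i = r + 4; i <= NF; i++) key = key $i   # base64 may be split into chunks
            print $1, $(r + 1), $(r + 2), $(r + 3), key
        }' |
    while read -r owner flags proto alg key; do
        printf '%s %s %s\n' "$owner" "$flags" "$(keytag "$flags" "$proto" "$alg" "$key")"
    done
}

# Return 0 if every key tag in DS file $1 belongs to a DNSKEY in zone file $2,
# 1 if the registrar-side DS points at a key the zone no longer carries.
check_ds() {
    zone_tags=$(dnskey_keytags "$2" | awk '{ print $3 }')
    status=0
    for tag in $(sed 's/;.*$//' "$1" | awk '
            { for (i = 2; i <= NF; i++) if ($i == "DS" && $(i - 1) == "IN") print $(i + 1) }' | sort -u); do
        if printf '%s\n' "$zone_tags" | grep -qx "$tag"; then
            echo "DS $tag: matches a DNSKEY in the signed zone"
        else
            echo "DS $tag: no DNSKEY with this tag in the signed zone (stale DS at the registrar?)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: a signed zone whose SOA and DNSKEY signatures expired in
# April 2024 while the A record is still covered, plus a DS that matches the KSK.
sample_zone=$(mktemp)
sample_ds=$(mktemp)
cat > "$sample_zone" <<'EOF'
; constructed sample; the keys and signatures are placeholders, not real material
domain3.tld. 86400 IN SOA ns1.domain.tld. hostmaster.domain3.tld. 2024032300 7200 1800 1209600 86400
domain3.tld. 86400 IN RRSIG SOA 8 2 86400 20240420000000 20240323000000 2062 domain3.tld. c2lnMQ==
domain3.tld. 86400 IN DNSKEY 257 3 8 AQID ;{id = 2059 (ksk), size = 24b}
domain3.tld. 86400 IN DNSKEY 256 3 8 AQIDBA== ;{id = 2062 (zsk), size = 32b}
domain3.tld. 86400 IN RRSIG DNSKEY 8 2 86400 20240420000000 20240323000000 2059 domain3.tld. c2lnMg==
www.domain3.tld. 86400 IN A 123.1.123.1
www.domain3.tld. 86400 IN RRSIG A 8 3 86400 20991231235959 20240323000000 2062 domain3.tld. c2lnMw==
EOF
printf 'domain3.tld. IN DS 2059 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n' > "$sample_ds"

echo "expired RRSIGs:";  expired_rrsigs "$sample_zone"
echo "DNSKEY key tags:"; dnskey_keytags "$sample_zone"
check_ds "$sample_ds" "$sample_zone"
```

If check_ds fails, the registrar is publishing a DS for a key that is no longer in the signed zone, which is the situation the KEYSET re-creation above fixed; if expired_rrsigs lists records, the zone on disk was never re-signed, so re-running the signing and restarting nsd comes before any manual key surgery. The key tags are computed from the key material rather than trusted from the ";{id = ...}" comment, so a zone whose comment and key have drifted apart is caught too.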
SIMILAR PROBLEM SOLVED: Leaving a note as I started having DNSSEC issues after moving from Google Domains to Porkbun a while back and decided to turn DNSSEC back on and had problems with the trust chain.
This is a MIAB instance that’s been running for 5+ years and the below fixed the problem:
sudo ./mailinabox/tools/dns_update --force
then
sudo mailinabox
As custom records sometimes seem to get stuck or left behind when a domain is removed, I also manually deleted a handful of custom DNS records for the key domain and re-added them after the above update.