DNSSEC not working during quickstart #131
Comments
Is there any chance your hostname ( Otherwise, is there anything special in /etc/resolv.conf? If the nameservers are loopback IPs, their DNSSEC status should be trusted. Otherwise the trust-ad option is needed. Could you try the
You can continue with the installation. If all resolving really won't appear DNSSEC-verified to mox, then mox won't be able to verify DANE when delivering. That's similar to how most mail servers deliver, but mox wants to do better. (: So I'm curious to learn why the DNSSEC status isn't seen. |
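The rule stated in the comment above (loopback nameservers are trusted, anything else needs the trust-ad option) can be checked against the text of a resolv.conf. This is an added example, not part of the thread and not mox's own code; the function name adTrusted, the sample inputs, and treating a file without nameserver lines as the libc loopback default are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// adTrusted reports whether a resolver's DNSSEC (AD) status would be trusted
// under the rule above: every nameserver is loopback, or "options trust-ad"
// is set. It also returns the nameservers that are not loopback.
func adTrusted(resolvConf string) (trusted bool, remote []string) {
	trustAD := false
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || strings.HasPrefix(f[0], "#") || strings.HasPrefix(f[0], ";") {
			continue // blank, incomplete or comment line
		}
		switch f[0] {
		case "nameserver":
			addr, _, _ := strings.Cut(f[1], "%") // drop an IPv6 zone, if any
			if ip := net.ParseIP(addr); ip == nil || !ip.IsLoopback() {
				remote = append(remote, f[1])
			}
		case "options":
			for _, o := range f[1:] {
				if o == "trust-ad" {
					trustAD = true
				}
			}
		}
	}
	// Assumption: with no nameserver line, the libc default (127.0.0.1) applies.
	return trustAD || len(remote) == 0, remote
}

func main() {
	// Constructed sample inputs, not taken from the issue.
	for _, conf := range []string{
		"nameserver 127.0.0.1\n",
		"nameserver 1.1.1.1\n",
		"nameserver 1.1.1.1\noptions edns0 trust-ad\n",
	} {
		ok, remote := adTrusted(conf)
		fmt.Printf("trusted=%v non-loopback=%v\n", ok, remote)
	}
}
```

A passing check only covers the resolv.conf side; as the rest of the thread shows, the local resolver must itself be validating for the AD status to be set at all.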
Nope, /etc/hosts only contains this (I'm running mox in a Proxmox LXC hosted on a Hetzner dedicated server, hence the PVE section – the mail.your-server.de line doesn't have anything to do with E-mail, it's just there since the LXC is named
This is the entire /etc/resolv.conf file:
|
Interesting. What does
|
No |
We'll probably have to dive into unbound logging. Could you also try dig with the
Without requesting
I think a next step would be increasing the unbound debug log level, and checking what it is saying. I think you can increase the level several times, up to a lot of detail. Hopefully it will give a hint. |
With
|
I also tried putting
|
If you add But the problem lies with unbound. Do you have the root trust anchor file? There should be a config option |
Yeah, that was it – I didn't set up the trust anchor. First time setting up unbound for DNSSEC so I had no idea that was necessary and none of the tutorials I found made it clear, thanks so much for the help! |
by mentioning the dnssec root keys, mentioning which unbound version has EDE, giving a "dig" invocation to check for dnssec results. based on issue #131 by romner-set, thanks for reporting
Running
./mox quickstart -hostname mail.<domain>.<tld> admin@<domain>.<tld>
outputs the following warnings:
even though running
delv mail.<domain>.<tld>
returns
; fully validated
with the correct A and RRSIG records.
I'm using unbound with these settings (https://feeding.cloud.geek.nz/posts/setting-up-your-own-dnssec-aware/, plus the 2 lines suggested by mox):
I also tried setting the /etc/resolv.conf nameserver to 1.1.1.1 or 8.8.8.8 to no avail.
Will this cause issues as described in the quickstart warnings, or is it safe to ignore?