DNSSEC not working during quickstart #131

Closed
romner-set opened this issue Feb 15, 2024 · 9 comments

Comments

@romner-set

Running ./mox quickstart -hostname mail.<domain>.<tld> admin@<domain>.<tld> outputs the following warnings:

WARNING: It looks like the DNS resolvers configured on your system do not
verify DNSSEC, or aren't trusted (by having loopback IPs or through "options
trust-ad" in /etc/resolv.conf).  Without DNSSEC, outbound delivery with SMTP
used unprotected MX records, and SMTP STARTTLS connections cannot verify the TLS
certificate with DANE (based on a public key in DNS), and will fallback to
either MTA-STS for verification, or use "opportunistic TLS" with no certificate
verification.

Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver,
and enable support for "extended dns errors" (EDE):

cat <<EOF >/etc/unbound/unbound.conf.d/ede.conf
server:
    ede: yes
    val-log-level: 2
EOF

Looking up IPs for hostname mail.<domain>.<tld>...

NOTE: It looks like the DNS records of your domain (zone) are not DNSSEC-signed.
Mail servers that send email to your domain, or receive email from your domain,
cannot verify that the MX/SPF/DKIM/DMARC/MTA-STS records they receive are
authentic. DANE, for authenticated delivery without relying on a pool of
certificate authorities, requires DNSSEC, so will not be configured at this
time.
Recommended action: Continue now, but consider enabling DNSSEC for your domain
later at your DNS operator, and adding DANE records for protecting incoming
messages over SMTP.

even though running delv mail.<domain>.<tld> returns ; fully validated with the correct A and RRSIG records.

I'm using unbound with these settings (https://feeding.cloud.geek.nz/posts/setting-up-your-own-dnssec-aware/, plus the 2 lines suggested by mox):

root@mail ~# ll /etc/unbound/
total 25K    
-rw-r--r--    1 root     root         991 Feb 15 13:13 unbound.conf
-rw-------    1 root     root        2.4K Feb 15 13:10 unbound_control.key
-rw-r-----    1 root     root        1.5K Feb 15 13:10 unbound_control.pem
-rw-------    1 root     root        2.4K Feb 15 13:10 unbound_server.key
-rw-r-----    1 root     root        1.5K Feb 15 13:10 unbound_server.pem
root@mail ~# cat /etc/unbound/unbound.conf
server:
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: no
    use-caps-for-id: no
    hide-identity: yes
    hide-version: yes
    private-address: 10.0.0.0/8
    private-address: 100.64.0.0/10
    private-address: 127.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fc00::/7
    private-address: fe80::/10
    private-address: ::ffff:0:0/96
    module-config: "validator iterator"
    prefetch: yes
    prefetch-key: yes
    msg-cache-size: 128k
    msg-cache-slabs: 2
    rrset-cache-size: 8m
    rrset-cache-slabs: 2
    key-cache-size: 32m
    key-cache-slabs: 2
    cache-min-ttl: 3600
    num-threads: 2
    interface: 127.0.0.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.1/32 allow
    ede: yes
    val-log-level: 2
root@mail ~# ss -tnlp
State      Recv-Q     Send-Q         Local Address:Port           Peer Address:Port     Process                                
LISTEN     0          256                127.0.0.1:53                  0.0.0.0:*         users:(("unbound",pid=2443,fd=6))     
LISTEN     0          256                127.0.0.1:53                  0.0.0.0:*         users:(("unbound",pid=2443,fd=4))
root@mail ~# cat /etc/resolv.conf
nameserver 127.0.0.1

I also tried setting the /etc/resolv.conf nameserver to 1.1.1.1 or 8.8.8.8 to no avail.

Will this cause issues as described in the quickstart warnings, or is it safe to ignore?

@mjl-
Owner

mjl- commented Feb 15, 2024

Is there any chance your hostname (mail.<domain>) is in /etc/hosts? That would get preference over querying over DNS, and /etc/hosts is not DNSSEC-protected.

Otherwise, is there anything special in /etc/resolv.conf? If the nameservers are loopback IPs, their DNSSEC status should be trusted. Otherwise the trust-ad option is needed.

Could you try the mox dns lookup command on various domains? Those use the DNS config as mox will do all its resolving. Examples:

$ mox dns lookup mx google.com
mx records (1, without dnssec):
- smtp.google.com., preference 10

$ mox dns lookup mx ueber.net
mx records (1, with dnssec):
- mail.axillis.nl., preference 10

> Will this cause issues as described in the quickstart warnings, or is it safe to ignore?

You can continue with the installation. If all resolving really won't appear DNSSEC-verified to mox, then mox won't be able to verify DANE when delivering. That's similar to how most mail servers deliver, but mox wants to do better. (:

So I'm curious to learn why the DNSSEC status isn't seen.

@romner-set
Author

> Is there any chance your hostname (mail.<domain>) is in /etc/hosts? That would get preference over querying over DNS, and /etc/hosts is not DNSSEC-protected.

Nope, /etc/hosts only contains this (I'm running mox in a Proxmox LXC hosted on a Hetzner dedicated server, hence the PVE section – the mail.your-server.de line doesn't have anything to do with E-mail, it's just there since the LXC is named mail):

127.0.0.1	localhost localhost.localdomain
::1		localhost localhost.localdomain
# --- BEGIN PVE ---
10.0.0.103 mail.your-server.de mail
# --- END PVE ---

> Otherwise, is there anything special in /etc/resolv.conf? If the nameservers are loopback IPs, their DNSSEC status should be trusted. Otherwise the trust-ad option is needed.

This is the entire /etc/resolv.conf file:

nameserver 127.0.0.1

> Could you try the mox dns lookup command on various domains? Those use the DNS config as mox will do all its resolving. Examples:
>
> $ mox dns lookup mx google.com
> mx records (1, without dnssec):
> - smtp.google.com., preference 10
>
> $ mox dns lookup mx ueber.net
> mx records (1, with dnssec):
> - mail.axillis.nl., preference 10

root@mail /data# ./mox dns lookup mx google.com
mx records (1, without dnssec):
- smtp.google.com., preference 10
root@mail /data# ./mox dns lookup mx ueber.net
mx records (1, without dnssec):
- mail.axillis.nl., preference 10
root@mail /data# ./mox dns lookup mx dnssec.cz
mx records (2, without dnssec):
- mail.nic.cz., preference 10
- mx.nic.cz., preference 15
root@mail /data# ./mox dns lookup mx <domain>
mx records (1, without dnssec):
- mail.<domain>., preference 10

@mjl-
Owner

mjl- commented Feb 15, 2024

Interesting. What does dig dnssec.cz mx output? For me the following. Important that it says SERVER: 127.0.0.1#53(127.0.0.1) and ad (authentic data) in flags: qr rd ra ad:

$ dig dnssec.cz mx

; <<>> DiG 9.19.19-1-Debian <<>> dnssec.cz mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42924
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz.                     IN      MX

;; ANSWER SECTION:
dnssec.cz.              1793    IN      MX      10 mail.nic.cz.
dnssec.cz.              1793    IN      MX      15 mx.nic.cz.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 15:28:49 CET 2024
;; MSG SIZE  rcvd: 82

@romner-set
Author

root@mail /data# dig dnssec.cz mx

; <<>> DiG 9.18.24 <<>> dnssec.cz mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46093
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz.			IN	MX

;; ANSWER SECTION:
dnssec.cz.		3600	IN	MX	15 mx.nic.cz.
dnssec.cz.		3600	IN	MX	10 mail.nic.cz.

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 14:32:43 UTC 2024
;; MSG SIZE  rcvd: 82

No ad it seems, any idea what could be causing this?

@mjl-
Owner

mjl- commented Feb 15, 2024

We'll probably have to dive into unbound logging.

Could you also try dig with the +qr flag? It prints the request. For me that includes ad (request validation), perhaps it is off for your dig.

$ dig mx dnssec.cz +qr

; <<>> DiG 9.19.19-1-Debian <<>> mx dnssec.cz +qr
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5578
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 59a7d2969fd9e0d3
;; QUESTION SECTION:
;dnssec.cz.                     IN      MX

;; QUERY SIZE: 50

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5578
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz.                     IN      MX

;; ANSWER SECTION:
dnssec.cz.              1235    IN      MX      10 mail.nic.cz.
dnssec.cz.              1235    IN      MX      15 mx.nic.cz.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 15:38:07 CET 2024
;; MSG SIZE  rcvd: 82

Without requesting ad:

$ dig mx dnssec.cz +qr +noad

; <<>> DiG 9.19.19-1-Debian <<>> mx dnssec.cz +qr +noad
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37781
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2f3701e91b4b0f31
;; QUESTION SECTION:
;dnssec.cz.                     IN      MX

;; QUERY SIZE: 50

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37781
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz.                     IN      MX

;; ANSWER SECTION:
dnssec.cz.              1220    IN      MX      10 mail.nic.cz.
dnssec.cz.              1220    IN      MX      15 mx.nic.cz.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 15:38:22 CET 2024
;; MSG SIZE  rcvd: 82

I think a next step would be increasing the unbound debug log level, and checking what it is saying. I think you can increase the level several times, up to a lot of detail. Hopefully it will give a hint.

@romner-set
Author

root@mail /data# dig dnssec.cz mx +qr

; <<>> DiG 9.18.24 <<>> dnssec.cz mx +qr
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31157
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 71346dfa9c104f56
;; QUESTION SECTION:
;dnssec.cz.			IN	MX

;; QUERY SIZE: 50

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31157
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz.			IN	MX

;; ANSWER SECTION:
dnssec.cz.		3600	IN	MX	10 mail.nic.cz.
dnssec.cz.		3600	IN	MX	15 mx.nic.cz.

;; Query time: 92 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 14:43:02 UTC 2024
;; MSG SIZE  rcvd: 82

With val-log-level: 5, use-syslog: no and log-queries: yes in the unbound config:

root@mail /data# unbound -d -vvvvv # startup/shutdown only
[1708008705] unbound[4908:0] notice: Start of unbound 1.19.1.
[1708008705] unbound[4908:0] debug: increased limit(open files) from 1024 to 8266
[1708008705] unbound[4908:0] debug: creating udp4 socket 127.0.0.1 53
[1708008705] unbound[4908:0] debug: creating tcp4 socket 127.0.0.1 53
[1708008705] unbound[4908:0] debug: creating udp4 socket 127.0.0.1 53
[1708008705] unbound[4908:0] debug: creating tcp4 socket 127.0.0.1 53
[1708008705] unbound[4908:0] debug: drop user privileges, run as unbound
[1708008705] unbound[4908:0] debug: switching log to stderr
[1708008705] unbound[4908:0] debug: module config: "validator iterator"
[1708008705] unbound[4908:0] notice: init module 0: validator
[1708008705] unbound[4908:0] debug: validator nsec3cfg keysz 1024 mxiter 150
[1708008705] unbound[4908:0] debug: validator nsec3cfg keysz 2048 mxiter 150
[1708008705] unbound[4908:0] debug: validator nsec3cfg keysz 4096 mxiter 150
[1708008705] unbound[4908:0] notice: init module 1: iterator
[1708008705] unbound[4908:0] debug: target fetch policy for level 0 is 3
[1708008705] unbound[4908:0] debug: target fetch policy for level 1 is 2
[1708008705] unbound[4908:0] debug: target fetch policy for level 2 is 1
[1708008705] unbound[4908:0] debug: target fetch policy for level 3 is 0
[1708008705] unbound[4908:0] debug: target fetch policy for level 4 is 0
[1708008705] unbound[4908:0] debug: donotq: 127.0.0.0/8
[1708008705] unbound[4908:0] debug: donotq: ::1
[1708008705] unbound[4908:0] debug: total of 59446 outgoing ports available
[1708008705] unbound[4908:0] debug: start threads
[1708008705] unbound[4908:0] debug: Thread stack size set to 2097152
[1708008705] unbound[4908:0] debug: libevent 2.1.12-stable uses epoll method.
[1708008705] unbound[4908:1] debug: libevent 2.1.12-stable uses epoll method.
[1708008705] unbound[4908:1] debug: no config, using builtin root hints.
[1708008705] unbound[4908:1] debug: cache memory msg=33064 rrset=33064 infra=7904 val=33344
[1708008705] unbound[4908:0] debug: no config, using builtin root hints.
[1708008705] unbound[4908:0] debug: cache memory msg=33064 rrset=33064 infra=7904 val=33344
[1708008705] unbound[4908:0] info: start of service (unbound 1.19.1).
<Ctrl-C>
[1708008815] unbound[4908:0] info: service stopped (unbound 1.19.1).
[1708008815] unbound[4908:0] debug: stop threads
[1708008815] unbound[4908:0] debug: join 1
[1708008815] unbound[4908:1] debug: got control cmd quit
[1708008815] unbound[4908:0] debug: join success 1
[1708008815] unbound[4908:0] debug: cleanup.
[1708008815] unbound[4908:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1708008815] unbound[4908:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
[1708008815] unbound[4908:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1708008815] unbound[4908:0] debug: cache memory msg=33064 rrset=33064 infra=7904 val=33344
[1708008815] unbound[4908:0] debug: comm_point_close of 3: event_del
[1708008815] unbound[4908:0] debug: comm_point_close of 4: event_del
[1708008815] unbound[4908:0] debug: comm_point_close of 7: event_del
[1708008815] unbound[4908:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1708008815] unbound[4908:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
[1708008815] unbound[4908:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1708008815] unbound[4908:0] debug: cache memory msg=33064 rrset=33064 infra=7904 val=33344
[1708008815] unbound[4908:0] debug: comm_point_close of 5: event_del
[1708008815] unbound[4908:0] debug: comm_point_close of 6: event_del
[1708008815] unbound[4908:0] debug: comm_point_close of 9: event_del
[1708008815] unbound[4908:0] debug: Exit cleanup.
[1708008815] unbound[4908:0] debug: switching log to stderr
root@mail /data# unbound -d -v # dns query
<...logs before query>
[1708008568] unbound[4873:1] info: 127.0.0.1 dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: resolving dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: response for dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: reply from <.> 192.5.5.241#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving cz. DNSKEY IN
[1708008568] unbound[4873:1] info: resolving cz. NS IN
[1708008568] unbound[4873:1] info: response for dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving sld3.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving dnssec.cz. DNSKEY IN
[1708008568] unbound[4873:1] info: resolving sld3.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving sld1.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving dnssec.cz. NS IN
[1708008568] unbound[4873:1] info: resolving sld1.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: response for cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <.> 192.5.5.241#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:500:1::53#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <.> 198.97.190.53#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for cz. NS IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:7fe::53#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving b.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving c.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving c.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving d.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving b.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving a.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: response for cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <.> 192.33.4.12#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <.> 199.7.91.13#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for dnssec.cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:7fd::1#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for dnssec.cz. NS IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:500:a8::e#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving cz. DNSKEY IN
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.12.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.13.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.13.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.13.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for dnssec.cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for dnssec.cz. NS IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.12.1#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for cz. NS IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:500:9f::42#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving cz. NS IN
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:500:9f::42#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving cz. NS IN
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.12.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: reply from <dnssec.cz.> 217.31.207.99#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.12.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for dnssec.cz. NS IN
[1708008568] unbound[4873:1] info: reply from <dnssec.cz.> 217.31.207.99#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for dnssec.cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <dnssec.cz.> 217.31.207.99#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
<Ctrl-C>
<...shutdown logs>

@romner-set
Author

I also tried putting nameserver 1.1.1.1 in /etc/resolv.conf, which fixed the ad flag in the dig query, but didn't fix mox's DNSSEC:

root@mail /data# ./mox dns lookup mx dnssec.cz
mx records (2, without dnssec):
- mail.nic.cz., preference 10
- mx.nic.cz., preference 15
root@mail /data# dig dnssec.cz mx

; <<>> DiG 9.18.24 <<>> dnssec.cz mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3896
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz.			IN	MX

;; ANSWER SECTION:
dnssec.cz.		1800	IN	MX	10 mail.nic.cz.
dnssec.cz.		1800	IN	MX	15 mx.nic.cz.

;; Query time: 64 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Feb 15 14:57:50 UTC 2024
;; MSG SIZE  rcvd: 82

@mjl-
Owner

mjl- commented Feb 15, 2024

> tried putting nameserver 1.1.1.1 in /etc/resolv.conf, which fixed the ad flag in the dig query, but didn't fix mox's DNSSEC:

If you add options edns0 trust-ad on a separate line to /etc/resolv.conf, that should make it work for mox as well.

But the problem lies with unbound. Do you have the root trust anchor file? There should be a config option auto-trust-anchor-file with a value that could look like /var/lib/unbound/root.key. It can be fetched/updated with the tool unbound-anchor.

@romner-set
Author

romner-set commented Feb 15, 2024

> > tried putting nameserver 1.1.1.1 in /etc/resolv.conf, which fixed the ad flag in the dig query, but didn't fix mox's DNSSEC:
>
> If you add options edns0 trust-ad on a separate line to /etc/resolv.conf, that should make it work for mox as well.
>
> But the problem lies with unbound. Do you have the root trust anchor file? There should be a config option auto-trust-anchor-file with a value that could look like /var/lib/unbound/root.key. It can be fetched/updated with the tool unbound-anchor.

Yeah, that was it – I didn't set up the trust anchor. First time setting up unbound for DNSSEC so I had no idea that was necessary and none of the tutorials I found made it clear, thanks so much for the help!
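The two checks this thread turns on, as an added Python example that is not mox's own code: the resolver trust rule from the quickstart warning (loopback nameservers, or "options trust-ad" in /etc/resolv.conf), and the ad bit in the DNS header that separates the validated dig output from the unvalidated one. The resolv.conf samples and response headers are constructed for the example, and the reading that every listed nameserver must be loopback is an assumption.

```python
import ipaddress
import socket
import struct

# Constructed sample inputs (not taken from the issue), covering the
# resolv.conf variants the thread discusses.
RESOLV_LOOPBACK = "nameserver 127.0.0.1\n"
RESOLV_PUBLIC = "nameserver 1.1.1.1\n"
RESOLV_PUBLIC_TRUST_AD = "nameserver 1.1.1.1\noptions edns0 trust-ad\n"

QTYPE_MX = 15
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf text, ignoring comments."""
    nameservers, options = [], set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            options.update(fields[1:])
    return nameservers, options


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; an interface suffix ('%eth0') is stripped."""
    try:
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False


def resolver_ad_trusted(resolv_conf_text):
    """The trust rule from the quickstart warning: the resolver's AD bit is
    trusted when resolv.conf has 'options trust-ad', or when the nameservers
    are loopback addresses (assumed here: every listed nameserver must be)."""
    nameservers, options = parse_resolv_conf(resolv_conf_text)
    if not nameservers:
        return False
    if "trust-ad" in options:
        return True
    return all(is_loopback(ns) for ns in nameservers)


def build_query(qname, qtype=QTYPE_MX, txid=0x1234, request_ad=True):
    """Wire-format query. AD set in a query asks a validating resolver to
    report validation status in its answer (dig shows it as 'flags: rd ad')."""
    flags = FLAG_RD | (FLAG_AD if request_ad else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    name = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields dig prints."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    names = (("qr", FLAG_QR), ("rd", FLAG_RD), ("ra", FLAG_RA), ("ad", FLAG_AD))
    return {
        "id": txid,
        "flags": " ".join(n for n, bit in names if flags & bit),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def dnssec_status(response):
    """Classify a response the way 'mox dns lookup' labels its records."""
    flags = struct.unpack(">H", response[2:4])[0]
    return "with dnssec" if flags & FLAG_AD else "without dnssec"


def query_resolver(server, qname, qtype=QTYPE_MX, timeout=3.0):
    """Send the query over UDP to a live resolver and return its parsed header
    (needs network; the offline checks below do not call it)."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_header(data)


# Constructed response headers (answer section omitted; only the flags matter):
# the validated reply (qr rd ra ad) and the unvalidated one (qr rd ra).
VALIDATED = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 2, 0, 1)
UNVALIDATED = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 2, 0, 1)

if __name__ == "__main__":
    for resp in (VALIDATED, UNVALIDATED):
        print(parse_header(resp)["flags"], "->", dnssec_status(resp))
```

Calling query_resolver("127.0.0.1", "dnssec.cz") against a local unbound gives the same flags string dig prints, so an answer without "ad" points at the resolver (for instance a missing trust anchor) rather than at mox.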

mjl- added a commit that referenced this issue Mar 7, 2024

by mentioning the dnssec root keys, mentioning which unbound version has EDE,
giving a "dig" invocation to check for dnssec results.

based on issue #131 by romner-set, thanks for reporting