ddavness / power-mailinabox

A Mail-in-a-Box with extra capabilities and more customizability. Not just for power users!
Creative Commons Zero v1.0 Universal

Shouldn't pmiab set the DNSSEC (DS) record when it acts as the primary DNS zone server? #91

Closed lifeboy closed 1 year ago

lifeboy commented 1 year ago

As it is, I have changed the domain's NS records at the registrar to point to pmiab and have a secondary set as well. When I go to the registrar's control panel, there are no DNS records to set, since this is delegated to pmiab.

What am I missing here please?

thehappyitguy commented 1 year ago

Google Domains here. I use glue records and normal NS in the DNS records. Worked fine. Maybe a few more details to get you the help you need.

On Thu, Nov 3, 2022 at 4:11 AM Roland Giesler @.***> wrote:

> As it is, I have changed the domain's NS records at the registrar to point to pmiab and have a secondary set as well. When I go to the registrar's control panel, there are no DNS records to set, since this is delegated to pmiab.
>
> What am I missing here please?


lifeboy commented 1 year ago

> Google Domains here. I use glue records and normal NS in the DNS records. Worked fine. Maybe a few more details to get you the help you need.

This has little if anything to do with NS glue records, so I'm not sure I understand your response. To add DNSSEC I need to add these records somewhere. That somewhere should be where the zone file is, which is the pmiab machine, not the registrar. Unless this is not so, the message on the status page of pmiab doesn't make sense.

ddavness commented 1 year ago

The DS records (Delegation Signature record) are added to the server that does the delegation. The server doing the delegation to the server is the registry. Because of that, the DS record needs to be added to the registry (usually done via the registrar). It works exactly the same way with MiaB.

If the DS record was published on its own zone, it would be basically like issuing a self-signed certificate.

The process is different from registrar to registrar. On Namecheap you'd need to go to the Advanced DNS section, enable DNSSEC, then add the record there:

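The DS record a registrar asks for is derived from the zone's own DNSKEY. The sketch below is an added example, not part of the thread or of the project's code: it computes the key tag and SHA-256 digest (RFC 4034, RFC 4509) for a DNSKEY line and checks a DS against it, the way the parent side binds to the child's key. The owner name and key bytes are constructed sample values.

```python
import base64
import hashlib
import struct

# Constructed sample: 32 arbitrary bytes standing in for an Ed25519 (alg 15) key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 15 " + SAMPLE_KEY_B64

def name_to_wire(name):
    """Owner name in canonical wire form: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(line):
    """Build the DS line (digest type 2, SHA-256) for one DNSKEY line."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    if not flags & 0x0100 or protocol != 3:
        raise ValueError("not a DNSSEC zone key")
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[i + 4:]))
    digest = hashlib.sha256(name_to_wire(fields[0]) + rdata).hexdigest().upper()
    return f"{fields[0]} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def ds_matches(ds_line, dnskey_line):
    """Parent-side check: does the published DS commit to this child DNSKEY?"""
    want = ds_from_dnskey(dnskey_line).split()[-4:]
    have = ds_line.split()
    i = have.index("DS")
    return [have[i + 1], have[i + 2], have[i + 3], "".join(have[i + 4:]).upper()] == want

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY))
```
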

lifeboy commented 1 year ago

Ah, that makes sense. I'll have to engage the registrar then.

Thanks for the clarification.

On Fri, 4 Nov 2022 at 00:00, David Duque @.***> wrote:

> The DS records (Delegation Signature record) are added to the server that does the delegation. The server doing the delegation to the server is the registry. Because of that, the DS record needs to be added to the registry. It works exactly the same way with MiaB.
>
> If the DS record was published on its own zone, it would be basically like issuing a self-signed certificate.
