mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

DNS Update in v0.40 breaks on CAA records. #1507

Open Faeranne opened 5 years ago

Faeranne commented 5 years ago

Looks like it stems from ldns-signzone breaking when trying to parse CAA records. The solution right now is to correct the records in /etc/nsd/zones/ and run ldns-signzone manually, then delete the records from the Custom DNS interface, and finally run dns_update manually. Correcting the zone entries has to be done first, as the dns api errors out until that is fixed, and won't allow you to remove existing records.

Error when running ldns-signzone: Zone not read, error: Syntax error, could not parse the RR's rdata at /etc/nsd/zones/projectmakeit.com.txt line 16 which read IN CAA 0 iodef "mailto:admin@projectmakeit.com"

~After following the update procedures to move from v0.30 to v0.40 and from ubuntu 14.04 to 18.04 on DigitalOcean, everything has gone smoothly, except the dns server is still issuing an incorrect DANE TLSA record. I've checked the dns directly using dig @ns1.box.projectmakeit.com ANY _25._tcp.box.projectmakeit.com and still see the old entry. The current message on the status page is The DANE TLSA record for incoming mail (_25._tcp.box.projectmakeit.com) is not correct. It is '3 1 1 7b421ccedc12fcfb1706813555867dc400d29ccdc95f56cb2a321daef03d5126' but it should be '3 1 1 de108a11b619aa4ecef4e6dc264de4dcbc80d636a64ac32d0af31b744253799d'. It may take several hours for public DNS to update after a change.~

~Since these are automatically generated, I can't see how to force it to be updated.~

~dig output:~

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> @ns1.box.projectmakeit.com ANY _25._tcp.box.projectmakeit.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21458
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_25._tcp.box.projectmakeit.com.        IN      ANY

;; ANSWER SECTION:
_25._tcp.box.projectmakeit.com. 1800 IN TLSA    3 1 1 7B421CCEDC12FCFB1706813555867DC400D29CCDC95F56CB2A321DAE F03D5126
_25._tcp.box.projectmakeit.com. 1800 IN RRSIG   TLSA 7 5 1800 20190215000000 20190117014412 22049 projectmakeit.com. Z+EVU0imN+T5Pe+w5Ia0hXMo6dzHTPsdYLqKAtITySuXoU+Ui0w2g44x ZArrb/jC3+dhkEybevpqqlXdp5LWWQAIQF/+phfK1Jr5MKHUgdMpEFgf uZRO57Vt9oVW1HeBIZp3FB7g4WCYE9+mx23q2YjoMwh5zG0NQDpno7LJ P4g=

;; AUTHORITY SECTION:
projectmakeit.com.      1800    IN      NS      ns1.box.projectmakeit.com.
projectmakeit.com.      1800    IN      NS      ns2.box.projectmakeit.com.

;; ADDITIONAL SECTION:
ns1.box.projectmakeit.com. 1800 IN      A       198.199.118.101
ns2.box.projectmakeit.com. 1800 IN      A       198.199.118.101

;; Query time: 64 msec
;; SERVER: 198.199.118.101#53(198.199.118.101)
;; WHEN: Thu Jan 17 12:53:31 CST 2019
;; MSG SIZE  rcvd: 351

jvolkenant commented 5 years ago

Did you start with a fresh 18.04, or did you upgrade from 14.04? Your struck-through text says the server is still issuing incorrect DANE TLSA; was it working in 14.04? I feel like mine is working; what is a good way to test this? (The online TLSA validators say things are fine for my domain.)

Faeranne commented 5 years ago

Fresh install. It worked fine in 14.04. I haven't tried re-adding the CAA records to see if the issue comes back, but I will this evening.

Faeranne commented 5 years ago

Re-adding didn't result in any new issues, so it appears to only affect restores from 0.3 to 0.4.

jvolkenant commented 5 years ago

Not sure if there is some confusion going on. I tested my domain at https://www.ssllabs.com/ssltest and it did not find a CAA record. Above you show dig output for DANE. Are you entering your own CAA record? I'm not sure that MIAB is auto-generating one.

Faeranne commented 5 years ago

Ya, sorry, the dig output was for the original issue. Apparently you can't strike through blocks of text (or at least I haven't figured out how), so there is a bit of confusion there. The CAA record is manually added via the custom dns page.

jvolkenant commented 5 years ago

I just added a CAA record without error.

I went to custom dns and added type CAA and filled this in the field: 0 issue "letsencrypt.org"

Save was fine, tools/dns_update was fine, management/dns_update.py reports the entry as fine, and the check at https://caatest.co.uk/ reports things are good.

We'll see in a month if my certs renew properly.

Faeranne commented 5 years ago

The bug only seems to affect imported boxes from v3.0 backups. Adding new records seems to work just fine.

Faeranne commented 5 years ago

I have managed to replicate the error when importing. Turns out if the issuer address isn't quoted, it works fine until you add a second CAA entry to the same domain. I've included both working and broken examples of the dns/custom.yaml file:

Works in both 3.0 and 4.0:

projectmakeit.com:
  CAA:
  - 0 issue "letsencrypt.org"
  - 0 iodef "mailto:admin@projectmakeit.com"

Works in 3.0 but not in 4.0:

projectmakeit.com:
  CAA:
  - 0 issue letsencrypt.org
  - 0 iodef "mailto:admin@projectmakeit.com"
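The difference between the two custom.yaml variants above is only the quoting of the issue value. As an added example (not Mail-in-a-Box's own code), the following Python normalizes each CAA entry into the canonical `flags tag "value"` form before it is written into the zone, so an unquoted value from an old backup produces the same zone lines as the working variant and a malformed entry is rejected before ldns-signzone ever sees it. The function names and the two dictionaries are constructed for this example and mirror the YAML from the comment above.

```python
import re

# Constructed: the two dns/custom.yaml variants from the issue, already parsed
# into dicts so the check runs without PyYAML.
CUSTOM_DNS_WORKING = {"projectmakeit.com": {"CAA": [
    '0 issue "letsencrypt.org"',
    '0 iodef "mailto:admin@projectmakeit.com"']}}
CUSTOM_DNS_BROKEN = {"projectmakeit.com": {"CAA": [
    '0 issue letsencrypt.org',                      # unquoted value
    '0 iodef "mailto:admin@projectmakeit.com"']}}

CAA_TAGS = {"issue", "issuewild", "iodef"}
# flags (one byte), tag, then either a "quoted string" or a single bare token.
CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+(?:"([^"]*)"|(\S+))\s*$')


def normalize_caa(rdata):
    """Return one CAA rdata string as 'flags tag "value"', or raise ValueError."""
    m = CAA_RE.match(rdata)
    if not m:
        raise ValueError("CAA rdata not in 'flags tag value' form: %r" % rdata)
    flags, tag, quoted, bare = m.groups()
    flags = int(flags)
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must be 0-255: %r" % rdata)
    tag = tag.lower()
    if tag not in CAA_TAGS:
        raise ValueError("unknown CAA tag %r in %r" % (tag, rdata))
    value = quoted if quoted is not None else bare
    if '"' in value:                 # e.g. an unterminated quote matched as a bare token
        raise ValueError("unbalanced quote in CAA value: %r" % rdata)
    return '%d %s "%s"' % (flags, tag, value)


def caa_zone_lines(custom_dns):
    """Render every CAA entry of a custom.yaml-style dict as NSD zone file lines."""
    lines = []
    for qname, records in sorted(custom_dns.items()):
        for rdata in records.get("CAA", []):
            lines.append("%s.\tIN\tCAA\t%s" % (qname, normalize_caa(rdata)))
    return lines


if __name__ == "__main__":
    for line in caa_zone_lines(CUSTOM_DNS_BROKEN):
        print(line)
```

Running the script on the broken variant prints the same two zone lines the working variant produces, which is the form ldns-signzone accepts.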