Closed romner-set closed 9 months ago
Is there any chance your hostname (mail.<domain>) is in /etc/hosts? That would get preference over querying over DNS, and /etc/hosts is not DNSSEC-protected.
Otherwise, is there anything special in /etc/resolv.conf? If the nameservers are loopback IPs, their DNSSEC status should be trusted. Otherwise the trust-ad option is needed.
Could you try the mox dns lookup command on various domains? Those use the DNS config as mox will do all its resolving. Examples:
$ mox dns lookup mx google.com
mx records (1, without dnssec):
- smtp.google.com., preference 10
$ mox dns lookup mx ueber.net
mx records (1, with dnssec):
- mail.axillis.nl., preference 10
Will this cause issues as described in the quickstart warnings, or is it safe to ignore?
You can continue with the installation. If all resolving really won't appear DNSSEC-verified to mox, then mox won't be able to verify DANE when delivering. That's similar to how most mail servers deliver, but mox wants to do better. (:
So I'm curious to learn why the DNSSEC status isn't seen.
Is there any chance your hostname (mail.<domain>) is in /etc/hosts? That would get preference over querying over DNS, and /etc/hosts is not DNSSEC-protected.
Nope, /etc/hosts only contains this (I'm running mox in a Proxmox LXC hosted on a Hetzner dedicated server, hence the PVE section – the mail.your-server.de line doesn't have anything to do with E-mail, it's just there since the LXC is named mail):
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
# --- BEGIN PVE ---
10.0.0.103 mail.your-server.de mail
# --- END PVE ---
Otherwise, is there anything special in /etc/resolv.conf? If the nameservers are loopback IPs, their DNSSEC status should be trusted. Otherwise the trust-ad option is needed.
This is the entire /etc/resolv.conf file:
nameserver 127.0.0.1
Could you try the mox dns lookup command on various domains? Those use the DNS config as mox will do all its resolving. Examples:
$ mox dns lookup mx google.com
mx records (1, without dnssec):
- smtp.google.com., preference 10
$ mox dns lookup mx ueber.net
mx records (1, with dnssec):
- mail.axillis.nl., preference 10
root@mail /data# ./mox dns lookup mx google.com
mx records (1, without dnssec):
- smtp.google.com., preference 10
root@mail /data# ./mox dns lookup mx ueber.net
mx records (1, without dnssec):
- mail.axillis.nl., preference 10
root@mail /data# ./mox dns lookup mx dnssec.cz
mx records (2, without dnssec):
- mail.nic.cz., preference 10
- mx.nic.cz., preference 15
root@mail /data# ./mox dns lookup mx <domain>
mx records (1, without dnssec):
- mail.<domain>., preference 10
Interesting. What does dig dnssec.cz mx output? For me the following. Important that it says SERVER: 127.0.0.1#53(127.0.0.1) and ad (authentic data) in flags: qr rd ra ad:
$ dig dnssec.cz mx
; <<>> DiG 9.19.19-1-Debian <<>> dnssec.cz mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42924
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; ANSWER SECTION:
dnssec.cz. 1793 IN MX 10 mail.nic.cz.
dnssec.cz. 1793 IN MX 15 mx.nic.cz.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 15:28:49 CET 2024
;; MSG SIZE rcvd: 82
root@mail /data# dig dnssec.cz mx
; <<>> DiG 9.18.24 <<>> dnssec.cz mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46093
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; ANSWER SECTION:
dnssec.cz. 3600 IN MX 15 mx.nic.cz.
dnssec.cz. 3600 IN MX 10 mail.nic.cz.
;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 14:32:43 UTC 2024
;; MSG SIZE rcvd: 82
No ad it seems, any idea what could be causing this?
We'll probably have to dive into unbound logging.
Could you also try dig with the +qr flag? It prints the request. For me that includes ad (request validation), perhaps it is off for your dig.
$ dig mx dnssec.cz +qr
; <<>> DiG 9.19.19-1-Debian <<>> mx dnssec.cz +qr
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5578
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 59a7d2969fd9e0d3
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; QUERY SIZE: 50
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5578
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; ANSWER SECTION:
dnssec.cz. 1235 IN MX 10 mail.nic.cz.
dnssec.cz. 1235 IN MX 15 mx.nic.cz.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 15:38:07 CET 2024
;; MSG SIZE rcvd: 82
Without requesting ad:
$ dig mx dnssec.cz +qr +noad
; <<>> DiG 9.19.19-1-Debian <<>> mx dnssec.cz +qr +noad
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37781
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2f3701e91b4b0f31
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; QUERY SIZE: 50
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37781
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; ANSWER SECTION:
dnssec.cz. 1220 IN MX 10 mail.nic.cz.
dnssec.cz. 1220 IN MX 15 mx.nic.cz.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 15:38:22 CET 2024
;; MSG SIZE rcvd: 82
I think a next step would be increasing the unbound debug log level, and checking what it is saying. I think you can increase the level several times, up to a lot of detail. Hopefully it will give a hint.
root@mail /data# dig dnssec.cz mx +qr
; <<>> DiG 9.18.24 <<>> dnssec.cz mx +qr
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31157
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 71346dfa9c104f56
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; QUERY SIZE: 50
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31157
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; ANSWER SECTION:
dnssec.cz. 3600 IN MX 10 mail.nic.cz.
dnssec.cz. 3600 IN MX 15 mx.nic.cz.
;; Query time: 92 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Feb 15 14:43:02 UTC 2024
;; MSG SIZE rcvd: 82
With val-log-level: 5, use-syslog: no and log-queries: yes in the unbound config:
root@mail /data# unbound -d -vvvvv # startup/shutdown only
[1708008705] unbound[4908:0] notice: Start of unbound 1.19.1.
[1708008705] unbound[4908:0] debug: increased limit(open files) from 1024 to 8266
[1708008705] unbound[4908:0] debug: creating udp4 socket 127.0.0.1 53
[1708008705] unbound[4908:0] debug: creating tcp4 socket 127.0.0.1 53
[1708008705] unbound[4908:0] debug: creating udp4 socket 127.0.0.1 53
[1708008705] unbound[4908:0] debug: creating tcp4 socket 127.0.0.1 53
[1708008705] unbound[4908:0] debug: drop user privileges, run as unbound
[1708008705] unbound[4908:0] debug: switching log to stderr
[1708008705] unbound[4908:0] debug: module config: "validator iterator"
[1708008705] unbound[4908:0] notice: init module 0: validator
[1708008705] unbound[4908:0] debug: validator nsec3cfg keysz 1024 mxiter 150
[1708008705] unbound[4908:0] debug: validator nsec3cfg keysz 2048 mxiter 150
[1708008705] unbound[4908:0] debug: validator nsec3cfg keysz 4096 mxiter 150
[1708008705] unbound[4908:0] notice: init module 1: iterator
[1708008705] unbound[4908:0] debug: target fetch policy for level 0 is 3
[1708008705] unbound[4908:0] debug: target fetch policy for level 1 is 2
[1708008705] unbound[4908:0] debug: target fetch policy for level 2 is 1
[1708008705] unbound[4908:0] debug: target fetch policy for level 3 is 0
[1708008705] unbound[4908:0] debug: target fetch policy for level 4 is 0
[1708008705] unbound[4908:0] debug: donotq: 127.0.0.0/8
[1708008705] unbound[4908:0] debug: donotq: ::1
[1708008705] unbound[4908:0] debug: total of 59446 outgoing ports available
[1708008705] unbound[4908:0] debug: start threads
[1708008705] unbound[4908:0] debug: Thread stack size set to 2097152
[1708008705] unbound[4908:0] debug: libevent 2.1.12-stable uses epoll method.
[1708008705] unbound[4908:1] debug: libevent 2.1.12-stable uses epoll method.
[1708008705] unbound[4908:1] debug: no config, using builtin root hints.
[1708008705] unbound[4908:1] debug: cache memory msg=33064 rrset=33064 infra=7904 val=33344
[1708008705] unbound[4908:0] debug: no config, using builtin root hints.
[1708008705] unbound[4908:0] debug: cache memory msg=33064 rrset=33064 infra=7904 val=33344
[1708008705] unbound[4908:0] info: start of service (unbound 1.19.1).
<Ctrl-C>
[1708008815] unbound[4908:0] info: service stopped (unbound 1.19.1).
[1708008815] unbound[4908:0] debug: stop threads
[1708008815] unbound[4908:0] debug: join 1
[1708008815] unbound[4908:1] debug: got control cmd quit
[1708008815] unbound[4908:0] debug: join success 1
[1708008815] unbound[4908:0] debug: cleanup.
[1708008815] unbound[4908:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1708008815] unbound[4908:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
[1708008815] unbound[4908:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1708008815] unbound[4908:0] debug: cache memory msg=33064 rrset=33064 infra=7904 val=33344
[1708008815] unbound[4908:0] debug: comm_point_close of 3: event_del
[1708008815] unbound[4908:0] debug: comm_point_close of 4: event_del
[1708008815] unbound[4908:0] debug: comm_point_close of 7: event_del
[1708008815] unbound[4908:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1708008815] unbound[4908:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
[1708008815] unbound[4908:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1708008815] unbound[4908:0] debug: cache memory msg=33064 rrset=33064 infra=7904 val=33344
[1708008815] unbound[4908:0] debug: comm_point_close of 5: event_del
[1708008815] unbound[4908:0] debug: comm_point_close of 6: event_del
[1708008815] unbound[4908:0] debug: comm_point_close of 9: event_del
[1708008815] unbound[4908:0] debug: Exit cleanup.
[1708008815] unbound[4908:0] debug: switching log to stderr
root@mail /data# unbound -d -v # dns query
<...logs before query>
[1708008568] unbound[4873:1] info: 127.0.0.1 dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: resolving dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: response for dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: reply from <.> 192.5.5.241#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving cz. DNSKEY IN
[1708008568] unbound[4873:1] info: resolving cz. NS IN
[1708008568] unbound[4873:1] info: response for dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving sld3.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving dnssec.cz. DNSKEY IN
[1708008568] unbound[4873:1] info: resolving sld3.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving sld1.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving dnssec.cz. NS IN
[1708008568] unbound[4873:1] info: resolving sld1.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: response for cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <.> 192.5.5.241#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:500:1::53#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <.> 198.97.190.53#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for cz. NS IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:7fe::53#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving b.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving c.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving c.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving d.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving b.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: resolving d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: resolving a.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: response for cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <.> 192.33.4.12#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <.> 199.7.91.13#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for dnssec.cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:7fd::1#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for dnssec.cz. NS IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:500:a8::e#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving cz. DNSKEY IN
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.12.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.13.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.13.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.13.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for dnssec.cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for dnssec.cz. NS IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.12.1#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for cz. NS IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:500:9f::42#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving cz. NS IN
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <.> 2001:500:9f::42#53
[1708008568] unbound[4873:1] info: query response was REFERRAL
[1708008568] unbound[4873:1] info: resolving cz. NS IN
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:1::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.12.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was nodata ANSWER
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:f::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for b.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. A IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld2.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for dnssec.cz. MX IN
[1708008568] unbound[4873:1] info: reply from <dnssec.cz.> 217.31.207.99#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld1.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.14.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for a.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 194.0.12.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for c.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 193.29.206.1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for d.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:11::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for dnssec.cz. NS IN
[1708008568] unbound[4873:1] info: reply from <dnssec.cz.> 217.31.207.99#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for dnssec.cz. DNSKEY IN
[1708008568] unbound[4873:1] info: reply from <dnssec.cz.> 217.31.207.99#53
[1708008568] unbound[4873:1] info: query response was ANSWER
[1708008568] unbound[4873:1] info: response for sld3.ns.nic.cz. AAAA IN
[1708008568] unbound[4873:1] info: reply from <cz.> 2001:678:10::1#53
[1708008568] unbound[4873:1] info: query response was ANSWER
<Ctrl-C>
<...shutdown logs>
I also tried putting nameserver 1.1.1.1 in /etc/resolv.conf, which fixed the ad flag in the dig query, but didn't fix mox's DNSSEC:
root@mail /data# ./mox dns lookup mx dnssec.cz
mx records (2, without dnssec):
- mail.nic.cz., preference 10
- mx.nic.cz., preference 15
root@mail /data# dig dnssec.cz mx
; <<>> DiG 9.18.24 <<>> dnssec.cz mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3896
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.cz. IN MX
;; ANSWER SECTION:
dnssec.cz. 1800 IN MX 10 mail.nic.cz.
dnssec.cz. 1800 IN MX 15 mx.nic.cz.
;; Query time: 64 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Feb 15 14:57:50 UTC 2024
;; MSG SIZE rcvd: 82
tried putting nameserver 1.1.1.1 in /etc/resolv.conf, which fixed the ad flag in the dig query, but didn't fix mox's DNSSEC:
If you add options edns0 trust-ad on a separate line to /etc/resolv.conf, that should make it work for mox as well.
But the problem lies with unbound. Do you have the root trust anchor file? There should be a config option auto-trust-anchor-file with a value that could look like /var/lib/unbound/root.key. It can be fetched/updated with the tool unbound-anchor.
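As an added example (not code from this thread, nor from mox or unbound), the two checks the replies above turn on are made concrete: decoding the ad bit from a DNS message header the way dig's flags: line reports it, and applying the resolv.conf rule stated earlier, that a loopback nameserver's AD bit is trusted while any other nameserver needs options trust-ad. The replies and resolv.conf contents below are constructed samples, and the trust rule is written out from the thread's description, not taken from mox's resolver code.

```python
"""Two checks from the thread: can a client trust its nameservers' AD bit per
/etc/resolv.conf, and does a given DNS reply actually carry the AD bit."""
import ipaddress
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
QTYPE_MX, QCLASS_IN = 15, 1


def parse_resolv_conf(text):
    """Return (nameservers, options) parsed from resolv.conf contents."""
    nameservers, options = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "options":
            options.update(args)
    return nameservers, options


def ad_trusted_per_nameserver(text):
    """Map each nameserver to whether its AD bit may be believed: loopback
    resolvers implicitly, any other only when 'trust-ad' is in options."""
    nameservers, options = parse_resolv_conf(text)
    trust_ad = "trust-ad" in options
    result = {}
    for ns in nameservers:
        try:
            loopback = ipaddress.ip_address(ns).is_loopback
        except ValueError:
            loopback = False  # unparsable address: never trusted
        result[ns] = loopback or trust_ad
    return result


def build_query(qname, qtype=QTYPE_MX, request_ad=True, txid=0x1234):
    """Wire-format query with RD and, like dig's default, AD set to ask the
    resolver to report validation status in its reply."""
    flags = FLAG_RD | (FLAG_AD if request_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    name = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, QCLASS_IN)


def header_flags(msg):
    """Decode the header flag bits of a query or reply into dig-style names."""
    (flags,) = struct.unpack("!H", msg[2:4])
    names = (("qr", FLAG_QR), ("rd", FLAG_RD), ("ra", FLAG_RA), ("ad", FLAG_AD), ("cd", FLAG_CD))
    return [name for name, bit in names if flags & bit]


def reply_is_validated(reply, resolv_conf_text, server_ip):
    """Combined decision: AD is set in the reply AND the answering server is
    one whose AD bit resolv.conf lets us trust."""
    trusted = ad_trusted_per_nameserver(resolv_conf_text).get(server_ip, False)
    return "ad" in header_flags(reply) and trusted


# Constructed sample reply headers (12 bytes; the body is irrelevant to the flag check):
# a validating resolver's answer versus one that validated nothing.
REPLY_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 2, 0, 1)
REPLY_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 2, 0, 1)

# Constructed resolv.conf variants matching the three situations in the thread.
RESOLV_LOOPBACK = "nameserver 127.0.0.1\n"
RESOLV_PUBLIC = "nameserver 1.1.1.1\n"
RESOLV_PUBLIC_TRUST_AD = "nameserver 1.1.1.1\noptions edns0 trust-ad\n"

if __name__ == "__main__":
    print(header_flags(build_query("dnssec.cz.")))  # ['rd', 'ad'], as dig +qr shows
    print(header_flags(REPLY_VALIDATED))            # ['qr', 'rd', 'ra', 'ad']
    for conf in (RESOLV_LOOPBACK, RESOLV_PUBLIC, RESOLV_PUBLIC_TRUST_AD):
        print(ad_trusted_per_nameserver(conf))
```

Note that a public resolver's AD bit with trust-ad set only tells the client that the resolver validated; the path between them is still unauthenticated, which is why the loopback setup with a working trust anchor is the stronger configuration.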
Yeah, that was it – I didn't set up the trust anchor. First time setting up unbound for DNSSEC so I had no idea that was necessary and none of the tutorials I found made it clear, thanks so much for the help!
Running ./mox quickstart -hostname mail.<domain>.<tld> admin@<domain>.<tld> outputs the following warnings:
even though running delv mail.<domain>.<tld> returns ; fully validated with the correct A and RRSIG records.
I'm using unbound with these settings (https://feeding.cloud.geek.nz/posts/setting-up-your-own-dnssec-aware/, plus the 2 lines suggested by mox):
I also tried setting the /etc/resolv.conf nameserver to 1.1.1.1 or 8.8.8.8 to no avail.
Will this cause issues as described in the quickstart warnings, or is it safe to ignore?