mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

DANE configuration #185

Closed morki closed 3 months ago

morki commented 3 months ago

When I test settings in mox admin, it shows DANE: OK:


But when I click the link in bottom Check configuration at internet.nl, it shows DANE is not configured.

https://internet.nl/mail/morki.cz/1277684/

Do I need to do something manually?

mjl- commented 3 months ago

Hi @morki, indeed this doesn't look helpful. Could it be that the public listener in mox.conf doesn't have host keys? For example, my mox.conf has this:

Listeners:
        public:
                TLS:
                        HostPrivateKeyFiles:
                                - hostkeys/mail.axillis.nl.20231009T215235.rsa2048.privatekey.pkcs8.pem
                                - hostkeys/mail.axillis.nl.20231009T215235.ecdsap256.privatekey.pkcs8.pem

If the "HostPrivateKeyFiles" isn't present, then mox currently isn't expecting to find any DANE records, which could be the reason it's claiming all is good. It could also be that mox is doing MX lookups and not getting any records for a domain. That could perhaps happen if the entire domain was set up just now, and a dns cache still has the "no mx records exist" present in its cache.

Are you seeing the "Show instructions" link like on the included screenshot? If not, it's probably a case of missing host keys. See command "mox config ensureacmehostprivatekeys" for creating these host keys, https://pkg.go.dev/github.com/mjl-/mox#hdr-mox_config_ensureacmehostprivatekeys. After they are created, the mox dnscheck should show instructions and say that records are missing. This should only be necessary if you initially installed mox some time ago, when DANE wasn't implemented yet. If this is needed on a fresh new install, I would have to look into that.


I think we should change the dns check page to display a yellow "Not configured" instead of "OK" if no host keys are configured.

morki commented 3 months ago

The command did nothing. I think it is somehow related to the fact that I am using an existing webserver (caddy). Is it required to use mox ACME to use DANE? Can I help you by sending configs or something else?

mjl- commented 3 months ago

ACME isn't required for using DANE with mox, but that command indeed only works with ACME configured in mox.

You can manually configure host keys to use with DANE. I'm assuming caddy is requesting certificates using ACME. You have to be careful about the key used for those certificates: If caddy generates a new key each time it requests a new certificate, the DANE DNS records also need to change. If you don't change the DANE DNS records when the TLS key changes, then DANE will break.

There is a complication with automating key rotation: The DANE DNS records have a TTL. When rotating TLS keys, you must first add DANE records for the new key, wait for the TTL (old records may still be in a DNS cache somewhere), then you can start using the new cert & key and remove the old DANE records. So it's not as simple as a one-shot script when a new key is generated.

Mox currently doesn't request a new key when a new certificate is requested: mox requests a new certificate for the current key. That's why mox doesn't have to rotate DANE records. Perhaps you can configure caddy the same way. If you want to enable DANE, I think this is the way to go forward. I know certbot has an option to keep using the key instead of generating a new one. I did a quick search, perhaps option "reuse_private_keys" on https://caddyserver.com/docs/caddyfile/directives/tls will do the trick. Once that is enabled, you can configure the tls keys in mox.conf under HostPrivateKeyFiles, and mox will show the expected DANE DNS records and check for them.

I still think the dns check page should not indicate "OK" for DANE, but show a warning that DANE isn't configured, I'll see if I can get that in quickly.

In the future, I want mox to generate new TLS keys for each new ACME certificate, and automatically make the DANE DNS changes, taking TTL expiration into account. But that requires new capabilities, to make changes in DNS. It's on the roadmap, hopefully for later this year.
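As an added example (not code from mox or from either commenter) of the record mox derives from a static host key: this Go program, assuming the placeholder host mail.example.com and a constructed key in place of a real hostkeys file, computes the DANE-EE TLSA record for port 25 from a PKCS#8 PEM private key, so a caddy-managed key can be compared with what is published in DNS and a rotated key shows up as a different record.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
)

// TLSARecord returns the DANE-EE record (usage 3, selector 1 = SubjectPublicKeyInfo,
// matching type 1 = SHA-256) for host's SMTP port, the form mox publishes for static host keys.
func TLSARecord(host string, pub crypto.PublicKey) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return fmt.Sprintf("_25._tcp.%s. IN TLSA 3 1 1 %s", host, hex.EncodeToString(sum[:])), nil
}

// TLSARecordFromPKCS8 derives the record from a PKCS#8 PEM private key, the file
// format that HostPrivateKeyFiles in mox.conf points at (RSA, ECDSA or Ed25519).
func TLSARecordFromPKCS8(host string, pemData []byte) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "PRIVATE KEY" {
		return "", fmt.Errorf("no PKCS#8 PRIVATE KEY block in PEM input")
	}
	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	signer, ok := priv.(crypto.Signer) // all supported key types implement Public()
	if !ok {
		return "", fmt.Errorf("unsupported private key type %T", priv)
	}
	return TLSARecord(host, signer.Public())
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for a hostkeys/*.pkcs8.pem file
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	pemData := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	rec, err := TLSARecordFromPKCS8("mail.example.com", pemData)
	fmt.Println(rec, err)
}
```

Feed it the actual file named under HostPrivateKeyFiles and compare the output with `dig TLSA _25._tcp.<host>`; if caddy issued a certificate for a different key, the hashes will not match and the DNS record must be updated (new record first, wait out the TTL, then switch keys).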

mjl- commented 3 months ago

@morki the latest commit should stop showing the green "OK" and start showing a yellow "DANE not configured" message, along with instructions to configure static tls host keys. thanks for reporting.

i hope the above helps. if you run into issues configuring host keys and/or dane, I'm interested in hearing about it.

morki commented 3 months ago

Thank you very much, I resolved it using your excellent tutorial (using caddy keys with reuse_private_keys). Now it seems to be OK, as seen here: https://internet.nl/mail/morki.cz/1277836/