diff --git a/mox-/admin.go b/mox-/admin.go index d36cf44..497328e 100644 --- a/mox-/admin.go +++ b/mox-/admin.go @@ -803,7 +803,9 @@ func DomainRecords(domConf config.Domain, domain dns.Domain, hasDNSSEC bool, cer if len(txt) > 100 { records = append(records, - "; NOTE: The following strings must be added to DNS as single record.", + "; NOTE: The following is a single long record split over several lines for use", + "; in zone files. When adding through a DNS operator web interface, combine the", + "; strings into a single string, without ().", ) } s := fmt.Sprintf("%s._domainkey.%s. TXT %s", name, d, TXTStrings(txt)) diff --git a/quickstart.go b/quickstart.go index 1bf4e69..1bedb46 100644 --- a/quickstart.go +++ b/quickstart.go @@ -183,8 +183,10 @@ verification. Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver, ensure it has DNSSEC root keys (see unbound-anchor), and enable support for -"extended dns errors" (EDE, available since unbound v1.16.0). Test with -"dig com. ns" and look for "ad" (authentic data) in response "flags". +"extended dns errors" (EDE, available since unbound v1.16.0, see below; not +required, but it gives helpful error messages about DNSSEC failures instead of +generic DNS SERVFAIL errors). Test with "dig com. ns" and look for "ad" +(authentic data) in response "flags". cat </etc/unbound/unbound.conf.d/ede.conf server: 
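Review bot: The new NOTE tells operators to combine the quoted strings into one string, but a DNS TXT character-string is capped at 255 octets, so a DKIM public key longer than that still has to be split somewhere; some operator web interfaces split a long value automatically, others reject or truncate it, and a mangled DKIM record fails signature verification for every outgoing message. I'd hedge the advice, e.g. change the last two added lines to `"; in zone files. When adding through a DNS operator web interface, combine the", "; strings into a single string, without (). If the interface limits a string to", "; 255 characters, split the value into strings of at most 255 characters instead.",`. The note is also emitted whenever len(txt) > 100, which does not obviously match the boundary at which TXTStrings (not visible here) starts splitting; if that boundary is 255, records between 101 and 255 characters get a note about a split that did not happen. DomainRecords starts and ends outside the hunk.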
@@ -192,6 +194,20 @@ server: val-log-level: 2 EOF +Troubleshooting hints: +- Ensure /etc/resolv.conf has "nameserver 127.0.0.1". If the IP is 127.0.0.53, + DNS resolving is done by systemd-resolved. Make sure "resolvconf" isn't + overwriting /etc/resolv.conf (Debian has a package "openresolv" that makes this + easier). "dig" also shows to which IP the DNS request was sent. +- Ensure unbound has DNSSEC root keys available. See unbound config option + "auto-trust-anchor-file" and the unbound-anchor command. Ensure the file exists. +- Run "./mox dns lookup ns com." to simulate the DNSSEC check done by mox. The + output should say "with dnssec". +- The "delv" command can check whether a domain is DNSSEC-signed, but it does + its own DNSSEC verification instead of relying on the resolver, so you cannot + use it to check whether unbound is verifying DNSSEC correctly. +- Increase logging in unbound, see options "verbosity" and "log-queries". + `) } else { fmt.Println(" OK")
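Review bot: The first troubleshooting hint steers readers to `nameserver 127.0.0.1` but never says why a local resolver matters for security: the "ad" flag the quickstart tells you to look for is an unauthenticated bit in the DNS response, so it is only trustworthy when the resolver is reached over a path an attacker cannot tamper with, such as loopback, and pointing resolv.conf at a remote validating resolver makes the DNSSEC check trust whatever arrives on the wire. I'd add a bullet after the resolv.conf one: `- Keep the resolver on localhost (or another trusted path). The "ad" flag is not authenticated; a resolver reached over an untrusted network can be spoofed into reporting DNSSEC-validated data.` The "log-queries" suggestion in the last bullet also deserves a caveat, since it records every lookup the mail server makes, including recipient domains, e.g. `(disable "log-queries" again after troubleshooting, it logs every DNS query)`. The string literal continues above the hunk and the enclosing function starts and ends outside it.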