mirror of
https://github.com/mjl-/mox.git
synced 2024-12-27 08:53:48 +03:00
give more helpful pointers for dns-related settings
in quickstart, add troubleshooting hints. in suggested dns records, explain the multiline long dkim record should probably be converted into a single string. the quickstart output is quite long already. i'm hoping for a "mox setup" in the future where we help a user step-by-step to a fully working system. we'll have more space to prevent hints and check the settings after a user made changes. it's on the roadmap. based on issues #158 and #164, thanks vipas84 and RobSlgm for reporting and discussion.
This commit is contained in:
parent
30ac690c8f
commit
83004bb18e
2 changed files with 21 additions and 3 deletions
|
@ -803,7 +803,9 @@ func DomainRecords(domConf config.Domain, domain dns.Domain, hasDNSSEC bool, cer
|
||||||
|
|
||||||
if len(txt) > 100 {
|
if len(txt) > 100 {
|
||||||
records = append(records,
|
records = append(records,
|
||||||
"; NOTE: The following strings must be added to DNS as single record.",
|
"; NOTE: The following is a single long record split over several lines for use",
|
||||||
|
"; in zone files. When adding through a DNS operator web interface, combine the",
|
||||||
|
"; strings into a single string, without ().",
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
s := fmt.Sprintf("%s._domainkey.%s. TXT %s", name, d, TXTStrings(txt))
|
s := fmt.Sprintf("%s._domainkey.%s. TXT %s", name, d, TXTStrings(txt))
|
||||||
|
|
|
@ -183,8 +183,10 @@ verification.
|
||||||
|
|
||||||
Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver,
|
Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver,
|
||||||
ensure it has DNSSEC root keys (see unbound-anchor), and enable support for
|
ensure it has DNSSEC root keys (see unbound-anchor), and enable support for
|
||||||
"extended dns errors" (EDE, available since unbound v1.16.0). Test with
|
"extended dns errors" (EDE, available since unbound v1.16.0, see below; not
|
||||||
"dig com. ns" and look for "ad" (authentic data) in response "flags".
|
required, but it gives helpful error messages about DNSSEC failures instead of
|
||||||
|
generic DNS SERVFAIL errors). Test with "dig com. ns" and look for "ad"
|
||||||
|
(authentic data) in response "flags".
|
||||||
|
|
||||||
cat <<EOF >/etc/unbound/unbound.conf.d/ede.conf
|
cat <<EOF >/etc/unbound/unbound.conf.d/ede.conf
|
||||||
server:
|
server:
|
||||||
|
@ -192,6 +194,20 @@ server:
|
||||||
val-log-level: 2
|
val-log-level: 2
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
Troubleshooting hints:
|
||||||
|
- Ensure /etc/resolv.conf has "nameserver 127.0.0.1". If the IP is 127.0.0.53,
|
||||||
|
DNS resolving is done by systemd-resolved. Make sure "resolvconf" isn't
|
||||||
|
overwriting /etc/resolv.conf (Debian has a package "openresolv" that makes this
|
||||||
|
easier). "dig" also shows to which IP the DNS request was sent.
|
||||||
|
- Ensure unbound has DNSSEC root keys available. See unbound config option
|
||||||
|
"auto-trust-anchor-file" and the unbound-anchor command. Ensure the file exists.
|
||||||
|
- Run "./mox dns lookup ns com." to simulate the DNSSEC check done by mox. The
|
||||||
|
output should say "with dnssec".
|
||||||
|
- The "delv" command can check whether a domain is DNSSEC-signed, but it does
|
||||||
|
its own DNSSEC verification instead of relying on the resolver, so you cannot
|
||||||
|
use it to check whether unbound is verifying DNSSEC correctly.
|
||||||
|
- Increase logging in unbound, see options "verbosity" and "log-queries".
|
||||||
|
|
||||||
`)
|
`)
|
||||||
} else {
|
} else {
|
||||||
fmt.Println(" OK")
|
fmt.Println(" OK")
|
||||||
|
|
Loading…
Reference in a new issue