give more helpful pointers for dns-related settings

in quickstart, add troubleshooting hints.
in suggested dns records, explain the multiline long dkim record should
probably be converted into a single string.

the quickstart output is quite long already. i'm hoping for a "mox setup" in
the future where we help a user step-by-step to a fully working system. we'll
have more space to present hints and check the settings after a user made
changes. it's on the roadmap.

based on issues #158 and #164, thanks vipas84 and RobSlgm for reporting and
discussion.
Mechiel Lukkien 2024-05-09 17:28:29 +02:00
parent 30ac690c8f
commit 83004bb18e
2 changed files with 21 additions and 3 deletions


@ -803,7 +803,9 @@ func DomainRecords(domConf config.Domain, domain dns.Domain, hasDNSSEC bool, cer
if len(txt) > 100 { if len(txt) > 100 {
records = append(records, records = append(records,
"; NOTE: The following strings must be added to DNS as single record.", "; NOTE: The following is a single long record split over several lines for use",
"; in zone files. When adding through a DNS operator web interface, combine the",
"; strings into a single string, without ().",
) )
} }
s := fmt.Sprintf("%s._domainkey.%s. TXT %s", name, d, TXTStrings(txt)) s := fmt.Sprintf("%s._domainkey.%s. TXT %s", name, d, TXTStrings(txt))
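Review bot: the new NOTE text tells the user to combine the strings "without ()", but the more common mistake when pasting into a web interface is keeping the double quotes or inserting a space between the pieces; TXT strings are concatenated byte-for-byte, so a stray space or quote inside the DKIM public key makes the record invalid. Suggest extending the last line to something like "; strings into a single string, without the () and \"\", and without spaces between the parts." Also, the threshold here is len(txt) > 100 while the 255-byte limit is what actually forces the split; a short comment on why 100 was chosen (to warn well before a split is needed) would help the next reader.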


@ -183,8 +183,10 @@ verification.
Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver, Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver,
ensure it has DNSSEC root keys (see unbound-anchor), and enable support for ensure it has DNSSEC root keys (see unbound-anchor), and enable support for
"extended dns errors" (EDE, available since unbound v1.16.0). Test with "extended dns errors" (EDE, available since unbound v1.16.0, see below; not
"dig com. ns" and look for "ad" (authentic data) in response "flags". required, but it gives helpful error messages about DNSSEC failures instead of
generic DNS SERVFAIL errors). Test with "dig com. ns" and look for "ad"
(authentic data) in response "flags".
cat <<EOF >/etc/unbound/unbound.conf.d/ede.conf cat <<EOF >/etc/unbound/unbound.conf.d/ede.conf
server: server:
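Review bot: the parenthetical now spans three lines and separates "enable support for extended dns errors" from "see below", so the reader has to find the heredoc after the paragraph to understand what "below" refers to. Suggest shortening to "(EDE, available since unbound v1.16.0; optional, but it replaces generic SERVFAIL with a DNSSEC-specific error message; config example below)" and keeping the "Test with dig com. ns" sentence as its own line, since it is the actual verification step. Note that "ad" only appears when the resolver validated the answer itself; if the user still resolves through a forwarder, the flag is absent even with unbound installed, which the troubleshooting hints in the next hunk cover.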
@ -192,6 +194,20 @@ server:
val-log-level: 2 val-log-level: 2
EOF EOF
Troubleshooting hints:
- Ensure /etc/resolv.conf has "nameserver 127.0.0.1". If the IP is 127.0.0.53,
DNS resolving is done by systemd-resolved. Make sure "resolvconf" isn't
overwriting /etc/resolv.conf (Debian has a package "openresolv" that makes this
easier). "dig" also shows to which IP the DNS request was sent.
- Ensure unbound has DNSSEC root keys available. See unbound config option
"auto-trust-anchor-file" and the unbound-anchor command. Ensure the file exists.
- Run "./mox dns lookup ns com." to simulate the DNSSEC check done by mox. The
output should say "with dnssec".
- The "delv" command can check whether a domain is DNSSEC-signed, but it does
its own DNSSEC verification instead of relying on the resolver, so you cannot
use it to check whether unbound is verifying DNSSEC correctly.
- Increase logging in unbound, see options "verbosity" and "log-queries".
`) `)
} else { } else {
fmt.Println(" OK") fmt.Println(" OK")
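Review bot: the first hint says to ensure /etc/resolv.conf has "nameserver 127.0.0.1" but does not say how to confirm which server actually answered; dig prints this in its ";; SERVER: 127.0.0.53#53(...)" footer, so quoting that line next to "dig also shows to which IP the DNS request was sent" makes the check concrete. The systemd-resolved case could also mention that it can be told to forward to unbound (or its stub listener disabled) instead of only fighting resolvconf over the file. The "./mox dns lookup ns com." hint is the most useful check here since it exercises the same code path as the quickstart; consider listing it first. Minor: these hints live inside the raw string that ends at the backtick, so the leading spaces on the wrapped bullet lines are printed verbatim; that is presumably intended, but worth a comment so nobody reflows them.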