mirror of
https://github.com/mjl-/mox.git
synced 2024-12-26 16:33:47 +03:00
give more helpful pointers for dns-related settings
in quickstart, add troubleshooting hints. in suggested dns records, explain the multiline long dkim record should probably be converted into a single string. the quickstart output is quite long already. i'm hoping for a "mox setup" in the future where we help a user step-by-step to a fully working system. we'll have more space to prevent hints and check the settings after a user made changes. it's on the roadmap. based on issues #158 and #164, thanks vipas84 and RobSlgm for reporting and discussion.
This commit is contained in:
Mechiel Lukkien
parent
30ac690c8f
commit
83004bb18e
2 changed files with 21 additions and 3 deletions
|
|
@ -803,7 +803,9 @@ func DomainRecords(domConf config.Domain, domain dns.Domain, hasDNSSEC bool, cer
|
|||
|
||||
if len(txt) > 100 {
|
||||
records = append(records,
|
||||
"; NOTE: The following strings must be added to DNS as single record.",
|
||||
"; NOTE: The following is a single long record split over several lines for use",
|
||||
"; in zone files. When adding through a DNS operator web interface, combine the",
|
||||
"; strings into a single string, without ().",
|
||||
)
|
||||
}
|
||||
s := fmt.Sprintf("%s._domainkey.%s. TXT %s", name, d, TXTStrings(txt))
|
||||
|
|
|
|||
|
|
@ -183,8 +183,10 @@ verification.
|
|||
|
||||
Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver,
|
||||
ensure it has DNSSEC root keys (see unbound-anchor), and enable support for
|
||||
"extended dns errors" (EDE, available since unbound v1.16.0). Test with
|
||||
"dig com. ns" and look for "ad" (authentic data) in response "flags".
|
||||
"extended dns errors" (EDE, available since unbound v1.16.0, see below; not
|
||||
required, but it gives helpful error messages about DNSSEC failures instead of
|
||||
generic DNS SERVFAIL errors). Test with "dig com. ns" and look for "ad"
|
||||
(authentic data) in response "flags".
|
||||
|
||||
cat <<EOF >/etc/unbound/unbound.conf.d/ede.conf
|
||||
server:
|
||||
|
|
@ -192,6 +194,20 @@ server:
|
|||
val-log-level: 2
|
||||
EOF
|
||||
|
||||
Troubleshooting hints:
|
||||
- Ensure /etc/resolv.conf has "nameserver 127.0.0.1". If the IP is 127.0.0.53,
|
||||
DNS resolving is done by systemd-resolved. Make sure "resolvconf" isn't
|
||||
overwriting /etc/resolv.conf (Debian has a package "openresolv" that makes this
|
||||
easier). "dig" also shows to which IP the DNS request was sent.
|
||||
- Ensure unbound has DNSSEC root keys available. See unbound config option
|
||||
"auto-trust-anchor-file" and the unbound-anchor command. Ensure the file exists.
|
||||
- Run "./mox dns lookup ns com." to simulate the DNSSEC check done by mox. The
|
||||
output should say "with dnssec".
|
||||
- The "delv" command can check whether a domain is DNSSEC-signed, but it does
|
||||
its own DNSSEC verification instead of relying on the resolver, so you cannot
|
||||
use it to check whether unbound is verifying DNSSEC correctly.
|
||||
- Increase logging in unbound, see options "verbosity" and "log-queries".
|
||||
|
||||
`)
|
||||
} else {
|
||||
fmt.Println(" OK")
|
||||
|
|
|
|||
Loading…
Reference in a new issue