From b5416462755c9ec3419ea797d6c07436cd105824 Mon Sep 17 00:00:00 2001 From: Mechiel Lukkien Date: Thu, 7 Mar 2024 10:47:48 +0100 Subject: [PATCH] be more helpful about instructions for installing unbound and dnssec by mentioning the dnssec root keys, mentioning which unbound version has EDE, giving a "dig" invocation to check for dnssec results. based on issue #131 by romner-set, thanks for reporting --- quickstart.go | 6 ++++-- webadmin/admin.go | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/quickstart.go b/quickstart.go index b90ae83..b2bdddd 100644 --- a/quickstart.go +++ b/quickstart.go @@ -175,12 +175,14 @@ WARNING: It looks like the DNS resolvers configured on your system do not verify DNSSEC, or aren't trusted (by having loopback IPs or through "options trust-ad" in /etc/resolv.conf). Without DNSSEC, outbound delivery with SMTP used unprotected MX records, and SMTP STARTTLS connections cannot verify the TLS -certificate with DANE (based on a public key in DNS), and will fallback to +certificate with DANE (based on a public key in DNS), and will fall back to either MTA-STS for verification, or use "opportunistic TLS" with no certificate verification. Recommended action: Install unbound, a DNSSEC-verifying recursive DNS resolver, -and enable support for "extended dns errors" (EDE): +ensure it has DNSSEC root keys (see unbound-anchor), and enable support for +"extended dns errors" (EDE, available since unbound v1.16.0). Test with +"dig com. ns" and look for "ad" (authentic data) in response "flags". cat </etc/unbound/unbound.conf.d/ede.conf server: diff --git a/webadmin/admin.go b/webadmin/admin.go index 213a6da..39bb8d8 100644 --- a/webadmin/admin.go +++ b/webadmin/admin.go @@ -534,7 +534,7 @@ func checkDomain(ctx context.Context, resolver dns.Resolver, dialer *net.Dialer, if err != nil { addf(&r.DNSSEC.Errors, "Looking up NS for DNS root (.) to check support in resolver for DNSSEC-verification: %s", err) } else if !result.Authentic { - addf(&r.DNSSEC.Warnings, `It looks like the DNS resolvers configured on your system do not verify DNSSEC, or aren't trusted (by having loopback IPs or through "options trust-ad" in /etc/resolv.conf). Without DNSSEC, outbound delivery with SMTP used unprotected MX records, and SMTP STARTTLS connections cannot verify the TLS certificate with DANE (based on a public key in DNS), and will fallback to either MTA-STS for verification, or use "opportunistic TLS" with no certificate verification.`) + addf(&r.DNSSEC.Warnings, `It looks like the DNS resolvers configured on your system do not verify DNSSEC, or aren't trusted (by having loopback IPs or through "options trust-ad" in /etc/resolv.conf). Without DNSSEC, outbound delivery with SMTP uses unprotected MX records, and SMTP STARTTLS connections cannot verify the TLS certificate with DANE (based on public keys in DNS), and will fall back to either MTA-STS for verification, or use "opportunistic TLS" with no certificate verification.`) } else { _, result, _ := resolver.LookupMX(ctx, domain.ASCII+".") if !result.Authentic { @@ -544,7 +544,7 @@ func checkDomain(ctx context.Context, resolver dns.Resolver, dialer *net.Dialer, addf(&r.DNSSEC.Instructions, `Enable DNSSEC-signing of the DNS records of your domain (zone) at your DNS hosting provider.`) - addf(&r.DNSSEC.Instructions, `If your DNS records are already DNSSEC-signed, you may not have a DNSSEC-verifying recursive resolver in use. Install unbound, and enable support for "extended DNS errors" (EDE), for example: + addf(&r.DNSSEC.Instructions, `If your DNS records are already DNSSEC-signed, you may not have a DNSSEC-verifying recursive resolver configured. Install unbound, ensure it has DNSSEC root keys (see unbound-anchor), and enable support for "extended dns errors" (EDE, available since unbound v1.16.0). Test with "dig com. ns" and look for "ad" (authentic data) in response "flags". cat </etc/unbound/unbound.conf.d/ede.conf server: