
Issue Getting DANE working

follow in your footsteps. The only thing I think I did different from you was to add dns configuration at the server level, in the plesk interface:
What do you mean by server level?

I get this error message when I add these entries:
Code:
dnsmng failed: /etc/named-user-options.conf:4: option 'dnssec-enable' no longer exists
 
Follow this path in the plesk interface.

Plesk => Tools and Settings => DNS Settings => Server-wide Settings => Additional DNS Settings
I did, but I get errors. I tried these, but it won't get saved.

Code:
version "none";
auth-nxdomain no;
max-records-per-type 0;
dnssec-enable yes;
dnssec-validation auto;
managed-keys-directory "/var/named/dynamic";
 
I'm on Debian 12.9 using Bind9. I think that Bind doesn't like the dnssec-enable command.

Code:
dnsmng failed: /etc/named-user-options.conf:4: option 'dnssec-enable' no longer exists
Did you create that file? I had to create it.
If you did and the error persists, I can't help you; see if there is someone on the forum who is more familiar with this.
 
ChatGPT tells me that your version is newer than mine, and that the correct form for that version is this one:

dnssec-validation auto;
managed-keys-directory "/var/named/dynamic";

The path /var/named/dynamic: I don't know whether it corresponds to the one on your system.
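As an added example (not from either poster), here is a small Python linter that reproduces the `file:line` diagnostic named gave for the fragment in the earlier post, drops the obsolete `dnssec-enable` statement and reports when `dnssec-validation` is missing. The file path and the one-statement-per-line parsing are assumptions; the fragment below is a constructed copy of the one posted.

```python
import re

# The option this thread hit: current BIND (Debian 12 ships 9.18) rejects dnssec-enable
# outright; validation is switched on with dnssec-validation instead.
REMOVED = {"dnssec-enable": "validation is controlled by dnssec-validation"}
EXPECTED = {"dnssec-validation"}  # what a validating resolver needed for DANE should set

def lint_bind_options(text: str, path: str = "/etc/named-user-options.conf"):
    """Return (diagnostics, cleaned_text).
    Diagnostics mimic named's 'file:line: message' form; statements are expected
    one per line as 'name value;' (assumption: no nested blocks in the fragment)."""
    diags, kept, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = re.match(r"\s*([a-z0-9-]+)\s+([^;]*);\s*$", line)
        if not m:
            if line.strip():
                diags.append(f"{path}:{lineno}: cannot parse statement: {line.strip()}")
            kept.append(line)
            continue
        name = m.group(1)
        if name in REMOVED:
            diags.append(f"{path}:{lineno}: option '{name}' no longer exists ({REMOVED[name]})")
            continue  # drop the statement from the cleaned config
        seen.add(name)
        kept.append(line)
    for name in sorted(EXPECTED - seen):
        diags.append(f"{path}: missing '{name}' (e.g. '{name} auto;')")
    return diags, "\n".join(kept) + "\n"

# Constructed copy of the fragment from the thread that named rejected at line 4.
BROKEN = """version "none";
auth-nxdomain no;
max-records-per-type 0;
dnssec-enable yes;
dnssec-validation auto;
managed-keys-directory "/var/named/dynamic";
"""

if __name__ == "__main__":
    problems, fixed = lint_bind_options(BROKEN)
    print("\n".join(problems))
    print(fixed)
```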
 
I found my path, but it won't work. Postfix is reloading again and again after I restart Bind9 with these settings.

Code:
version "none";
auth-nxdomain no;
max-records-per-type 0;
dnssec-validation auto;
managed-keys-directory "/var/cache/bind/";
 
I don't know why this won't work. The tool at Check a DANE SMTP Service tells me everything is fine:

Code:
Domain Name: oliver-tief.de

MX host: 10 mail.oliver-tief.de.

#################################################################
### CHECKING MX HOST: mail.oliver-tief.de.
#################################################################
Host: mail.oliver-tief.de. Port: 25
SNI: mail.oliver-tief.de.
STARTTLS application: smtp
DNS TLSA RRset:
  qname: _25._tcp.mail.oliver-tief.de.
  3 0 1 b44cd47fbc05bd9aad046bf6fb6772a0e52332c766facb3aaf2e6433903cffea
IP Addresses found:
  62.138.14.246

## Checking mail.oliver-tief.de. 62.138.14.246 port 25
DANE TLSA 3 0 1 [b44cd47f..]: OK matched EE certificate
## STARTTLS Transcript:
recv: 220 mail.leagues-united.de ESMTP Postfix (Debian/GNU)
send: EHLO cheetara.huque.com
recv: 250-mail.leagues-united.de
recv: 250-PIPELINING
recv: 250-SIZE 102400000
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250-DSN
recv: 250 CHUNKING
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
## Peer Certificate Chain:
   0 CN=oliver-tief.de
     CN=R11,O=Let's Encrypt,C=US
   1 CN=R11,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## PKIX Certificate Chain 0:
   0 CN=oliver-tief.de
     CN=R11,O=Let's Encrypt,C=US
   1 CN=R11,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## DANE Certificate Chain 0:
   0 CN=oliver-tief.de
     CN=R11,O=Let's Encrypt,C=US
   1 CN=R11,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## TLS Connection Info:
   TLS version: 1.3
   CipherSuite: TLS_AES_128_GCM_SHA256
## End-Entity Certificate Info:
   X509 version: 3
   Serial#: 39f921d0c44c18912866d118ba9f006caf8
   Subject: CN=oliver-tief.de
   Issuer:  CN=R11,O=Let's Encrypt,C=US
   SAN dNSName: *.oliver-tief.de
   SAN dNSName: oliver-tief.de
   SAN dNSName: polli-online.de
   SAN dNSName: tontechnik-tief.de
   SAN dNSName: www.polli-online.de
   SAN dNSName: www.tontechnik-tief.de
   Signature Algorithm: SHA256-RSA
   PublicKey Algorithm: RSA 2048-Bits
   Inception:  2025-01-14 20:18:31 +0000 UTC
   Expiration: 2025-04-14 20:18:30 +0000 UTC
   KU: DigitalSignature KeyEncipherment
   EKU: ServerAuth ClientAuth
   Is CA?: false
   SKI: 98dae1bcab4659a7c6e2285224c4838d36c8e4df
   AKI: c5cf46a4eaf4c3c07a6c95c42db05e922f26e3b9
   OSCP Servers: [http://r11.o.lencr.org]
   CA Issuer URL: [http://r11.i.lencr.org/]
   CRL Distribution: []
   Policy OIDs: [2.23.140.1.2.1]
Result: DANE OK

[0] Authentication succeeded for all (1) peers.

My logs show me this:

Code:
2025-01-17 18:47:14    postfix/smtpd [1642773] disconnect from cheetara.huque.com[50.116.63.23] ehlo=1 starttls=1 commands=2
2025-01-17 18:47:14    postfix/smtpd [1642773] lost connection after STARTTLS from cheetara.huque.com[50.116.63.23]
2025-01-17 18:47:14    postfix/smtpd [1642773] Anonymous TLS connection established from cheetara.huque.com[50.116.63.23] to mail.oliver-tief.de: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2025-01-17 18:47:13    postfix/smtpd [1642773] connect from cheetara.huque.com[50.116.63.23]

With my mail clients I always get an untrusted TLS connection when sending mail. It seems that my mail server doesn't check for DANE connections. How can I solve this?

Thanks for your help
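As an added example, not from the poster or from the DANE checker used above, this is how the "3 0 1 [b44cd47f..]: OK matched EE certificate" line is arrived at: a DANE-EE record (usage 3, selector 0, matching type 1) matches when the SHA-256 of the presented leaf certificate's DER encoding equals the record data. The function names and the sample certificate bytes are constructed; swap in the real DER of the certificate the server presents to check a live record.

```python
import hashlib
from dataclasses import dataclass

# Expected association-data length in bytes per matching type (None = any, exact match).
DIGEST_LEN = {0: None, 1: 32, 2: 64}

@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE: the presented end-entity cert itself must match, no PKIX chain
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation form such as '3 0 1 b44cd47f...'; the hex may be split by spaces."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs: usage selector mtype data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in DIGEST_LEN:
        raise ValueError("unknown TLSA parameter value")
    data = bytes.fromhex("".join(parts[3:]))
    if DIGEST_LEN[mtype] not in (None, len(data)):
        raise ValueError(f"matching type {mtype} expects {DIGEST_LEN[mtype]} bytes of data")
    return TLSA(usage, selector, mtype, data)

def tlsa_digest(cert_der: bytes, mtype: int) -> str:
    """Hex association data for selector 0 (whole DER certificate) under matching type mtype."""
    if mtype == 0:
        return cert_der.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], cert_der).hexdigest()

def matches_tlsa(record: TLSA, cert_der: bytes) -> bool:
    """True when the record's data matches the presented end-entity certificate.
    Only selector 0 is handled; selector 1 needs the SPKI extracted from the DER first."""
    if record.selector != 0:
        raise NotImplementedError("selector 1 (SPKI) requires ASN.1 parsing")
    return record.data == bytes.fromhex(tlsa_digest(cert_der, record.mtype))

def tlsa_record_for(cert_der: bytes, mtype: int = 1) -> str:
    """Presentation form of the DANE-EE record '3 0 <mtype> <hex>' to publish for cert_der."""
    return f"3 0 {mtype} {tlsa_digest(cert_der, mtype)}"

# Constructed stand-in for DER certificate bytes (not a real X.509 certificate).
SAMPLE_DER = b"constructed sample bytes, not a real X.509 DER certificate"

if __name__ == "__main__":
    published = tlsa_record_for(SAMPLE_DER)  # what goes into _25._tcp.<mail host>
    print(published, matches_tlsa(parse_tlsa(published), SAMPLE_DER))
```

A passing check like the one in the thread only proves the published record matches the certificate the server presents; whether the server verifies DANE for mail it sends is a separate, sending-side setting (in Postfix, smtp_tls_security_level = dane together with DNSSEC-validating resolution), which this check does not exercise.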
 