Quote:
Originally Posted by KingOfTheData
That's correct, when I switched to G Suite, I only updated the MX Records. So I'm not quite sure how they have a "work around" to still resolve even with DNSSEC issues.
When I self hosted my own email server, I did update/change the DNSSEC to work with my email server. This was recommended for the email set up that I used. So it definitely makes sense that my self hosted solution would receive these emails, because the DNSSEC was set up properly to match my self hosted setup.
You mentioned you tried G Suite after you set up your self-hosted server... did you change the DNS back to your original DNS hosting at that point?
Quote:
I did try pointing my nameservers directly to Fastmail but this did not resolve the issue. In fact, when the issue started, my nameservers were pointed to fastmail. But I set these back to the default nameservers and set up mx records instead.
Yeah, that wouldn't have helped, as from what you indicated above it sounds like the DS record was still published by the registrar until you removed it. Essentially, as long as there's a DS record published for a given domain, everything querying that domain will expect to find it signed with a DNSSEC key that matches the DS record, and essentially fail if that signature isn't valid. A missing signature is the same as an invalid one, of course, since that's kind of the point of DNSSEC — to prevent somebody from hijacking your domain by setting up their own name servers for it.
Frankly, as far as the DNSSEC system was concerned, the domain was being hijacked.... it has no way of knowing that you were the one actually doing the hijacking.
I went through something similar when I switched my DNS over to FastMail, although in my case I did disable DNSSEC before changing the NS records to FastMail, but my registrar didn't properly remove the DS record.
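To make the DS-record point above concrete, here is an added example (not from anyone in this thread) in Python that models what a validating resolver does at the zone cut: the DS digest and key tag follow RFC 4034, while the zone name and the key bytes are constructed placeholders, not real key material.

```python
import hashlib

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: Flags | Protocol (always 3) | Algorithm | Public Key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, algorithm, pubkey):
    """DS record the registrar publishes for a KSK: SHA-256 (digest type 2) over owner | DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def validate_delegation(owner, ds_records, child_dnskeys):
    """Mimic a validating resolver at the zone cut.
    No DS at the parent -> zone is 'insecure' (unsigned answers are accepted).
    DS present -> some DNSKEY served by the child must match it, else 'bogus' (SERVFAIL)."""
    if not ds_records:
        return "insecure"
    for flags, alg, pub in child_dnskeys:
        if make_ds(owner, flags, alg, pub) in ds_records:
            return "secure"
    return "bogus"

def run_scenarios():
    """Constructed keys (placeholder bytes, not real keys) for the migration described in the thread."""
    zone = "example.net."
    old_ksk = (257, 13, b"\x11" * 64)          # KSK used by the self-hosted signer
    new_host_key = (257, 13, b"\x22" * 64)     # a different key a new provider might sign with
    stale_ds = [make_ds(zone, *old_ksk)]       # what the registrar kept publishing after the move
    return {
        "self_hosted": validate_delegation(zone, stale_ds, [old_ksk]),        # signed, DS matches
        "moved_unsigned": validate_delegation(zone, stale_ds, []),            # new NS serves no keys
        "moved_other_key": validate_delegation(zone, stale_ds, [new_host_key]),  # wrong key
        "ds_removed": validate_delegation(zone, [], []),                      # registrar dropped DS
    }
```

The two "moved" cases both come out bogus, which is the SERVFAIL the thread saw until the DS was withdrawn; only the last case, with no DS at the parent, falls back to insecure and resolves again.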