BIND - Zone delegation using DNSSEC / LetsEncrypt issues

Operating system: Ubuntu Linux
OS version: 20.04.2

Good evening guys,

I made a default install of Virtualmin on Ubuntu Cloud Server. When asked for the hostname and default domain in the installer I entered

BIND created a single zone which doesn’t seem to want to authenticate with LetsEncrypt for an SSL cert via either HTTP or DNS, possibly due to the zone chain being broken? LetsEncrypt gives DNS errors when trying to request the cert while DNS lookups anywhere else have no problems.

When DNSSEC was enabled this instantly started causing problems too, as there was no zone in between and .com; as such, I created a zone to complete the DNSSEC authentication chain. How should delegation records be added in the parent zone exactly? Whatever I add is throwing up the following error when authenticating the DNSSEC chain: to No delegation NS records were detected in the parent zone ( This results in an NXDOMAIN response to a DS query (for DNSSEC).

Hopefully once this is resolved LetsEncrypt will start to resolve the servers and issue SSL certs for the

Any ideas?


Issue is as per the link above. Virtualmin however gives the following error when trying to do this:

‘DNSSEC signing after records change failed : dnssec-signzone: fatal: ‘’: found DS RRset without NS RRset’

Only 1 DS record available in the child zone's DNSSEC Key page, is this the issue?

Seems the issue was just formatting.

RRset parent domain records need the FQDN set, not just the subdomain, i.e.: IN A IN NS IN NS

LetsEncrypt certificates issued. :slight_smile:

:+1: :+1:
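An added example, not part of the original thread and not Virtualmin's or BIND's own code: a small checker that expands owner names the way a BIND zone file is read and lists names that carry a DS RRset without an NS RRset, the condition behind the `dnssec-signzone` error quoted above. The zone content, `example.com` and all record values are constructed placeholders, and the parser only handles simple one-line records with an explicit owner name.

```python
import re

# Constructed parent-zone snippet (example.com and all values are placeholders).
# "host" is delegated consistently; the "bad" NS owner lacks its trailing dot.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@                 IN NS ns1.example.com.
host              IN NS ns1.host.example.com.
host              IN DS 12345 13 2 ABCDEF
bad.example.com   IN NS ns1.bad.example.com.
bad.example.com.  IN DS 54321 13 2 FEDCBA
"""

def absolute(name, origin):
    """Expand an owner name: '@' is the origin, a trailing dot means
    fully qualified, anything else is relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()

def rrsets_by_owner(zone_text):
    """Return {absolute owner name: set of record types}."""
    origin, owners = ".", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        # owner [ttl] [IN] type rdata
        m = re.match(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Za-z]+)\s", line, re.I)
        if m:
            owner = absolute(m.group(1), origin)
            owners.setdefault(owner, set()).add(m.group(2).upper())
    return owners

def ds_without_ns(zone_text):
    """Owner names with a DS RRset but no NS RRset at the same name."""
    return sorted(o for o, types in rrsets_by_owner(zone_text).items()
                  if "DS" in types and "NS" not in types)

if __name__ == "__main__":
    for owner, types in sorted(rrsets_by_owner(SAMPLE_ZONE).items()):
        print(owner, sorted(types))
    print("DS without NS:", ds_without_ns(SAMPLE_ZONE))
```

In the sample, the NS record written without a trailing dot expands to `bad.example.com.example.com.`, so the DS at `bad.example.com.` has no NS RRset beside it.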
