BIND - Zone delegation using DNSSEC / LetsEncrypt issues

Operating system: Ubuntu Linux
OS version: 20.04.2

Good evening guys,

I made a default install of Virtualmin on Ubuntu Cloud Server. When asked for the hostname and default domain in the installer I entered host.domain.com

BIND created a single zone host.domain.com which doesn’t seem to want to authenticate with LetsEncrypt for an SSL cert via either HTTP or DNS, possibly due to the zone chain being broken? LetsEncrypt gives DNS errors when trying to request the cert while DNS lookups anywhere else have no problems.

When DNSSEC was enabled, this instantly started causing problems too, as there was no zone in between host.domain.com and .com. As such, I created a domain.com zone to complete the DNSSEC authentication chain. How exactly should delegation records be added in the parent zone? Whatever I add throws up the following error when authenticating the DNSSEC chain:

domain.com to host.domain.com: No delegation NS records were detected in the parent zone (domain.com). This results in an NXDOMAIN response to a DS query (for DNSSEC).

Hopefully once this is resolved LetsEncrypt will start to resolve the ns.domain.com servers and issue SSL certs for the host.domain.com

Any ideas?

Cheers

https://help.directadmin.com/item.php?id=652

Issue is as per the link above. Virtualmin however gives the following error when trying to do this:

'DNSSEC signing after records change failed : dnssec-signzone: fatal: 'host.domain.com': found DS RRset without NS RRset'

Only one DS record is available in the child zone's DNSSEC Keys page. Is this the issue?

Seems the issue was just formatting.

The RRset records in the parent zone need the FQDN (with the trailing dot), not just the subdomain, i.e.:

host.domain.com. IN A 11.11.111.111
host.domain.com. IN NS ns1.domain.com.
host.domain.com. IN NS ns2.domain.com.

LetsEncrypt certificates issued. 🙂
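As an added example (not code from this thread, from Virtualmin or from BIND), here is a small Python check that reproduces the mistake behind the `found DS RRset without NS RRset` error and shows why the trailing dot matters. In a zone file every owner name without a trailing dot is relative to `$ORIGIN`, so inside the `domain.com` zone the owner `host.domain.com` is actually `host.domain.com.domain.com.`. The DS record then sits at the real child name while the NS records sit at a name that does not exist, which is exactly the condition dnssec-signzone refuses to sign. The zone fragments, IP addresses and DS digest below are constructed sample data; `check_zone` is a hypothetical helper, not a Virtualmin or BIND API.

```python
"""Detect a DNSSEC delegation broken by missing trailing dots in a parent zone.

Added example; constructed sample data. Parses the subset of BIND zone-file
syntax needed here and reports a DS RRset that has no NS RRset at the same
owner name, plus NS RRsets whose owner looks like an origin appended twice.
"""


def qualify(name, origin):
    """Make an owner name absolute the way BIND does: '@' is the origin,
    a name ending in '.' is already absolute, anything else gets $ORIGIN
    appended. This is the step that turns 'host.domain.com' (no dot) into
    'host.domain.com.domain.com.' inside the domain.com zone."""
    origin = origin.rstrip(".") + "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return a list of (owner, rrtype, rdata) from zone-file text.
    Handles $ORIGIN, comments, optional TTL/class fields and lines that
    start with whitespace (same owner as the previous record)."""
    origin = origin.rstrip(".") + "."
    records = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".") + "."
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        if line[0].isspace():
            owner, rest = last_owner, line.strip()
        else:
            owner_tok, rest = line.split(None, 1)
            owner = qualify(owner_tok, origin)
            last_owner = owner
        toks = rest.split()
        if toks and toks[0].isdigit():  # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() == "IN":  # optional class
            toks.pop(0)
        if len(toks) < 2:
            continue
        records.append((owner, toks[0].upper(), " ".join(toks[1:])))
    return records


def delegation_problems(records, origin):
    """A delegation point needs an NS RRset at the exact name carrying the
    DS RRset. Also flag NS owners that end with the origin twice, the usual
    sign of a relative name that should have had a trailing dot."""
    origin = origin.rstrip(".") + "."
    types_by_owner = {}
    for owner, rtype, _ in records:
        types_by_owner.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, types in sorted(types_by_owner.items()):
        if "DS" in types and "NS" not in types:
            problems.append(f"DS RRset at {owner} without NS RRset")
        if "NS" in types and owner != origin:
            prefix = owner[: -len(origin) - 1]  # drop the ".<origin>" suffix
            if prefix.endswith(origin.rstrip(".")):
                problems.append(
                    f"NS RRset at {owner}: owner name probably lacks a trailing dot"
                )
    return problems


def check_zone(text, origin):
    """Convenience wrapper: parse and check a parent zone in one call."""
    return delegation_problems(parse_zone(text, origin), origin)


# Constructed parent zone with the delegation written the way the thread
# first tried it: NS owners without trailing dots, DS with one.
BROKEN_PARENT = """
$ORIGIN domain.com.
$TTL 3600
@   IN SOA ns1.domain.com. hostmaster.domain.com. ( 2021010101 3600 900 1209600 300 )
@   IN NS ns1.domain.com.
@   IN NS ns2.domain.com.
ns1 IN A 11.11.111.111
ns2 IN A 11.11.111.112
host.domain.com IN NS ns1.domain.com.
host.domain.com IN NS ns2.domain.com.
host.domain.com. IN DS 12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Same zone with absolute owner names, as in the working fix.
FIXED_PARENT = BROKEN_PARENT.replace(
    "host.domain.com IN NS", "host.domain.com. IN NS"
) + "host.domain.com. IN A 11.11.111.111\n"

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_PARENT), ("fixed", FIXED_PARENT)):
        print(label, check_zone(zone, "domain.com") or "OK")
```

On a live server the same two facts are what to confirm from the parent's own name servers: `dig @ns1.domain.com host.domain.com NS` and `dig @ns1.domain.com host.domain.com DS` should both return records, and a validating resolver only accepts the child's signatures once the DS is reachable through a proper delegation.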

👍 👍
