CentOS 7 Virtualmin 5.0.gpl DNS hints

On two different CentOS 7 servers, Virtualmin GPL would not let an end-user reload a DNS zone. The following might save you tearing your hair out.

On CentOS 7.2.151 we have BIND 9.9.4. If you have Virtualmin 5.0.gpl (and presumably Virtualmin Pro since the DNS back-end is probably the same), end users might be unable to apply zone config for a DNS zone. The error is that /etc/rndc.conf is not found. However, in BIND 9.9.4, as supplied with CentOS 7, it’s normal for that file to not exist. Instead, BIND uses /etc/rndc.key.

The solution is NOT to do “BIND DNS Server => Setup RNDC => Yes, Setup RNDC”. Doing so may leave your named.conf incompatible with the “rndc” command. As a result, all BIND configuration reloads will fail if done by rndc, even if initiated by the admin of the server, even at the command line, even logged in as root.

If this happens, you will need to manually edit /etc/named.conf and remove the lines near the end that were added by Setup RNDC, which are shown below.

key rndc-key {
    algorithm hmac-md5;
    secret "… some string …";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};

The above lines are not needed. Edit them out (but save a copy of the original named.conf, just in case).

Also delete /etc/rndc.conf (but save a copy somewhere, just in case).

After removing the above lines and /etc/rndc.conf, manually restart BIND, e.g., “systemctl restart named”.
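Before hand-editing named.conf it helps to know exactly which stanzas "Setup RNDC" left behind and to have a dated backup of each file you touch. The script below is an added example, not part of the original post or of Virtualmin: it greps a named.conf for the key and controls stanzas shown above, makes a timestamped copy of a file before you edit or delete it, and ships a constructed sample named.conf (with a placeholder instead of a real secret) so the audit can be tried without touching /etc. The CentOS 7 paths it mentions (/etc/named.conf, /etc/rndc.conf) are assumed from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from Virtualmin.
# Audit a named.conf for the stanzas that Virtualmin's "Setup RNDC" appends,
# and back up files before editing them. Assumed CentOS 7 paths:
# /etc/named.conf and /etc/rndc.conf.

# Print the name of each "Setup RNDC" stanza present in the given named.conf.
# Exit status 0 means at least one stanza was found, 1 means the file is clean.
find_setup_rndc_stanzas() {
    conf="$1"
    found=1
    if grep -Eq '^[[:space:]]*key[[:space:]]+"?rndc-key"?[[:space:]]*[{]' "$conf"; then
        echo "key rndc-key"
        found=0
    fi
    if grep -Eq '^[[:space:]]*controls[[:space:]]*[{]' "$conf"; then
        echo "controls"
        found=0
    fi
    return $found
}

# Copy a file to a timestamped backup beside it (preserving mode and owner)
# and print the backup path, so the original can be restored if needed.
backup_file() {
    src="$1"
    dest="$src.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest" && echo "$dest"
}

# Constructed sample of what "Setup RNDC" leaves at the end of named.conf.
# The secret is a placeholder, not a real key; use this to try the audit
# on a scratch file instead of /etc/named.conf.
sample_named_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
};
key rndc-key {
    algorithm hmac-md5;
    secret "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};
EOF
}

# Usage on a real server (as root), one file at a time:
#   find_setup_rndc_stanzas /etc/named.conf && backup_file /etc/named.conf
#   backup_file /etc/rndc.conf && rm /etc/rndc.conf
# Then edit the reported stanzas out of named.conf and restart named.
```

After `systemctl restart named`, `rndc status` as root should succeed using the default /etc/rndc.key; if it does not, the key file or the stanzas above are still in the way.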

To fix the zone reload problem, adjust the DNS configuration of the end user:

Webmin => Webmin Users => username => Click here to bypass this warning => Available Webmin modules => BIND DNS Server => Can stop, start and apply?

Change the “Can stop, start and apply?” to “Only apply configuration.”

This means that whenever the end user changes anything in his own DNS zone, BIND reloads the entire /etc/named.conf, not just that zone.

One more thing you can do to improve the situation is this. By default, Virtualmin appears to apply named.conf by stopping and restarting BIND. This means that if there is a syntax error in named.conf, BIND will not start again, leaving you without DNS. Change the option to use rndc reload instead, as follows.

Webmin => BIND DNS Server => Module Config => System Configuration => Command to apply BIND configuration.

Change this to “Other command” and enter the command as “/sbin/rndc reload”.

Now BIND never has to stop and restart. Instead, rndc asks the running named to reload its configuration; if the new named.conf or a zone file contains a syntax error, that reload fails and named keeps serving the configuration it already has.
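A plain "/sbin/rndc reload" keeps named up, but the end user only learns that the reload was rejected, not why. The wrapper below is an added example, not part of the original post or of Virtualmin: it runs named-checkconf -z over named.conf and every zone it references, prints the checker's diagnostics and exits non-zero if anything fails (so Virtualmin can show the error), and only then runs rndc reload. The install path /usr/local/sbin/safe-apply-bind.sh is a hypothetical choice, and the CHECKCONF/RNDC/NAMED_CONF variables exist so the logic can be exercised with stand-in commands; the defaults are the CentOS 7 locations from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from Virtualmin.
# Validate BIND's configuration before asking the running named to reload.
# Intended as the "Other command" under Command to apply BIND configuration,
# installed at the assumed path /usr/local/sbin/safe-apply-bind.sh.
# Assumed CentOS 7 defaults; the variables let the logic be tested with stand-ins.
CHECKCONF="${CHECKCONF:-named-checkconf}"
RNDC="${RNDC:-/sbin/rndc}"
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"

# Check named.conf and all zone files (-z). On failure, print the checker's
# output to stderr and return 2 without touching the daemon. On success, run
# "rndc reload" and return its status, which is non-zero if rndc cannot reach
# named (for example when /etc/rndc.key is missing or unreadable by root).
safe_apply() {
    conf="${1:-$NAMED_CONF}"
    if ! errors=$("$CHECKCONF" -z "$conf" 2>&1); then
        printf 'named.conf or a zone file failed validation; not reloading:\n%s\n' "$errors" >&2
        return 2
    fi
    "$RNDC" reload
}

# When installed under the assumed name and run directly, apply immediately.
# An optional first argument names an alternative named.conf to validate.
case "${0##*/}" in
    safe-apply-bind.sh) safe_apply "$@" ;;
esac
```

Enter the script's path as the "Other command"; because it exits non-zero on a failed check, a broken edit is reported back to the user instead of silently leaving the old configuration in place.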

All of this is clearly suboptimal, but it’s the only workaround I found.