Covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case

tmiland · July 11, 2022, 7:38am

SYSTEM INFORMATION
OS type and version	Debian Linux 11
Webmin version	1.994
Virtualmin version	7.1-1 Pro

Hello,
recently i get this error trying to renew certificates for all CNAME alias subdomains:


DNSLookupFailed
Fatal
A fatal issue occurred during the DNS lookup process for sub.domain.com/CAA.
DNS response for sub.domain.com had fatal DNSSEC issues: validation failure <sub.domain.com. CAA IN>: covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case from 123.456.78.910 for DS dyndns.domain.com. while building chain of trust

This was previously working, no changes has been made, except from updating packages/virtualmin/webmin.

Any ideas how to get this working again?

Regards.

tmiland · July 12, 2022, 7:52am

Did some more debugging using https://dnsviz.net, got this error:

domain.com to sub.domain.com: No delegation NS records were detected in the parent zone (domain.com). This results in an NXDOMAIN response to a DS query (for DNSSEC), even if the parent servers are authoritative for the child.

tmiland · July 12, 2022, 6:49pm

Solved by deleting the CNAME record, added A record, renewed cert, deleted A record and re-added CNAME record.

system · July 20, 2022, 6:49pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.