DNSSEC and nsupdate issue and how I fixed it

OS type and version Ubuntu 22.04.4
Webmin version 2.111
Virtualmin version 7.10.0
Related packages Bind

So I wanted to setup a dynamic dns zone for myself. At first all I could find was old information about using dnssec-keygen and those commands kept failing. I eventually discovered and used ddns-confgen, got my key inserted into named.conf.local and added my update-policy.

Gravy! This should work for me. However, named kept complaining it couldn’t find the private keys, which I could clearly see were nestled in /var/lib/bind with my other domains’ keys. I could sign/resign the zone just fine through Webmin. I checked permissions, thinking maybe named couldn’t read them. All readable, root:bind owned. What?

Then after more searching, I came to discover that named.conf.options didn’t have a key-directory option set. So I gave it a key-directory “/var/lib/bind” line and boom! Problem finally solved, nsupdate was working for my little slice of dynamic dns pie.

I don’t have quite the flare to really show off the day I’ve had trying to get what I thought would be a simple setup working, but I wanted to leave this here in case anyone else searching for this niche issue might find it and be helped.

I’m guessing virtualmin uses the keys with an absolute path when it issues signing commands? I was quite confused when I saw the errors in my logs, because everything has been working great otherwise. Anyway, thanks for reading my silly victory post, have a great day!

I think you posting the wrong name, dnssec isn’t dynamic dns DDNS

No, my issue was with dnssec when I tried to push the record update via nsupdate. The system couldn’t write/sign the zone because named couldn’t find the private keys. It just didn’t happen with normal dnssec signing, I assume because virtualmin or whatever script passes the absolute path of the key when it signs the zone.