Are you sure that you have the latest Virtualmin 6.17-3 installed and running?
I really cannot reproduce or witness DNSSEC keys being changed on saving the virtual-server.name - Server Configuration ⇾ DNS Options page. It shouldn’t be happening unless you intentionally toggle the DNSSEC signature enabled option.
Perhaps the workaround would be to disable the DNS domain enabled feature on the virtual-server.name - Edit Virtual Server page and then re-enable it. Be careful, it will reset the domain’s DNS zone records to default.
Afterwards, try enabling the DNSSEC signature enabled option and later check whether the issue is still happening.
Just tried your workaround, unfortunately without any luck.
I disabled DNSSEC, disabled DNS domain enabled and enabled it again like you suggested. I then selected my domain in Webmin → Servers → BIND DNS Servers : Existing DNS Zones, then Setup DNSSEC key.
In Virtualmin → Server Configuration → DNS Options, DNSSEC signature enabled is Yes and DNSSEC zone keys exist.
If at that point I hit Save, the keys go away and signature enabled is disabled. Enabling it here will not work.
I can confirm some of the weird behavior here. It is really a problem, as any action taken in Virtualmin’s “DNS Options” generates a new DS. So this means, for me at least, that the domain is down and I have to input the new DS at the registrar, but for the regular users it is a problem. I guess it shouldn’t happen, not a desired outcome, given that regular users will use that area and in doing so they will break DNS resolution for no reason at all. Plus, if they access Virtualmin via their domain.name:port I guess they are also locked out of Virtualmin, the only alternative being of course the direct IP or the name of the server itself, not very friendly and maybe not known.
What is more interesting is that I get a lot of email warnings every day about all the domains that can’t be signed (it is super to get notified, not about that), but including the ones that shouldn’t have DNSSEC enabled and that don’t have any keys… In fact, given that the DNSSEC domains mostly work, I only get emails about the ones that shouldn’t have DNSSEC.
– Follow-up —
So the master zone key for the domain file is changed due to:
cd /var/named/dskeys && dnssec-keygen -a RSASHA256 -b 3072 -n ZONE -r /dev/urandom domain.tld
cd /var/named/dskeys && dnssec-keygen -a RSASHA256 -b 3072 -n ZONE -f KSK -r /dev/urandom domain.tld
After that the zone is re-signed …
cd /var/named/dskeys && dnssec-signzone -o domain.tld -3 - -u -f /var/named/masters/domain.tld.hosts.webmin-signed /var/named/masters/domain.tld.hosts
The zone file from the “create /var/named/masters/” command adds all the new records and restarts BIND, assuming the key generated just then and overwriting the actual key that I updated the registrar with.
The new key files *.key and *.private overwrite the old id and the key is lost…
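One check worth running after the sequence above, as an added example that is not Virtualmin's or BIND's own code: derive the DS record from the zone's current KSK (the same data dnssec-dsfromkey prints) and compare it with the DS set the parent publishes, so a silently regenerated key is noticed before resolution breaks. The owner name, the DNSKEY bytes and the "published" DS list below are constructed; in practice the local key comes from the K<zone>.+008+<tag>.key file and the published set from a DS query to the parent.

```python
import base64
import hashlib
import struct

# Constructed example: a KSK for domain.tld (flags 257 = KSK, protocol 3, algorithm 8 =
# RSASHA256). The public key bytes are a short made-up value, not a real RSA key.
OWNER = "domain.tld."
CONSTRUCTED_KEY_B64 = "AwEAAavN"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as on the wire: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; this is the numeric id in the K<zone>.+<alg>+<tag>.key name."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, hex SHA-256), the DS the parent must publish."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)


def ds_drift(owner: str, local_rdata: bytes, published_ds: list) -> bool:
    """True when the DS derived from the zone's current KSK is not among the DS records the
    parent publishes, i.e. the key was regenerated after the registrar was last updated."""
    return ds_record(owner, local_rdata) not in published_ds


if __name__ == "__main__":
    old_ksk = dnskey_rdata(257, 3, 8, CONSTRUCTED_KEY_B64)
    registrar_ds = [ds_record(OWNER, old_ksk)]      # what was submitted to the registrar
    regenerated = dnskey_rdata(257, 3, 8, "AwEAAavO")  # constructed stand-in for a fresh keygen
    print("old KSK tag:", key_tag(old_ksk), "drift:", ds_drift(OWNER, old_ksk, registrar_ds))
    print("new KSK tag:", key_tag(regenerated), "drift:", ds_drift(OWNER, regenerated, registrar_ds))
```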
Hello,
since one of the latest updates I have had a lot of problems here with DNSSEC-enabled domains. Which files do I have to replace in Webmin and the paid version of Virtualmin, and what do I have to do to make it work again? Thank you for your help.
I can also confirm that with the replacement of the feature-dns.pl file everything is OK now. What I also noticed is that all secondary DNS entries, and also the IP addresses of these for notification, were gone for the domains where DNSSEC is enabled. I had to add these again, then everything was OK.