DNSSEC problems

SYSTEM INFORMATION
OS type and version: Debian Linux 11
Webmin version: 1.999
Virtualmin version: 7.1-1
Related packages: BIND 9.11

Got this issue, after upgrading from Debian 10 to 11:

Re-signing of mumu.ro failed : Failed to generate new zone key : dnssec-keygen: fatal: The -r option has been deprecated.
System random data is always used.

Anything I/you can do about it? I didn't see that lately. There is another post with something similar but no answers; I guess it was before you started working on Debian 11 compatibility: Dnssec-keygen: fatal: The -r option has been deprecated - DNSSEC cannot be enabled on Debian 11 (bullseye)

BTW it happens on both Pro and GPL


Hello,

What is the output of cat /etc/webmin/bind8/version on those systems which have that issue?

Thank you once again for responding Ilia!
9.11, exactly like in the field I filled in, on both Pro and GPL.

If you delete this file and re-visit the Webmin BIND module, does the version get updated?

You are right of course, there is a mismatch; never thought that accessing the page triggers a version check. It turns out that it is enough to just visit it and not delete the file first:

[root@ ~]# cat /etc/webmin/bind8/version
9.11
[root@ ~]# cat /etc/webmin/bind8/version
9.16

I will wait for the automatic resign to try again and post back if I still have that error. Thanks!
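The exchange above boils down to one check: the BIND version Webmin caches in /etc/webmin/bind8/version had stayed at 9.11 after the Debian 10 to 11 upgrade while the installed named was already 9.16, and visiting the BIND module refreshed it. The following script is an added example, not Webmin or Virtualmin code; it compares the cached value with what `named -v` reports so the mismatch can be caught before the next automatic re-sign fails. The cache path is the one from the thread; the `named -v` banner format and the sample banner are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not Webmin/Virtualmin code): detect a stale BIND version
# cached by Webmin in /etc/webmin/bind8/version, the condition behind the
# "dnssec-keygen: fatal: The -r option has been deprecated" re-sign failure
# discussed in the thread after the Debian 10 -> 11 upgrade.

# Extract "major.minor" from a `named -v` banner such as
# "BIND 9.16.27-Debian (Extended Support Version) <id:...>" (format assumed).
parse_named_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9]*\.[0-9]*\).*/\1/p'
}

# Succeed (exit 0) only when both values are present and differ.
version_mismatch() {
    cached=$1
    live=$2
    [ -n "$cached" ] && [ -n "$live" ] && [ "$cached" != "$live" ]
}

# Live check against the real cache file and the installed named binary.
# Prints the result and returns 1 on a mismatch so it can be used in cron.
check_webmin_bind_version() {
    cache_file=${1:-/etc/webmin/bind8/version}
    cached=$(cat "$cache_file" 2>/dev/null | tr -d '[:space:]')
    live=$(parse_named_version "$(named -v 2>/dev/null)")
    if version_mismatch "$cached" "$live"; then
        echo "MISMATCH: Webmin caches BIND $cached, named reports $live" >&2
        echo "Re-visit the Webmin BIND module (or remove $cache_file) so it re-detects." >&2
        return 1
    fi
    echo "OK: cached='$cached' live='$live'"
}

# Constructed sample banner so the parser can be exercised offline.
SAMPLE_BANNER='BIND 9.16.27-Debian (Extended Support Version) <id:0000000>'

# Run the live check only when explicitly asked: sh check-bind-version.sh --check
if [ "${1:-}" = "--check" ]; then
    check_webmin_bind_version
fi
```

Running it with `--check` on a server reproduces the thread's diagnosis: a cached 9.11 next to a live 9.16 is exactly the state that made Webmin generate keys with options the newer dnssec-keygen rejects.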

We stopped using DNSSEC with Virtualmin because of this bug but also other bugs with DNSSEC. For example you cannot disable DNSSEC from within the UI (only via console) as described here:

Also when you change for example an SPF setting or anything else within the “DNS options” Virtualmin generates completely new DNSSEC keys which need to be entered in the registrar again causing downtime of the domain and other issues. Not sure if it has to be like that to be honest but it’s really annoying. This needs to be better. As it is now it’s just impractical and the risk for something to break is too big.

I do not agree, not completely. It has some quirks as I also posted here DNSSEC keys changed after modiying DNS and Sender Policy Framework options - #3 by Ilia , but it is still usable. Could use some love though, yeah, but something like DNSSEC shouldn’t be simply dropped. Still not doing that even for good technical reasons: for a personal domain rather than dropping DNSSEC not working with nsupdate and dynamic IP (trying to end up with some local servers from home on the internet), I rather hooked a direct FO over a few houses between my home servers and the public servers, and transported a static IP.

For the moment yeah, it is stopped for my main domains, but only for convenience because I rebuilt everything; I am doing that every 3-5 years or so. Don’t know why, it is in my blood or something…

Sorry about that but this very annoying bug was fixed quite some time ago.

Hahah, but we still get those emails :slight_smile: and we still have the user options problem :slight_smile:

I’m sorry, which emails and what user options problem?

Sorry Ilia, I don’t have the time to browse your bugtracker all the time. I just stop using it for like 1-2 years and then try again and see if it’s fixed or I write my own Script or something to come around the issue. That’s the big benefit of Virtualmin - that it’s always possible to craft your own little solution around such issues. Cheers.

I am still getting the emails; here is a copy and paste from my post here, so I don't have to write all this down again:

I can confirm some of the weird behavior here. It is really a problem, as any action taken in Virtualmin's "DNS Options" generates a new DS. So this means, for me at least, that the domain is down and I have to input the new DS at the registrar, but for regular users it is a problem. I guess it shouldn't happen; it is not a desired outcome, given that regular users will use that area and in doing so they will break DNS resolution for no reason at all. Plus, if they access Virtualmin via their domain.name:port, I guess they are also locked out of Virtualmin, the only alternative being of course the direct IP or the name of the server itself, which is not very friendly and maybe not known.

What is more interesting is that I get a lot of email warnings every day about all the domains that can't be signed (it is great to get notified, that is not the complaint), including the ones that shouldn't have DNSSEC enabled and that don't have any keys... In fact, given that the DNSSEC domains mostly work, I only get emails about the ones that shouldn't have DNSSEC.

Maybe there is some setting that can help and is enabled in my case? Any thoughts on how I can get rid of this behavior?

What is the email content exactly that you’re getting?

Is DNSSEC for domains in question enabled? If not, how did you disable it?

The button "DNSSEC signature enabled" is always set to Yes and it displays the keys, but with a DS error: Failed to generate DS records : No DNSKEY record found for xyz.ro

The emails I get are about this:
Re-signing of xyz.ro failed : Could not find DNSSEC zone key record

Maybe something to do with the upgrade to Debian 11 again, though it happened on occasion on 10 also, consistently on 2 servers.

Later edit, just to be clear, tested again now: I set the option to No, which seems fine, clearing the key fields; nothing in the zone records anyway. After navigating away from the page, when I get back it is again set to Yes, I have the keys again and the DS error, and still nothing in the zone. The page is Domain > Server configuration > DNS options.

So you see, any save there is biting me in the proverbial a… :slight_smile:

What is the output of:

cat /etc/webmin/bind8/version

Well, that is something I cannot reproduce, unfortunately. But I am willing to assist. If you can provide remote access to your instance using the Virtualmin Support module, that would be helpful.

9.16 - I made sure yesterday to visit ALL the server pages on like 6 servers :grinning:

I will look into it, never used that.