We stopped using DNSSEC with Virtualmin because of this bug but also other bugs with DNSSEC. For example you cannot disable DNSSEC from within the UI (only via console) as described here:
Also when you change for example an SPF setting or anything else within the “DNS options” Virtualmin generates completely new DNSSEC keys which need to be entered in the registrar again causing downtime of the domain and other issues. Not sure if it has to be like that to be honest but it’s really annoying. This needs to be better. As it is now it’s just impractical and the risk for something to break is too big.
I do not agree, not completely. It has some quirks, as I also posted here: DNSSEC keys changed after modifying DNS and Sender Policy Framework options - #3 by Ilia, but it is still usable. Could use some love though, yeah, but something like DNSSEC shouldn’t simply be dropped. I am still not doing that, even for good technical reasons: for a personal domain, rather than dropping DNSSEC because it was not working with nsupdate and a dynamic IP (trying to end up with some local servers from home on the internet), I instead hooked a direct FO over a few houses between my home servers and the public servers, and transported a static IP.
For the moment yeah, it is stopped for my main domains, but only for convenience because I rebuilt everything; I am doing that every 3-5 years or so. Don’t know why, it is in my blood or something…
Sorry Ilia, I don’t have the time to browse your bugtracker all the time. I just stop using it for 1-2 years and then try again to see if it’s fixed, or I write my own script or something to work around the issue. That’s the big benefit of Virtualmin: it’s always possible to craft your own little solution around such issues. Cheers.
I am still getting the emails; just a copy&paste from my post here, so I don’t have to write all this down again:
I can confirm some of the weird behavior here. It is really a problem, as any action taken in Virtualmin’s “DNS Options” generates a new DS. So this means, for me at least, that the domain is down and I have to input the new DS at the registrar, but for regular users it is a problem. I guess it shouldn’t happen; it is not a desired outcome, given that regular users will use that area and in doing so will break DNS resolution for no reason at all. Plus, if they access Virtualmin via their domain.name:port, I guess they are also locked out of Virtualmin, the only alternative being of course the direct IP or the name of the server itself, which is not very friendly and maybe not known to them.
What is more interesting is that I get a lot of email warnings every day about all the domains that can’t be signed (it is super to get notified, no complaint about that), but including the ones that shouldn’t have DNSSEC enabled and that don’t have any keys… In fact, given that the DNSSEC domains mostly work, I only get emails about the ones that shouldn’t have DNSSEC.
Maybe there is some setting that can help and is enabled in my case? Any thoughts on how I can get rid of this behavior?
The button “DNSSEC signature enabled” is always set to Yes and it displays the keys, but with a DS error: Failed to generate DS records : No DNSKEY record found for xyz.ro
The emails I get are about this:
Re-signing of xyz.ro failed : Could not find DNSSEC zone key record
Maybe it has something to do with the upgrade to Debian 11 again, though it happened on occasion on 10 also, consistently on 2 servers.
Later edit, just to be clear, tested again now: I disabled the option (set it to No); it seems fine, clearing the key fields, and there is nothing in the zone records anyway. Navigating away from the page and coming back, it is again set to Yes, has the keys again and the DS error, and there is still nothing in the zone. The page is Domain > Server configuration > DNS options.
So you see, any save there is biting me in the proverbial a…
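A check of the kind this thread calls for, added here as an example and not code from Virtualmin or any poster: given the DNSKEY currently in the zone and the DS the registrar holds, it recomputes the key tag and SHA-256 digest (RFC 4034 / RFC 4509) and reports whether they still match, which is exactly what breaks when a save in DNS options regenerates the keys. The DNSKEY bytes are a constructed placeholder and the zone name xyz.ro is taken from the post above.

```python
import hashlib
import struct

# Constructed placeholder DNSKEY, not a real key: flags 257 (KSK with SEP bit),
# protocol 3, algorithm 13 (ECDSAP256SHA256), 64-byte public key.
ZONE = "xyz.ro."
CONSTRUCTED_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13,
                      "public_key": bytes(range(1, 65))}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire format of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["public_key"]


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner-name wire format || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()


def expected_ds(zone: str, key: dict) -> tuple:
    """The DS (key tag, algorithm, digest type, digest) the parent should publish."""
    rdata = dnskey_rdata(key)
    return (key_tag(rdata), key["algorithm"], 2, ds_digest(zone, rdata))


def ds_matches(zone: str, key: dict, parent_ds: tuple) -> bool:
    """True only if the DS held at the registrar still points at this zone's DNSKEY."""
    tag, alg, dtype, digest = parent_ds
    return (tag, alg, dtype, digest.upper()) == expected_ds(zone, key)


if __name__ == "__main__":
    ds = expected_ds(ZONE, CONSTRUCTED_DNSKEY)
    print("DS the registrar must hold:", ds)
    print("Registrar DS still valid:", ds_matches(ZONE, CONSTRUCTED_DNSKEY, ds))
```

In practice you would feed it the DNSKEY from the zone file Virtualmin wrote and the DS fetched from the parent (for example with dig DS), and alert when the function returns False.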