Fatal: Zone contains NSEC records

When I add a new DNS record, I get the following DNSSEC error:

Failed to save DNS record : Record was not fully saved : DNSSEC signing failed : DNSSEC signing after records change failed : dnssec-signzone: warning: addnode: NSEC node already exists dnssec-signzone: warning: addnode: NSEC node already exists dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3.

The record is added, but DNSSEC does not work. Any tips how to fix this?

OS type and version: CentOS-7
Webmin version: 1.990
Virtualmin version: 6.17 Pro
Related packages: bind-9.11.4-26.P2.el7_9.9.x86_64
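The fatal in the first post comes from dnssec-signzone being asked to sign with NSEC3 while the zone file on disk still carries an NSEC chain from an earlier signing; without -u it refuses to switch chains. The following is an added example (not from this thread and not Webmin or Virtualmin code) that inspects a signed zone file, reports which denial-of-existence scheme it currently uses, and says whether -u would be needed before re-signing. The three sample zone files it writes are constructed for the example, and the function names (zone_dnssec_mode, signzone_update_flag, make_sample_zones) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of Webmin/Virtualmin.
# Purpose: before re-signing, learn whether the zone file already carries an
# NSEC or NSEC3 chain so the "-u" update flag for dnssec-signzone can be chosen
# deliberately instead of hitting "Zone contains NSEC records. Use -u ...".

# zone_dnssec_mode FILE -> prints "nsec3", "nsec" or "unsigned".
# Walks each record line, skips the optional TTL and class columns and looks
# at the RR type column only (so an NSEC string inside TXT data is ignored).
zone_dnssec_mode() {
    awk '
        /^[[:space:]]*;/ || NF == 0 { next }          # comments and blank lines
        {
            i = 1
            if ($0 !~ /^[[:space:]]/) i++             # line has an owner name
            if ($i ~ /^[0-9]+$/) i++                  # optional TTL
            if ($i == "IN" || $i == "CH" || $i == "HS") i++   # optional class
            t = $i
            if (t == "NSEC3" || t == "NSEC3PARAM") nsec3 = 1
            else if (t == "NSEC") nsec = 1
        }
        END {
            if (nsec3) print "nsec3"
            else if (nsec) print "nsec"
            else print "unsigned"
        }' "$1"
}

# signzone_update_flag CURRENT REQUESTED -> prints "-u" when the existing chain
# differs from the one being requested ("nsec" or "nsec3"), otherwise nothing.
# Caveat: switching NSEC3 salt/iterations also needs -u; this simple check
# does not compare NSEC3PARAM values.
signzone_update_flag() {
    case "$1:$2" in
        nsec:nsec3|nsec3:nsec) echo "-u" ;;
        *) echo "" ;;
    esac
}

# make_sample_zones -> writes three constructed zone fragments into a temp
# directory and prints its path, so the example runs offline.
make_sample_zones() {
    dir=$(mktemp -d)
    cat > "$dir/nsec.zone" <<'EOF'
; constructed sample: zone previously signed with an NSEC chain
example.test.      3600 IN SOA  ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.      3600 IN NS   ns1.example.test.
example.test.      3600 IN NSEC ns1.example.test. NS SOA RRSIG NSEC DNSKEY
example.test.      3600 IN RRSIG NSEC 13 2 3600 20240201000000 20240101000000 12345 example.test. AAAA==
ns1.example.test.  3600 IN A    192.0.2.1
EOF
    cat > "$dir/nsec3.zone" <<'EOF'
; constructed sample: zone previously signed with an NSEC3 chain
example.test.      3600 IN SOA  ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.      0    IN NSEC3PARAM 1 0 10 AABBCCDD
ABCDEFGHIJKLMNOPQRSTUVWXYZ234567.example.test. 3600 IN NSEC3 1 0 10 AABBCCDD BCDEFGHIJKLMNOPQRSTUVWXYZ234567A NS SOA RRSIG DNSKEY NSEC3PARAM
EOF
    cat > "$dir/plain.zone" <<'EOF'
; constructed sample: unsigned zone
example.test.      3600 IN SOA  ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
ns1.example.test.  3600 IN A    192.0.2.1
EOF
    echo "$dir"
}

# Demo: report each sample's current chain and the flag needed to sign it as NSEP3.
samples=$(make_sample_zones)
for z in nsec nsec3 plain; do
    mode=$(zone_dnssec_mode "$samples/$z.zone")
    printf '%s.zone: current=%s  extra flag for NSEC3 signing: "%s"\n' \
        "$z" "$mode" "$(signzone_update_flag "$mode" nsec3)"
done
rm -rf "$samples"
```

Run it against a real signed zone (for example the file BIND reads, not the unsigned source) with `zone_dnssec_mode /path/to/zone.signed`; if it prints `nsec` and the signing configuration requests NSEC3, the re-sign must include `-u`, which is exactly the condition the error message above describes.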

I have downgraded webmin to version 1.984, this version is working fine and has no errors.

I have exactly the same issue with Webmin 1.990 (on Ubuntu 20.04 latest).

Downgrading to 1.984 also fixed the issue. Thank you @kgit for sharing your solution! It really saved my day!

@Joe Is this a regression in Webmin 1.990?

Note: Since the upgrade to 1.990, we also experienced some SASL IMAP login authentication errors (that triggered a ban) from one of our IP addresses, but it may be unrelated to Webmin and the version upgrade; I just wanted to mention it here while writing about a regression. We will now monitor with 1.983. Any clues?

EDIT: Never mind, figured it out.

How do you downgrade?

I did it in aptitude: selecting webmin, then hitting return, going down to the version to downgrade to, then hitting + and g twice.

However, since then I need to be careful to not automatically re-upgrade as I don’t want to fix the version forever to the downgraded version.

apt-mark hold webmin

will then keep it (until unholding it) at that version.

But I want to upgrade to the next one that hopefully fixes this big issue (@Joe @Jamie?)


Same problem, Ubuntu.

You can downgrade with: sudo apt install webmin=1.984 -y --allow-downgrades

Or use apt policy webmin if you want to roll back further and see the other available packages.

I’m not sure if it’s related or not, but the 1.990 update may have done more damage to BIND than just the resigning of DNSSEC records?

Just discovered that you can do this instead of having to manually keep track of when the next version comes out and unholding it:

aptitude forbid-version webmin=1.990

Feature suggestion: If packages are deselected within the update menu, they should remain this way, or at least have the option to omit in future?

The 1.990 update either 80% broke BIND or I had an issue with DNS poisoning too; the latter is probably more likely.

aptitude forbid-version webmin=1.990

Cool! Nice! Thank you! Just a note: It works fine with `aptitude`, but not with `apt upgrade` that doesn't take the forbid-version setting into account.

Ah, thanks. This was a good intro to aptitude for me. I think I’ll continue to use it.

This issue has been reported as Webmin bug #5552.

FYI, there is a fix for this issue in Webmin bug #5552 (Fatal error signing DNS zone).

This alone isn’t enough to break BIND DNS altogether, right? It would only affect DNSSEC chain validation?
