Fatal: Zone contains NSEC records

kgit · March 7, 2022, 6:03pm

When I add a new DNS record, I got the following DNSSEC error:

Failed to save DNS record : Record was not fully saved : DNSSEC signing failed : DNSSEC signing after records change failed : dnssec-signzone: warning: addnode: NSEC node already exists dnssec-signzone: warning: addnode: NSEC node already exists dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3.

The record is added, but DNSSEC does not work. Any tips how to fix this?

SYSTEM INFORMATION
OS type and version	CentOS-7
Webmin version	1.990
Virtualmin version	6.17 Pro
Related packages	bind-9.11.4-26.P2.el7_9.9.x86_64

kgit · March 7, 2022, 8:36pm

I have downgraded webmin to version 1.984, this version is working fine and has no errors.

beat · March 8, 2022, 12:11am

I have exactly the same issue with Webmin 1.990 (on Ubuntu 20.04 latest).

Downgrading to 1.984 also fixed the issue too. Thank you @kgit for sharing your solution! really saved my day!

@Joe Is this a regression in Webmin 1.990 ?

Note: Since the upgrade to 1.990, we also experienced some SASL IMAP login authentication errors (that triggered a ban) from one of our IP addresses, but it may be unrelated to webmin and version upgrade, just wanted to inform here while writing about a regression. We will now monitor with 1.983. Any clues ?

keenmouse · March 9, 2022, 8:20pm

EDIT: Never mind, figured it out.

How do you downgrade?

beat · March 9, 2022, 8:48pm

I did it in aptitude, selecting webmin, then hitting return, going down to the version to downgrade to, then hit + and 2 times g.

However, since then I need to be careful to not automatically re-upgrade as I don’t want to fix the version forever to the downgraded version.

apt-mark hold webmin

will then keep it (until unholding it) at that version.

But I want to upgrade to next one that hopefully fixes this big issue ( @Joe @Jamie ?)

1cloud · March 10, 2022, 12:37pm

Same problem, Ubuntu.

You can downgrade with - sudo apt install webmin=1.984 -y --allow-downgrades

Or use: apt policy webmin - if you’re wanting to roll back further to see other available packages.

I’m not sure if it’s related or not, but the 1.990 update may have done more damage to BIND than just the resigning of DNSSEC records?

keenmouse · March 10, 2022, 5:24pm

Just discovered that you can do this instead of having to manually keep track of when the next version comes out and unholding it:

aptitude forbid-version webmin=1.990

1cloud · March 10, 2022, 6:08pm

Feature suggestion: If packages are deselected within the update menu, they should remain this way, or at least have the option to omit in future?

1cloud · March 10, 2022, 6:40pm

The 1.990 update either 80% broke BIND or I had an issue with DNS poisoning too, the later’s probably more likely.

beat · March 10, 2022, 6:49pm

aptitude forbid-version webmin=1.990


Cool! Nice! Thank you! Just a note: It works fine with `aptitude`, but not with `apt upgrade` that doesn't take the forbid-version setting into account.

keenmouse · March 10, 2022, 7:50pm

Ah, thanks. This was a good intro to aptitude for me. I think I’ll continue to use it.

keenmouse · March 11, 2022, 6:29pm

This issue has been reported as Webmin bug #5552.

Jamie · March 11, 2022, 7:48pm

FYI, there is a fix for this issue in the Webmin bug Webmin / Bugs / #5552 Fatal error signing DNS zone

1cloud · March 11, 2022, 8:53pm

This alone isn’t enough to break BIND DNS altogether right, it would only effect DNSSEC chain validation?

system · March 19, 2022, 8:53pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.