No RRSIG correctly signed the SOA RRset


After having noticed a problem when renewing SLL certificates with Let’s Encrypt, I realised that I had an incomprehensible bug with DNSSEC (which crashes the let’s encrypt challenge).

This bug only appears on a handful of domain names (3 out of 22).

The errors seem to indicate a signature inconsistency at the SOA level, but that I clearly don’t understand:

• “Trying to verify SOA RRset with signature 36504 gave error ‘Bogus DNSSEC signature’.”
• “No RRSIG correctly signed the SOA RRset.”
• “Nameserver responded with an RRSIG which can not be verified with corresponding DNSKEY (with keytag 36504).”
• “Nameserver responded with an RRSIG which can not be verified with corresponding DNSKEY (with keytag 36504).”

Out of ideas, on a non critical domain, I even deleted the DNSSEC keys from my zone, the DS Record at my registrar, deleted the domain on my DNS Slave service, checked the zone file (which has no errors, is very trivial and is identical to other non problematic domains), put my slave back, recreated my DNSSEC keys and put my DS keys back at my registrar (without forgetting to restart bind when necessary).

The weird thing is that after this procedure, the problem seems to be solved for a few minutes, I can recreate my SSL certificates without any problem and the diagnostic tools don’t give me any error.

Then, again, the same error, as if something was wrong with the propagation (or else, when trying to create a new SSL certificate).

In short, I’m a bit lost, especially since this problem seems recent, at least since I did an update containing only Usermin (1.812 → 1.823), Webmin (1.962 → 1.973) and Webmin-virtual-server (6.14.gpl → 6.15.gpl), I receive every hour emails from the server telling me that the renewal has failed

If you have any ideas, I’m realy interested!

• DNSViz Results: | DNSViz
• ZoneMaster Results: Zonemaster
• Let’s Debug (http-01) Results: Let's Debug
• Let’s Debug (dns-01) Results: Let's Debug

OK, it’s a Virtualmin bug!

Let’s take the example of, when I create its SSL certificate, no problem, it works.

But as soon as I want to create the certificate of a sub-server (for example, the certificate refuses to be generated, indicating the error at the SOA level, which is also logically found on

To correct the problem, I have to resign the zone manually.

I guess that in the virtualmin script, when I try to create a sub-domain, it writes the challenge key for the zone, but does not re-sign it before launching the challenge, which leads to the error.

Thanks for the tip, I’ll try to make a post on the virtualmin forum to report the bug.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.