Possible BIND subdomain MX validation logic bug? ("Error: This domain has email enabled, but none of the MX records point to it.")

Virtualmin
1

(Reposting per @Joe’s suggestion.)

I’ve encountered an odd situation for a subdomain hosted on a virtualmin server where this same error is displayed.

This subdomain is hosted on a virtualmin server, and BIND on the server is the primary just for sub.domain.tld . As you can see, I’ve configured nameservers for the domain to delegate to this server’s BIND just for this hosted subdomain. This configuration works as expected.

Here’s my DNS zone for sub.domain.tld on the Virtualmin server:

$ttl 38400
sub.domain.tld.	IN	SOA	ns1.sub.domain.tld dnsadmin.domain.tld. (
			1577990093
			3M
			3600
			604800
			38400 )

sub.domain.tld.		IN	NS	ns1.sub.domain.tld.
sub.domain.tld.		IN	NS	ns2.otherdnsprovider.tld. ; the glue record

sub.domain.tld.		IN	A	10.10.0.1
ns1.sub.domain.tld.	IN	A	10.10.0.1
sub.domain.tld.		IN	MX	5 mail.sub.domain.tld.
mail.sub.domain.tld.	IN	A	10.10.0.1

localhost.sub.domain.tld.	IN	A	127.0.0.1
webmail.sub.domain.tld.	IN	A	10.10.0.1
admin.sub.domain.tld.	IN	A	10.10.0.1

sub.domain.tld.	IN	TXT	"v=spf1 a mx a:sub.domain.tld ip4:10.10.0.1 -all"

; https://www.zytrax.com/books/dns/ch9/delegate.html
; https://www.zytrax.com/books/dns/ch8/origin.html

@	IN	CAA	0 issuewild "letsencrypt.org"
@	IN	CAA	0 issuewild "sectigo.com"
@	IN	CAA	0 iodef "mailto:dnsadmin@domain.tld"

Originally I created the record manually in webmin, then later added the web site. I did not create the DNS zone when I set up the virtual site, instead leaving the existing minimal zonefile in place, then I executed the virtualmin enable-feature --domain sub.domain.tld --dns --associate command to allow Virtualmin to control the existing zone.

After that I added some of the other required records, as you can see above.

I’ve tried changing the order for the A and MX records, I’ve tried changing to relative records (mail.sub instead of a FQDN), no change. To me this looks like a correct and complete zone.

Is the Virtualmin record validation expecting an MX record to also be present for the ‘root’ domain.tld domain? If so that’ll never happen and isn’t correct; only the subdomain’s DNS records are hosted on the virtualmin server.

2

I’m not actually sure what the problem is here, but I can clarify a couple of points you’ve asked about:

It is not expecting an MX record for domains Virtualmin isn’t responsible for (e.g. domain.tld in this scenario). Virtualmin doesn’t think about domains that way; they’re both just names. domain.tld is a completely different name from sub.domain.tld. They could both be hosted by the Virtualmin server, and could (or not) have the same owner. But they aren’t the same, according to Virtualmin (nor should they be).

Order of records also doesn’t matter to Virtualmin (or BIND), in general (though there are some parts that I think need to be in order, the records aren’t among them, AFAIK). You don’t need to try to massage the order of records into something Virtualmin will recognize.

Can you run named-checkconf and/or named-checkzone against your config and zone file? I don’t see anything wrong, but the machine might catch something I’m missing.

3

Nope, checkconf was fine and checkzone returned an OK! Weird…