| OS type and version: | Ubuntu 20.04.3 / Kernel 5.4.0-90 |
|---|---|
| Related products version: | bind 9.16.1-0ubuntu2.9 |
I have encountered the following situation multiple times now:
I am using Hurricane Electric (HE, dns.he.net) as secondary DNS for my Virtualmin server. I am also using Let’s Encrypt certificates and DNSSEC.
Now every time Let's Encrypt certificates are updated, I get an error message about DANE TLSA records not being correct.
I verified them in the DNS config for the specific domain and in the Hurricane Electric DNS panel, and they do not match. After dig-ing both the primary (Virtualmin) and the secondary (HE), I noticed that both showed the old value (not the one in the DNS config), so I restarted bind, and now I am seeing both show the new value for the TLSA records.
I guess there is some reload/restart of bind missing after the TLSA records are updated following a Let's Encrypt certificate renewal. Maybe someone can verify that / look into that … or tell me that I am wrong and what I am doing wrong.
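A scripted version of the check described above, added here as an example and not part of the original post: compute the TLSA RDATA that the renewed certificate's public key should produce and compare it with what the primary and the secondary actually answer, so a stale server shows up without eyeballing hashes. It assumes the zone publishes the common DANE-EE form `3 1 1` under `_443._tcp.example.com` (names are placeholders); the key bytes and the dig output are constructed.

```python
import hashlib
import re

# Constructed stand-in for the renewed certificate's DER SubjectPublicKeyInfo
# (P-256 shape; the point bytes are dummy). A real one comes from
#   openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER
SAMPLE_SPKI_DER = (
    bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")
    + b"\x11" * 64
)

def tlsa_3_1_1(spki_der: bytes) -> str:
    """RDATA of a DANE-EE (3) / SPKI (1) / SHA-256 (1) record for this key."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

# Matches one answer line of `dig TLSA _443._tcp.<host> @<server>`.
TLSA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9a-fA-F\s]+)$")

def parse_tlsa_answers(dig_output: str) -> set[str]:
    """Set of 'usage selector matching hexhash' strings found in dig's answer section."""
    found = set()
    for line in dig_output.splitlines():
        m = TLSA_RE.match(line.strip())
        if m:  # the hash may be wrapped over several whitespace-separated chunks
            hexhash = "".join(m.group(5).split()).lower()
            found.add(f"{m.group(2)} {m.group(3)} {m.group(4)} {hexhash}")
    return found

def stale_servers(expected: str, answers: dict[str, str]) -> list[str]:
    """Servers whose answer lacks the RDATA computed from the live certificate."""
    return sorted(n for n, out in answers.items() if expected not in parse_tlsa_answers(out))

EXPECTED = tlsa_3_1_1(SAMPLE_SPKI_DER)
OLD_HEX = "ab" * 32  # constructed hash of the pre-renewal key

# Constructed dig answer sections: primary reloaded, secondary still serving old data.
DIG_ANSWERS = {
    "virtualmin-primary": f"_443._tcp.example.com.\t3600\tIN\tTLSA\t{EXPECTED}\n",
    "he-secondary": f"_443._tcp.example.com.\t3600\tIN\tTLSA\t3 1 1 {OLD_HEX}\n",
}

if __name__ == "__main__":
    print("expected:", EXPECTED)
    for server in stale_servers(EXPECTED, DIG_ANSWERS):
        print(f"{server}: stale TLSA answer (bind reload or zone transfer missing?)")
```

Run it against real servers by replacing `DIG_ANSWERS` with the captured output of `dig TLSA _443._tcp.<host> @<primary>` and `@<secondary>`; a server listed as stale is the one that has not picked up the post-renewal zone.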