Unable to enable DNSSEC

SYSTEM INFORMATION
OS type and version: Debian 10
Webmin version: 1.981
Virtualmin version: 6.17.gpl-3
Related products version: bind9 - 1:9.11.5.P4+dfsg-5.1+deb10u6

Recently noticed that enabling DNSSEC on a domain through Virtualmin fails in a spectacular fashion, also resetting any modification done to the zone.
Somewhat relevant log lines include:

Nov  3 12:42:01 aardvark named[19607]: zone x.no/IN: loaded serial 2021110303 (DNSSEC signed)
Nov  3 12:42:01 aardvark named[19607]: zone x.no/IN: sending notifies (serial 2021110303)
Nov  3 12:42:01 aardvark named[19607]: client @0x7fcd90547970 123.123.123.123#35405 (x.no): transfer of 'x.no/IN': AXFR-style IXFR started (serial 2021110303)
Nov  3 12:42:01 aardvark named[19607]: client @0x7fcd90547970 123.123.123.123#35405 (x.no): transfer of 'x.no/IN': AXFR-style IXFR ended
Nov  3 12:42:06 aardvark named[19607]: zone x.no/IN: zone serial (2021110301/2021110303) has gone backwards
Nov  3 12:42:06 aardvark named[19607]: zone x.no/IN: loaded serial 2021110301
Nov  3 12:42:06 aardvark named[19607]: zone x.no/IN: sending notifies (serial 2021110301)
Nov  3 12:42:08 aardvark named[19607]: received SIGHUP signal to reload zones

Do let me know what else is needed, but I did enable debug and it doesn’t show much else, apart from the fact that it seems to restart.

It’s worth noting that a domain I have that has DNSSEC enabled since before summer is still working, with resigning being done as expected.
To exclude any “old” issues on this Debian install I also tried on a fresh Ubuntu server with the same issues, and also on a CentOS 8 server just to exclude any weird stuff being pulled in by .deb updates.

Any thoughts on this, and hints on how to proceed further?

Thanks,
/Tore

Updating this;

I did a new test with a fresh install of Debian 10 and installed Virtualmin (6.17-3), did the wizard and added a test domain.
As expected, enabling DNSSEC fails:

zone blabla.com/IN: zone serial (2021110901/2021110916) has gone backwards

Then I did a downgrade of webmin-virtual-server to 6.16 and enabling DNSSEC started working!
Disabled and enabled a few times successfully, then upgraded to 6.17 and it broke again.

Looking through the changelogs I can’t see anything that should be relevant to this changing between 6.16 and 6.17, but maybe @Joe or @Ilia knows otherwise?

So for my “production” server, downgrading, enabling DNSSEC and then upgrading again would be a plausible work-around but it does seem rather counter-productive.

Thanks,
/Tore

Hi,

Thanks for the heads up. This question is better addressed to @Jamie.

Just a further update to this, I tried from the command line using ‘virtualmin modify-dns --domain domain.tld --enable-dnssec’ and that works! Don’t know why I didn’t think of that before.
At least I am able to enable it for the remaining domains, but it still would be nice if whatever changed in Virtualmin/Webmin could be fixed so it works from the GUI again also 🙂

Which page in the GUI did you enable DNSSEC on that failed?

Virtualmin → Select domain → Server Configuration → DNS Options → DNSSEC signature enabled.
Are there other places to do it?

Yes, that’s the correct place.

What other error messages are you getting other than “zone serial has gone backwards” ?

No real error message either.
The following snippet is from the moment I click “Save” until it finishes without actually doing anything.

12-Nov-2021 05:13:31.020 zone_settimer: zone test.tld/IN: enter
12-Nov-2021 05:13:31.020 running
12-Nov-2021 05:13:55.019 zone_timer: managed-keys-zone: enter
12-Nov-2021 05:13:55.019 zone_maintenance: managed-keys-zone: enter
12-Nov-2021 05:13:55.019 zone_dump: managed-keys-zone: enter
12-Nov-2021 05:13:55.019 zone_settimer: managed-keys-zone: enter
12-Nov-2021 05:13:55.019 zone_gotwritehandle: managed-keys-zone: enter
12-Nov-2021 05:13:55.022 dump_done: managed-keys-zone: enter
12-Nov-2021 05:13:55.022 journal file managed-keys.bind.jnw does not exist, creating it
12-Nov-2021 05:13:55.022 managed-keys-zone: dns_journal_compact: success
12-Nov-2021 05:14:23.347 received control channel command ‘freeze test.tld IN’
12-Nov-2021 05:14:24.368 received control channel command ‘freeze test.tld’
12-Nov-2021 05:14:25.378 received control channel command ‘reload test.tld’
12-Nov-2021 05:14:25.378 zone test.tld/IN: starting load
12-Nov-2021 05:14:25.378 zone_loaddone: zone test.tld/IN: enter
12-Nov-2021 05:14:25.378 zone test.tld/IN: number of nodes in database: 8
12-Nov-2021 05:14:25.378 zone test.tld/IN: loaded; checking validity
12-Nov-2021 05:14:25.379 zone test.tld/IN: replacing zone database
12-Nov-2021 05:14:25.379 calling free_rbtdb(test.tld)
12-Nov-2021 05:14:25.379 done free_rbtdb(test.tld)
12-Nov-2021 05:14:25.379 zone_settimer: zone test.tld/IN: enter
12-Nov-2021 05:14:25.379 zone test.tld/IN: loaded serial 2021111201
12-Nov-2021 05:14:25.379 zone_timer: zone test.tld/IN: enter
12-Nov-2021 05:14:25.379 zone_maintenance: zone test.tld/IN: enter
12-Nov-2021 05:14:25.379 zone_settimer: zone test.tld/IN: enter
12-Nov-2021 05:14:26.388 received control channel command ‘thaw test.tld’
12-Nov-2021 05:14:26.388 thawing zone ‘test.tld/IN’: success
12-Nov-2021 05:14:27.409 received control channel command ‘freeze test.tld IN’
12-Nov-2021 05:14:28.428 received control channel command ‘freeze test.tld IN’
12-Nov-2021 05:14:29.760 received control channel command ‘freeze test.tld’
12-Nov-2021 05:14:30.771 received control channel command ‘reload test.tld’
12-Nov-2021 05:14:30.771 zone test.tld/IN: starting load
12-Nov-2021 05:14:30.772 zone_loaddone: zone test.tld/IN: enter
12-Nov-2021 05:14:30.772 zone test.tld/IN: number of nodes in database: 8
12-Nov-2021 05:14:30.772 zone test.tld/IN: loaded; checking validity
12-Nov-2021 05:14:30.772 zone test.tld/IN: replacing zone database
12-Nov-2021 05:14:30.772 calling free_rbtdb(test.tld)
12-Nov-2021 05:14:30.772 done free_rbtdb(test.tld)
12-Nov-2021 05:14:30.772 zone_settimer: zone test.tld/IN: enter
12-Nov-2021 05:14:30.772 zone test.tld/IN: loaded serial 2021111203 (DNSSEC signed)
12-Nov-2021 05:14:30.772 zone_timer: zone test.tld/IN: enter
12-Nov-2021 05:14:30.772 zone_maintenance: zone test.tld/IN: enter
12-Nov-2021 05:14:30.772 zone_settimer: zone test.tld/IN: enter
12-Nov-2021 05:14:31.782 received control channel command ‘thaw test.tld’
12-Nov-2021 05:14:31.782 thawing zone ‘test.tld/IN’: success
12-Nov-2021 05:14:32.794 received control channel command ‘freeze test.tld IN’
12-Nov-2021 05:14:34.009 received control channel command ‘freeze test.tld’
12-Nov-2021 05:14:35.019 received control channel command ‘reload test.tld’
12-Nov-2021 05:14:35.019 zone test.tld/IN: starting load
12-Nov-2021 05:14:35.019 zone_loaddone: zone test.tld/IN: enter
12-Nov-2021 05:14:35.019 zone test.tld/IN: number of nodes in database: 8
12-Nov-2021 05:14:35.019 zone test.tld/IN: loaded; checking validity
12-Nov-2021 05:14:35.020 zone test.tld/IN: zone serial (2021111201/2021111203) has gone backwards
12-Nov-2021 05:14:35.020 zone test.tld/IN: replacing zone database
12-Nov-2021 05:14:35.020 calling free_rbtdb(test.tld)
12-Nov-2021 05:14:35.020 done free_rbtdb(test.tld)
12-Nov-2021 05:14:35.020 zone_settimer: zone test.tld/IN: enter
12-Nov-2021 05:14:35.020 zone test.tld/IN: loaded serial 2021111201
12-Nov-2021 05:14:35.772 zone_timer: zone test.tld/IN: enter
12-Nov-2021 05:14:35.772 zone_maintenance: zone test.tld/IN: enter
12-Nov-2021 05:14:35.772 zone_settimer: zone test.tld/IN: enter
12-Nov-2021 05:14:36.029 received control channel command ‘thaw test.tld’
12-Nov-2021 05:14:36.029 thawing zone ‘test.tld/IN’: success
12-Nov-2021 05:14:37.034 received SIGHUP signal to reload zones
12-Nov-2021 05:14:37.034 loading configuration from ‘/etc/bind/named.conf’
12-Nov-2021 05:14:37.034 reading built-in trust anchors from file ‘/etc/bind/bind.keys’
12-Nov-2021 05:14:37.034 set maximum stack size to 18446744073709551615: success
12-Nov-2021 05:14:37.034 set maximum data size to 18446744073709551615: success
12-Nov-2021 05:14:37.034 set maximum core size to 18446744073709551615: success
12-Nov-2021 05:14:37.034 set maximum open files to 18446744073709551615: success
12-Nov-2021 05:14:37.034 initializing GeoIP Country (IPv4) (type 1) DB
12-Nov-2021 05:14:37.034 GEO-106FREE 20181108 Build
12-Nov-2021 05:14:37.034 initializing GeoIP Country (IPv6) (type 12) DB
12-Nov-2021 05:14:37.034 GEO-106FREE 20181108 Build
12-Nov-2021 05:14:37.034 GeoIP City (IPv4) (type 2) DB not available
12-Nov-2021 05:14:37.034 GeoIP City (IPv4) (type 6) DB not available
12-Nov-2021 05:14:37.034 GeoIP City (IPv6) (type 30) DB not available
12-Nov-2021 05:14:37.034 GeoIP City (IPv6) (type 31) DB not available
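
Added example, not part of any post in this thread: a small Python check that scans named log lines in the two formats quoted above and reports every load where a zone that was "DNSSEC signed" is replaced by an unsigned copy or its serial moves backwards. The function names, the zones `example.test` and `other.test`, and the host `ns1` are constructed for illustration.

```python
import re

# Patterns follow the named messages quoted in this thread.
LOADED = re.compile(r"zone (\S+)/IN: loaded serial (\d+)( \(DNSSEC signed\))?")
BACKWARDS = re.compile(r"zone (\S+)/IN: zone serial \((\d+)/(\d+)\) has gone backwards")

def serial_lt(a, b):
    """RFC 1982 comparison of 32-bit SOA serials: True if a is older than b."""
    return a != b and ((b - a) % 2**32) < 2**31

def find_dnssec_rollbacks(lines):
    """One finding per load that dropped signing or moved the serial backwards."""
    state = {}      # zone -> (serial, signed) from the previous load
    warned = set()  # zones for which named itself logged "gone backwards"
    findings = []
    for line in lines:
        m = BACKWARDS.search(line)
        if m:
            warned.add(m.group(1))
            continue
        m = LOADED.search(line)
        if not m:
            continue
        zone, serial, signed = m.group(1), int(m.group(2)), m.group(3) is not None
        prev = state.get(zone)
        if prev:
            lost_signing = prev[1] and not signed
            went_back = serial_lt(serial, prev[0])
            if lost_signing or went_back:
                findings.append({
                    "zone": zone, "old_serial": prev[0], "new_serial": serial,
                    "lost_signing": lost_signing, "serial_backwards": went_back,
                    "named_warned": zone in warned})
        warned.discard(zone)
        state[zone] = (serial, signed)
    return findings

# Constructed sample lines (named debug-log format and syslog format).
SAMPLE = [
    "12-Nov-2021 05:14:25.379 zone example.test/IN: loaded serial 2021111201",
    "12-Nov-2021 05:14:30.772 zone example.test/IN: loaded serial 2021111203 (DNSSEC signed)",
    "12-Nov-2021 05:14:35.020 zone example.test/IN: zone serial (2021111201/2021111203) has gone backwards",
    "12-Nov-2021 05:14:35.020 zone example.test/IN: loaded serial 2021111201",
    "Nov  3 12:42:01 ns1 named[1000]: zone other.test/IN: loaded serial 2021110303 (DNSSEC signed)",
    "Nov  3 12:50:00 ns1 named[1000]: zone other.test/IN: loaded serial 2021110304 (DNSSEC signed)",
]

if __name__ == "__main__":
    for finding in find_dnssec_rollbacks(SAMPLE):
        print(finding)
```

Running it over the live log (for example the file named writes its debug channel to) gives an early signal that a zone has silently fallen back to an unsigned copy, which the GUI in this thread did not report.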

If you disable and then re-enable DNSSEC on that page, and then go to Webmin → Webmin Actions Log, does it show any config file changes associated with those actions?

Sent you a screenshot of the entire page in PM.

Thanks, taking a look now …

Ok, I see the cause of this bug now - it will be fixed in the next Virtualmin release.

Excellent, thanks for the help. 🙂