BUG maybe? SSHFP DNS records causing zone check to fail and preventing named from starting

Hi,

Recently, SSHFP records were automatically added to some of my DNS zones. Expected behaviour, I believe, as a result of a recent (last month) change to Virtualmin.

It took me a while to notice them, and the fact that some of the created records were preventing the modified zones from being loaded by the named service (on CentOS 7).

Although these are not the actual records or hashes, the following indicates the records added to one zone. The 3 of 6 records that failed are marked with a [*]:

example.com. IN SSHFP 1 1 ce80eacddd4a10eeeb6376ee2ad9c5fc68c0f331
www.example.com. IN SSHFP 1 1 ce80eacddd4a10eeeb6376ee2ad9c5fc68c0f331 [*]
example.com. IN SSHFP 3 1 9aeb1942ebf467c2ed9de8120ecbd9488e12a2a9
www.example.com. IN SSHFP 3 1 9aeb1942ebf467c2ed9de8120ecbd9488e12a2a9 [*]
example.com. IN SSHFP 4 1 7eff4d29259c0f6ce19155d71abb11d418fea50c
www.example.com. IN SSHFP 4 1 7eff4d29259c0f6ce19155d71abb11d418fea50c [*]

The error appears to be:

dns_master_load: /var/named/example.com.hosts:134: www.example.com: CNAME and other data
dns_master_load: /var/named/example.com.hosts:136: www.example.com: CNAME and other data
dns_master_load: /var/named/example.com.hosts:138: www.example.com: CNAME and other data

For now I have removed all 6 entries and the zones load fine as a result, but I am concerned that they may reappear in the future. The release notes hinted that SSHFP records now get created at the same time as TLSA records. I don't recall manually creating any new TLSA records recently (I think that was done last year as part of configuring DNSSEC, and they probably get refreshed every 3 weeks).

4 of my zones suffered similar issues. Each had 6 SSHFP records added, of which 3 failed zone checks.

As they are not entries I am explicitly adding myself, I'm at a bit of a loss what to do (apart from disabling DNSSEC/TLSA, maybe). It seems to me that the www SSHFP records should not be created, because 'www' is a CNAME and 'CNAME and other data' is a violation.

I'm running:

Bind: 9.9.4-RedHat-9.9.4-38.el7_3.2
Operating system: CentOS Linux 7.3.1611
Kernel and CPU: Linux 3.10.0-514.6.1.el7.x86_64 on x86_64

Suggestions?

J.

Status: Closed (fixed)

Comments

Did you make some change to the default template that makes www a CNAME record? Because by default it's just an IP address.

Not that I can recall, but then most of the virtual servers were imports from cPanel-based sources that had been migrated several times over the years. I think I only have 1 virtual server, created about 2 years ago, freshly on this Virtualmin installation. It is quite possible that I mapped ftp/www manually using CNAMEs because that's what the other virtual servers did.

I'm not clear either on why SSHFP records are being created for 'www' (is it related to HTTPS being enabled?).

OK, I manually changed the CNAMEs to A records and it's OK, but I'm surprised that TLSA records were created for the CNAMEs.

Is using CNAMEs considered bad practice? e.g. www -> domain-name etc.

This is really a Virtualmin bug - it shouldn't create records that clash with CNAMEs. I will fix this in the next release.

Status: Active » Fixed
Status: Fixed » Closed (fixed)
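The check the report asks for, and the fix described in the comment above, as an added example that is not Virtualmin's or BIND's code: parse the zone, flag any owner name that has a CNAME plus other data (the condition behind the dns_master_load "CNAME and other data" error, RFC 1034 section 3.6.2, with the RRSIG/NSEC exception from RFC 4035), and drop generated SSHFP records whose owner is a CNAME before they are written to the zone. The sample zone, the function names and the fingerprints are constructed for illustration (the fingerprints are the placeholder values quoted in the report, not real keys); only single-line master-file records are parsed.

```python
"""Detect 'CNAME and other data' conflicts in a BIND zone and filter new
records so none are added at a CNAME owner.

Added example for this thread; it is not Virtualmin's or BIND's code.
The zone text and SSHFP fingerprints below are constructed sample data.
Only single-line records are parsed, which is enough for this illustration.
"""
from collections import defaultdict

# Constructed sample zone: 'www' and 'ftp' are CNAMEs pointing at the apex,
# which is the layout the reporter describes.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@     IN SOA   ns1.example.com. hostmaster.example.com. ( 2017010101 7200 3600 1209600 3600 )
@     IN NS    ns1.example.com.
@     IN A     192.0.2.10
ns1   IN A     192.0.2.1
www   IN CNAME example.com.
ftp   IN CNAME example.com.
mail  IN A     192.0.2.20
"""

# The six SSHFP records the panel generated (constructed; algorithm 1=RSA,
# 3=ECDSA, 4=Ed25519, fingerprint type 1=SHA-1), as (owner, type, rdata).
CANDIDATE_SSHFP = [
    ("example.com.",     "SSHFP", "1 1 ce80eacddd4a10eeeb6376ee2ad9c5fc68c0f331"),
    ("www.example.com.", "SSHFP", "1 1 ce80eacddd4a10eeeb6376ee2ad9c5fc68c0f331"),
    ("example.com.",     "SSHFP", "3 1 9aeb1942ebf467c2ed9de8120ecbd9488e12a2a9"),
    ("www.example.com.", "SSHFP", "3 1 9aeb1942ebf467c2ed9de8120ecbd9488e12a2a9"),
    ("example.com.",     "SSHFP", "4 1 7eff4d29259c0f6ce19155d71abb11d418fea50c"),
    ("www.example.com.", "SSHFP", "4 1 7eff4d29259c0f6ce19155d71abb11d418fea50c"),
]

# RFC 4035 section 2.5: a CNAME owner may also carry RRSIG and NSEC (and
# NSEC3 per RFC 5155); any other type alongside a CNAME is the
# "CNAME and other data" error that named reports at load time.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC", "NSEC3"}
CLASSES = {"IN", "CH", "HS"}


def canonical(name, origin):
    """Return a lower-cased, fully qualified owner name."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    if origin is None:
        raise ValueError("relative name %r with no $ORIGIN" % name)
    return (name + "." + origin).lower()


def parse_zone(text, origin=None):
    """Parse single-line master-file records into (owner, type, rdata) tuples."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        # A line that starts with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if tokens and tokens[0].isdigit():            # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:   # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        last_owner = owner
        records.append((canonical(owner, origin), rtype, rdata))
    return records


def find_cname_conflicts(records):
    """Map each CNAME owner that also has other data to the offending types."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)
    return {
        owner: sorted(types - ALLOWED_WITH_CNAME)
        for owner, types in types_by_owner.items()
        if "CNAME" in types and types - ALLOWED_WITH_CNAME
    }


def filter_for_cname_owners(zone_records, new_records):
    """Split new records into those safe to add and those whose owner is a CNAME."""
    cname_owners = {owner for owner, rtype, _ in zone_records if rtype == "CNAME"}
    kept, skipped = [], []
    for owner, rtype, rdata in new_records:
        rec = (owner.lower(), rtype, rdata)
        (skipped if rec[0] in cname_owners else kept).append(rec)
    return kept, skipped


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("naive append:", find_cname_conflicts(zone + CANDIDATE_SSHFP))
    kept, skipped = filter_for_cname_owners(zone, CANDIDATE_SSHFP)
    for owner, rtype, rdata in skipped:
        print("skipped (owner is a CNAME):", owner, rtype, rdata)
    print("after filtering:", find_cname_conflicts(zone + kept))
```

On a live BIND host the authoritative check is `named-checkzone example.com /var/named/example.com.hosts`, which uses the same loader as named and reports the identical "CNAME and other data" error; running it before reloading lets a generator catch a clash without taking the zone offline.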

Automatically closed - issue fixed for 2 weeks with no activity.