DNSSEC not recognised by NAMED for some DNSSEC enabled Virtualmin servers

Hi,

I have 5 domains on my virtualmin installation. I used the "Setup DNSSEC Key" facility per Virtualmin server and put the DS info into the parent zone registrars.

When BIND starts, it only recognises 2 of the domains as being (DNSSEC signed) as per the system logs. The other 3 are not so marked in the system logs.

The 2 domains that are recognised by named were the only 2 created fresh in Virtualmin recently; the other 3 were migrated years ago from cPanel installs, so I'm wondering if there is something extra done as part of DNSSEC being enabled in the system default templates for new virtual servers that might not be done for old servers that just had DNSSEC enabled via the Setup DNSSEC Key facility?

All of the virtual servers have DNSSEC keys displayed in Webmin/Virtualmin and there are RRSIG entries in the zone files, so the autogeneration stuff is working, but for some reason only 2 are being noticed as DNSSEC signed on named restart.

Any suggestions?

Thank you

Jason

Status: 
Closed (fixed)

Comments

Does it help if you disable and then re-enable DNSSEC for one of the problem domains, at Webmin -> Servers -> BIND DNS Server?

Hi Jamie,

I tried removing the DNSSEC key using the "Remove Key" option under "Webmin -> Servers -> BIND DNS Server -> zone -> Setup DNSSEC Key" and then generating a new one, but still the named process doesn't seem to recognise it as DNSSEC signed and is not serving the DNSSEC records, whereas for the 2 it does recognise and report as signed in the system logs, it does.

Here's a snippet of the System log.

Mar 30 20:01:57 svr1 named[3139]: managed-keys-zone: loaded serial 269
Mar 30 20:01:57 svr1 named[3139]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 30 20:01:57 svr1 named[3139]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 2
Mar 30 20:01:57 svr1 named[3139]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 2
Mar 30 20:01:57 svr1 named[3139]: zone localhost.localdomain/IN: loaded serial 2
Mar 30 20:01:57 svr1 named[3139]: zone localhost/IN: loaded serial 2
Mar 30 20:01:57 svr1 named[3139]: zone working-signed-example.email/IN: loaded serial 2017032603 (DNSSEC signed)
Mar 30 20:01:57 svr1 named[3139]: zone working-signed-example2.email/IN: loaded serial 2017032607 (DNSSEC signed)
Mar 30 20:01:57 svr1 named[3139]: zone failing-example1.co.uk/IN: loaded serial 2017033014
Mar 30 20:01:57 svr1 named[3139]: zone failing-example2.com/IN: loaded serial 2017032608
Mar 30 20:01:57 svr1 named[3139]: zone not-signed.ws/IN: loaded serial 2017032600
Mar 30 20:01:57 svr1 named[3139]: zone failing-example3.com/IN: loaded serial 2017032605
Mar 30 20:01:57 svr1 named[3139]: all zones loaded

I've changed the names, but failing-example1.co.uk and the two others (both .com) are also signed but not being detected as such. I have removed and then regenerated the key for failing-example1.co.uk a couple of times. I can't see any errors being reported in the webmin/miniserv/system logs when I do removal or re-signing. Also no error is reported when applying the zones or restarting BIND.

If you would like the BIND .hosts files I'm happy to share them, but want to check on who can see 'added' files? [So do I need to obscure the domain names in the files?]

Hi Jamie,

I found out why the 3 zones were not being handled properly. There is a bug in bind8-lib.pl.

Around line 3400 you had this:

# Merge records back into original file, by deleting all NSEC and RRSIG records
# and then copying over
for(my $i=$#recs; $i>=0; $i--) {
        if ($recs[$i]->{'type'} eq 'NSEC' ||
            $recs[$i]->{'type'} eq 'NSEC3' ||
            $recs[$i]->{'type'} eq 'RRSIG') {
                &delete_record($fn, $recs[$i]);
                }
        }
my @signedrecs = &read_zone_file($fn.".webmin-signed", $dom);
foreach my $r (@signedrecs) {
        if ($r->{'type'} eq 'NSEC' ||
            $r->{'type'} eq 'NSEC3' ||
            $r->{'type'} eq 'RRSIG') {
                &create_record($fn, $r->{'name'}, $r->{'ttl'}, $r->{'class'},
                               $r->{'type'}, join(" ", @{$r->{'values'}}),
                               $r->{'comment'});
                }
        }

and it was not handling NSEC3PARAM Resource Records. So depending on which Algorithm was chosen for DNSSEC it was creating signed zone files that worked for some algorithms and not for others.

I added $recs[$i]->{'type'} eq 'NSEC3PARAM' || to both loops:

# Merge records back into original file, by deleting all NSEC, NSEC3,
# NSEC3PARAM and RRSIG records and then copying over the ones from the
# signed file
for(my $i=$#recs; $i>=0; $i--) {
        if ($recs[$i]->{'type'} eq 'NSEC' ||
            $recs[$i]->{'type'} eq 'NSEC3' ||
            $recs[$i]->{'type'} eq 'NSEC3PARAM' ||
            $recs[$i]->{'type'} eq 'RRSIG') {
                &delete_record($fn, $recs[$i]);
                }
        }
my @signedrecs = &read_zone_file($fn.".webmin-signed", $dom);
foreach my $r (@signedrecs) {
        if ($r->{'type'} eq 'NSEC' ||
            $r->{'type'} eq 'NSEC3' ||
            $r->{'type'} eq 'NSEC3PARAM' ||
            $r->{'type'} eq 'RRSIG') {
                &create_record($fn, $r->{'name'}, $r->{'ttl'}, $r->{'class'},
                               $r->{'type'}, join(" ", @{$r->{'values'}}),
                               $r->{'comment'});
                }
        }

and it seems to have fixed the problem after I re-signed the zones and restarted BIND. All 5 zones are now recognised as DNSSEC signed.

Status: Active » Needs review
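The following is an added example, not Webmin or Virtualmin code: a small Python model of the merge step quoted above, so the effect of leaving NSEC3PARAM out of the type list can be seen without a BIND install. It assumes a simplified zone format (one record per line; real dnssec-signzone output uses multi-line records and $ORIGIN-relative names, which this parser does not handle), and all keys, signatures and NSEC3 hashes are constructed placeholders. The consistency check is mine, based on RFC 5155: an NSEC3-signed zone must carry an NSEC3PARAM record at the apex so that the server knows which NSEC3 chain is in use, which is why the zones in this thread loaded but were not treated as signed.

```python
# Added example: models the bind8-lib.pl merge loop with the buggy and the
# fixed set of "DNSSEC-generated" record types.  Not Webmin's own code.

BUGGY_DNSSEC_TYPES = frozenset({"NSEC", "NSEC3", "RRSIG"})
FIXED_DNSSEC_TYPES = frozenset({"NSEC", "NSEC3", "NSEC3PARAM", "RRSIG"})

# Constructed unsigned zone as Webmin keeps it: DNSKEYs already present,
# plus one stale NSEC left over from an earlier NSEC (not NSEC3) signing run.
UNSIGNED_ZONE = """\
$TTL 3600
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2017033014 3600 900 604800 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN A 192.0.2.10
ns1.example.test. 3600 IN A 192.0.2.1
example.test. 3600 IN DNSKEY 257 3 8 KSKPLACEHOLDER==   ; constructed placeholder key
example.test. 3600 IN DNSKEY 256 3 8 ZSKPLACEHOLDER==   ; constructed placeholder key
example.test. 3600 IN NSEC ns1.example.test. A NS SOA RRSIG NSEC DNSKEY   ; stale
"""

# Constructed dnssec-signzone output for the same zone, signed with NSEC3.
# Signatures and owner-name hashes are placeholders, not real values.
SIGNED_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2017033014 3600 900 604800 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20170429000000 20170330000000 12345 example.test. SIGPLACEHOLDER==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN A 192.0.2.10
example.test. 3600 IN DNSKEY 257 3 8 KSKPLACEHOLDER==
example.test. 3600 IN DNSKEY 256 3 8 ZSKPLACEHOLDER==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20170429000000 20170330000000 54321 example.test. SIGPLACEHOLDER==
example.test. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
example.test. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20170429000000 20170330000000 12345 example.test. SIGPLACEHOLDER==
ns1.example.test. 3600 IN A 192.0.2.1
HASH1PLACEHOLDER.example.test. 3600 IN NSEC3 1 0 10 AABBCCDD HASH2PLACEHOLDER A NS SOA RRSIG DNSKEY NSEC3PARAM
HASH1PLACEHOLDER.example.test. 3600 IN RRSIG NSEC3 8 3 3600 20170429000000 20170330000000 12345 example.test. SIGPLACEHOLDER==
HASH2PLACEHOLDER.example.test. 3600 IN NSEC3 1 0 10 AABBCCDD HASH1PLACEHOLDER A RRSIG
HASH2PLACEHOLDER.example.test. 3600 IN RRSIG NSEC3 8 3 3600 20170429000000 20170330000000 12345 example.test. SIGPLACEHOLDER==
"""


def parse_zone(text):
    """Parse the simplified one-record-per-line format into dicts shaped like
    the records Webmin's read_zone_file() returns (name/ttl/class/type/values)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line or line.startswith("$"):  # skip $TTL / $ORIGIN directives
            continue
        name, ttl, cls, rtype, *rdata = line.split()
        records.append({"name": name, "ttl": int(ttl), "class": cls,
                        "type": rtype, "values": rdata})
    return records


def merge_signed(original, signed, dnssec_types):
    """Same shape as the two Perl loops: delete every record of a DNSSEC type
    from the original zone, then copy those types over from the signed file.
    Any type missing from dnssec_types is silently left out of the result."""
    merged = [r for r in original if r["type"] not in dnssec_types]
    merged.extend(r for r in signed if r["type"] in dnssec_types)
    return merged


def types_present(records):
    return {r["type"] for r in records}


def nsec3_chain_complete(records):
    """RFC 5155 check: NSEC3 records without an apex NSEC3PARAM record leave
    the server with no way to select the NSEC3 chain."""
    types = types_present(records)
    return "NSEC3PARAM" in types if "NSEC3" in types else True


def run_merge(dnssec_types):
    """Merge the constructed zones with the given type set and summarise."""
    merged = merge_signed(parse_zone(UNSIGNED_ZONE), parse_zone(SIGNED_ZONE),
                          dnssec_types)
    return {
        "types": types_present(merged),
        "rrsig_count": sum(1 for r in merged if r["type"] == "RRSIG"),
        "nsec3_complete": nsec3_chain_complete(merged),
        "stale_nsec_removed": not any(r["type"] == "NSEC" for r in merged),
    }


if __name__ == "__main__":
    for label, types in (("buggy", BUGGY_DNSSEC_TYPES), ("fixed", FIXED_DNSSEC_TYPES)):
        print(label, run_merge(types))
```

With the buggy type set the merged zone still has every RRSIG and both NSEC3 records, which is why the zone file looked signed on disk, but the NSEC3PARAM record never makes it across; with the fixed set it does. The same shortfall would not show up for a zone signed with NSEC instead of NSEC3, matching the observation that only some algorithm choices were affected.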

Thanks - this fix will be included in the next release!

Status: Needs review » Fixed
Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.