CAA records are not compatible with Bind 9.9.5 on Debian 8

Hi, I know Debian 8 is enter in its end of life, but, maybe, to know this can be useful for you.
Virtualmin create a CAA record on DNS when a let's encrypt certificated is renewed. I think it started with Virtualmin 6.09.
That record is created with the following syntax:

@ IN CAA 0 issuewild

But it is only compatible with BIND ≥ 9.9.6, and Debian 8 has BIND 9.9.5.

For BIND < 9.9.6 the syntax is for Legacy Zone File (RFC 3597) IN TYPE257 # 22 000569737375656C657473656E63727970742E6F7267 IN TYPE257 # 18 000569737375657365637469676F2E636F6D

Tested with the following versions:
Debian 8.11
webmin-virtual-server 6.09-3 Pro and 6.09.gpl
webmin 1.942
bind 9.9.5.dfsg-9+deb8u18

Fixed (pending)


Do the older BIND versions completely fail to read the zone file if a CAA record exists? Or do they just skip it..

Bind 9.9.5 completely fails to load the entire zone

15-May-2020 13:51:45.100 /etc/bind/ unknown RR type 'CAA'
15-May-2020 13:51:45.101 zone loading from master file /etc/bind/ failed: unknown class/type
15-May-2020 13:51:45.101 zone not loaded due to errors.

and any record doesn't resolve, the entire zone doesn't work

Fixed (pending)

Ok - the next Virtualmin release won't add CAA records for older BIND releases than 9.9.6.

I have older system with Bind 9.8.1, also having this issue. After let's encrypt certificate is renewed, I have to manually remove CAA record, that was added by Virtualmin 6.09-3 Pro. Hope new Virtualmin version will be reelased soon :)

Virtualmin 6.10 should be out now, and doesn't add CAA records for older BIND versions anymore.