When Webmin attempts to re-sign a zone after records are modified, it produces this error and the operation fails:
dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3.
This has been confirmed by others on the Virtualmin forums. We have worked around the issue by downgrading to Webmin 1.984.
I wonder if this is due to this change: https://github.com/webmin/webmin/commit/0d6b65531465a5602fa7b1d217a981f7d05122bb
Do you happen to know what algorithm is being used for DNSSEC signing in this zone?
I'm using ECDSAP384SHA384. Not sure if the others who have encountered the issue are using the same.
Ah .. so in that patch, we changed from NSEC to NSEC3 when using ECDSAP384SHA384 (among others). It seems like the correct fix is to use the -u flag to update the record type.
If you can, try applying this patch and see if it helps: https://github.com/webmin/webmin/commit/cef983f4f20e6375de745cfa39dece4dcc166b63
Yes, that worked for me.
Excellent! This will be in the next Webmin release ..
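An added example, not part of the thread and not Webmin's code: a pre-flight check that reads a previously signed zone file and works out whether re-signing needs `-u`, which is the condition behind the error quoted at the top. The function names, the sample zone and the choice of `-3 -` (NSEC3 with no salt) are assumptions made for illustration.

```python
# Constructed sample: fragment of a zone previously signed with an NSEC chain.
SAMPLE_SIGNED_ZONE = """\
example.com.      3600 IN SOA ns1.example.com. admin.example.com. (
                        2024010101 ; serial
                        3600 600 86400 3600 )
                  3600 RRSIG NSEC 14 2 3600 (
                        20240201000000 20240101000000 12345 example.com.
                        c2FtcGxl )
                  3600 NSEC www.example.com. NS SOA RRSIG NSEC DNSKEY
www.example.com.  3600 IN A 192.0.2.10
                  3600 NSEC example.com. A RRSIG NSEC
"""

CLASSES = ("IN", "CH", "HS")


def record_types(zone_text):
    """Return the RR type of every record, ignoring rdata such as 'RRSIG NSEC ...'.

    Simplification: ';' and parentheses inside quoted TXT strings are not handled.
    """
    types, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # strip comments
        continuation = depth > 0               # inside a multi-line ( ... ) record
        depth += line.count("(") - line.count(")")
        if continuation or not line.strip() or line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():
            tokens = tokens[1:]                # drop the owner name
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens = tokens[1:]                # drop TTL and class, in either order
        if tokens:
            types.append(tokens[0].upper())
    return types


def chain_flags(zone_text, want_nsec3, salt="-"):
    """Flags dnssec-signzone needs for the requested denial-of-existence chain.

    -u is added when the zone already carries a chain of the other type.
    Not checked here: changing NSEC3 parameters also requires -u.
    """
    present = set(record_types(zone_text)) & {"NSEC", "NSEC3"}
    flags = ["-3", salt] if want_nsec3 else []
    wanted = "NSEC3" if want_nsec3 else "NSEC"
    if present and present != {wanted}:
        flags.append("-u")
    return flags
```

For the sample zone, asking for NSEC3 yields `-3 - -u`, while an unsigned zone yields only `-3 -`.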