
#5555 DNSSEC key re-signing not happening

Status: closed-fixed
Group: 1.990
Owner: nobody
Labels: None
Priority: 5
Updated: 2022-05-14
Created: 2022-04-11
Creator: Lomedhi
Private: No

I have Automatic key re-signing enabled in the BIND DNS Server configuration, but it is not happening. Manual re-signing is working because I have this patch (https://github.com/webmin/webmin/commit/cef983f4f20e6375de745cfa39dece4dcc166b63) installed. I'm wondering if this issue is related.

I see that when I manually re-sign, dnssec-signzone is run directly, but the cron job runs /etc/webmin/bind8/resign.pl. When I run resign.pl from the command line, there is no output. I don't know if or where it logs, but I'm wondering if it might be running dnssec-signzone without the -u switch like manual re-signing did before the patch.

Discussion

  • Lomedhi

    Lomedhi - 2022-04-11

    Okay, I found that I can get output with resign.pl --debug. I just shortened my period between re-signs to force re-signing and all zones were re-signed successfully.

    I don't know what's causing the problem, but UptimeRobot keeps telling me occasionally that a site is down. When I check it, the DNSSEC/DANE Validator Firefox extension tells me that DNSSEC is failing. I manually re-sign the zone and then DNSSEC passes and UptimeRobot says the site is up again.

    I will add the --debug flag to the cron job and monitor for now.

  • Jamie Cameron

    Jamie Cameron - 2022-04-12

    Ok, please let us know what you find out.

  • Lomedhi

    Lomedhi - 2022-04-25

    I've had this happen again. Sent you a private message with the details. The re-signing itself seems to be fine, but DNSSEC becomes invalid later, and I don't understand why. It happens sporadically with multiple domains on multiple Webmin servers.

  • Jamie Cameron

    Jamie Cameron - 2022-05-14
    • status: open --> closed-fixed
  • Jamie Cameron

    Jamie Cameron - 2022-05-14

    Looks like this can happen if a domain was backed up and restored, as this will lead to incorrect ownership of the key files. This will be fixed in the next release of Virtualmin.
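
As an added example (editorial code, not from Webmin, Virtualmin or any participant in this thread), the Python script below performs the two checks this thread points at. It parses a signed zone file in the text format dnssec-signzone writes and lists every RRSIG that is already expired or will expire within a threshold, which is how a cron re-sign that silently stops running gets noticed before resolvers begin failing validation; and it lists key files in the zone directory whose owner is not the expected uid, the condition named above for domains that were backed up and restored. The sample zone text, the zone name example.test, the hashed NSEC3 owner names, the key tag 12345 and all function names are constructed for this example; the RRSIG field layout and the K<zone>+<alg>+<tag>.key/.private file naming are standard BIND conventions.

```python
"""Added example: DNSSEC health check for a BIND zone signed with dnssec-signzone.
Editorial code, not part of Webmin or Virtualmin. Assumes the signed zone is in
presentation format (RRSIG RDATA may be wrapped in parentheses across lines, as
dnssec-signzone writes it) and that the zone's key files are named
K<zone>+<alg>+<tag>.key / .private and live in one directory."""
import os
import pwd
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

# RRSIG RDATA in presentation format:
#   RRSIG <type> <alg> <labels> <origttl> <expiration> <inception> <keytag> <signer> <sig>
# Times are YYYYMMDDHHMMSS in UTC. An opening "(" may follow origttl, with the
# remaining fields on the next lines, so "\s+" and an optional "(" are allowed there.
RRSIG_RE = re.compile(
    r"(?:^|\s)RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\(?\s*(\d{14})\s+(\d{14})\s+(\d+)"
)


def _ts(field):
    """Turn an RRSIG time field into an aware UTC datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_times(zone_text):
    """Return [(covered_type, expiration, inception, keytag), ...] for every RRSIG."""
    return [(m.group(1).upper(), _ts(m.group(2)), _ts(m.group(3)), int(m.group(4)))
            for m in RRSIG_RE.finditer(zone_text)]


def signatures_needing_resign(zone_text, now, min_remaining=timedelta(days=7)):
    """RRSIGs already expired at `now` or expiring within `min_remaining`.
    Run from cron after the re-sign job: a non-empty result means the zone
    was not re-signed in time and validation will start failing."""
    return [r for r in parse_rrsig_times(zone_text) if r[1] - now < min_remaining]


def resolve_uid(owner):
    """Accept either a numeric uid or a user name such as 'named' or 'bind'."""
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def key_files_with_wrong_owner(zone_dir, expected_owner):
    """Key files in zone_dir not owned by expected_owner; this is the condition
    the thread associates with domains that were backed up and restored."""
    uid = resolve_uid(expected_owner)
    return sorted(str(p) for pattern in ("K*.key", "K*.private")
                  for p in Path(zone_dir).glob(pattern) if p.stat().st_uid != uid)


# Constructed sample modelled on dnssec-signzone output; not a real zone.
# The NSEC3 type bitmap deliberately contains the token "RRSIG" to show the
# parser does not mistake it for a signature record.
SAMPLE_SIGNED_ZONE = """\
example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. (
\t\t\t\t\t2022051401 3600 900 1209600 3600 )
example.test.\t\t3600\tIN\tRRSIG\tSOA 13 2 3600 (
\t\t\t\t\t20220614000000 20220414000000 12345 example.test.
\t\t\t\t\tQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= )
example.test.\t\t3600\tIN\tA\t192.0.2.10
example.test.\t\t3600\tIN\tRRSIG\tA 13 2 3600 (
\t\t\t\t\t20220518000000 20220418000000 12345 example.test.
\t\t\t\t\tQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= )
_443._tcp.example.test.\t3600\tIN\tTLSA\t3 1 1 0011223344556677
_443._tcp.example.test.\t3600\tIN\tRRSIG\tTLSA 13 4 3600 (
\t\t\t\t\t20220510000000 20220410000000 12345 example.test.
\t\t\t\t\tQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= )
0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM.example.test. 3600 IN NSEC3 1 0 10 AABBCCDD (
\t\t\t\t\t2T7B4G4VSA5SMI47K61MV5BV1A22BOJR A RRSIG )
0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM.example.test. 3600 IN RRSIG NSEC3 13 3 3600 (
\t\t\t\t\t20220614000000 20220414000000 12345 example.test.
\t\t\t\t\tQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= )
"""

if __name__ == "__main__":
    # Evaluate the sample as of 2022-05-14, the date of the thread's diagnosis.
    now = datetime(2022, 5, 14, tzinfo=timezone.utc)
    for covered, expiration, _inception, tag in signatures_needing_resign(SAMPLE_SIGNED_ZONE, now):
        print(f"RRSIG over {covered} (key tag {tag}) expires {expiration:%Y-%m-%d}: re-sign needed")
    # Check the current directory's key files against the uid this script runs as.
    for path in key_files_with_wrong_owner(".", os.getuid()):
        print(f"{path}: unexpected owner")
```

Run against the sample it flags the A signature (four days left) and the TLSA signature (already expired) and leaves the SOA and NSEC3 signatures alone. On a real server the zone text comes from the .signed file BIND serves and the expected owner is the user named runs as; scheduling the check shortly after the re-sign cron job gives a warning with the full remaining validity as lead time, instead of the first notice being an external monitor reporting the site down.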

    • Lomedhi

      Lomedhi - 2022-05-14

      That would make sense. The domains on this server were transferred from other servers using Transfer Virtual Server in Virtualmin when I migrated from Vultr to SSD Nodes. That calls Webmin's backup and restore scripts, right?

      Last edit: Lomedhi 2022-05-20
  • Jamie Cameron

    Jamie Cameron - 2022-05-14

    Yes, a transfer uses the backup/restore feature, which would have triggered this bug.

    • Lomedhi

      Lomedhi - 2022-05-20

      Okay, yesterday it happened again, on a different server. I've checked that there are no .key or .private ownership problems. It looks like it was associated with a Let's Encrypt renewal. The domain was not due for re-signing, but RRSIG and NSEC3 records changed. Fixed by manual "Sign Zone".

      Sending you a private message with the details.


      Last edit: Lomedhi 2022-05-20
