
DNSSEC Zone keys are always the same #878

Open

shoulders opened this issue Jul 31, 2024 · 10 comments

Comments

@shoulders

SYSTEM INFORMATION

  • OS type and version: Ubuntu Linux 22.04.4
  • Webmin version: 2.111
  • Usermin version: 2.010
  • Virtualmin version: 7.20.2
  • Theme version: 21.10
  • Package updates: 5 package updates are available

background

I am trying to figure out why I have a chain of trust issue on my primary domain example.com, not my system hostname server.example.com.

the issue

I wanted to regenerate my DNS signatures and then upload the new one to my registrar to see if this was the issue, so on my example.com domain I did the following:

  • went to Virtualmin --> DNS Settings --> DNS Options
  • I changed "DNSSEC signature enabled" from yes to no and saved the change
  • I changed "DNSSEC signature enabled" from no to yes and saved the change

I expected this to change the private and public keys etc. in DNSSEC zone keys, but the values were exactly the same afterwards.

[image: screenshot of the DNSSEC zone keys page]

proposed solution

add a regenerate button with a warning saying that you will need to make changes upstream at your registrar to prevent your domain being flagged as untrusted etc.... or something similar to that

additional

If I manually add an A record eg ns1.example.com does this trigger the DNSSEC signatures for it to be created?

@jcameron
Collaborator

This is actually expected behavior - turning DNSSEC off and on again intentionally doesn't re-generate the key, since this would force users to update the records with their registrar. There is a separate button to create a new key though.
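The reason the key is kept across an off/on toggle is that the registrar holds a DS record derived from the zone's KSK DNSKEY, and that DS only stays valid while the DNSKEY is unchanged. The following is an added illustration, not code from this thread or from Virtualmin/Webmin: it derives the DS record from a DNSKEY per RFC 4034 (key tag plus SHA-256 digest) and checks whether a published DS still matches the zone's key. The owner name, flags, algorithm and the byte pattern used as the public key are all constructed for the example.

```python
"""Derive the DS record a registrar publishes from a zone's DNSKEY (RFC 4034).

Added illustration, not Virtualmin or Webmin code. The DNSKEY material
below is constructed for the example; a real KSK's public key would be
read from the zone's DNSKEY record.
"""
import base64
import hashlib

# Constructed sample KSK: flags 257 (KSK), protocol 3, algorithm 13
# (ECDSAP256SHA256, whose public key is 64 bytes). The byte pattern is
# a placeholder, not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_KSK_PUBKEY = bytes([0x11, 0x22]) * 32


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def dnskey_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """Presentation form of the DNSKEY as it appears in the signed zone."""
    return f"{owner} IN DNSKEY {flags} {protocol} {algorithm} {base64.b64encode(pubkey).decode()}"


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """The DS record the registrar must publish in the parent zone for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest_sha256(owner, rdata)}"


def ds_matches(published_ds: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey: bytes) -> bool:
    """Chain-of-trust check: does the DS at the parent match the DNSKEY the zone serves?"""
    want = ds_record(owner, flags, protocol, algorithm, pubkey).split()
    have = published_ds.split()
    # Compare key tag, algorithm, digest type and digest; ignore TTL/class layout differences.
    return [h.upper() for h in have[-4:]] == [w.upper() for w in want[-4:]]


if __name__ == "__main__":
    args = (SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_KSK_PUBKEY)
    print(dnskey_record(*args))
    registrar_ds = ds_record(*args)  # the DS that was uploaded to the registrar
    print(registrar_ds)
    # Toggling DNSSEC off and on keeps the key, so the published DS still matches.
    print("after toggle:", ds_matches(registrar_ds, *args))
    # Generating a new key (simulated here by a different byte pattern) breaks
    # the match until the registrar is given the new DS.
    new_key = bytes([0x33, 0x44]) * 32
    print("after new key:", ds_matches(registrar_ds, SAMPLE_OWNER, SAMPLE_FLAGS,
                                       SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, new_key))
```

Running the script prints the constructed DNSKEY, the DS derived from it, `True` for the toggle case (same key, same DS) and `False` once the key bytes change, which is exactly the registrar update the off/on toggle avoids forcing on users.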

@shoulders
Author

shoulders commented Jul 31, 2024

> This is actually expected behaviour - turning DNSSEC off and on again intentionally doesn't re-generate the key, since this would force users to update the records with their registrar.

I thought so

> There is a separate button to create a new key though.

  • Where is this button? I did have a look 😄
  • Sometimes while diagnosing an error, it could be useful to regenerate the key and give the registrar new information, or perhaps you think your server has been compromised.

p.s. I am on authentic theme

@jcameron
Collaborator

jcameron commented Aug 1, 2024

It's at Webmin -> Servers -> BIND DNS Server -> whatever.com -> Setup DNSSEC Key -> Remove Key

@shoulders
Author

We have 2 options here:

  • Add a message saying that if the user wants the key regenerating or the algorithm changing then they need to contact the server administrator (easy option)
  • Virtualmin DNSSEC options should have parity with Webmin -> Servers -> BIND DNS Server -> whatever.com -> Setup DNSSEC Key -> Remove Key (adds more features and complexity)

@jcameron What are your thoughts

@iliajie
Collaborator

iliajie commented Aug 1, 2024

Why re-generate the key? It should never be necessary.

@shoulders
Author

My thoughts

  • if your server is compromised
    • dodgy staff nicks the keys
    • server is hacked
  • you have some legal thing where the keys need regenerating (I have no evidence of this)
  • the virtual server is moved to another server
  • issues upstream require you to give new keys so the provider's servers push the changes
    • I have not had experience of this but I was going to do this when I had issues with my DNSSEC setup (p.s. split DNS and DNSSEC don't mix 😄)

@iliajie
Collaborator

iliajie commented Aug 1, 2024

I think this is a niche feature for Virtualmin to have.

@jcameron
Collaborator

jcameron commented Aug 1, 2024

Yeah I kind of agree with Ilia here, it's a niche feature and also already available to the root user if really really needed.

@shoulders
Author

Update Help text

If this is a niche feature, could the help be updated instead of adding the buttons?

[image: screenshot of the DNS Options help text]

  • This page does more than SPF, so maybe a small re-ordering of the content to include General DNS, SPF, DNSSEC sections
  • add a DNSSEC section with
    • a message saying that if the user wants the key regenerating or the algorithm changing then they need to contact the server administrator (easy option)
  • define the SPF section

additional

the actual layout of the options on the page is not correctly sorted anymore, i.e. the DNS and Sender Policy Framework options should be split into General options, Sender Policy Framework, Other Email, DNSSEC

@iliajie
Collaborator

iliajie commented Aug 2, 2024

Thanks, I'll take a look at this later.
