RFC1035 TTL semantics dnssec-signzone: fatal: An NSEC3 chain exists with a different salt. Use -u to update it.

Enabled DNSSEC, was working fine. Went to change an IP address on one of the DNS records. After I hit submit I get the following message.

Failed to save record : DNSSEC signing after records change failed : dnssec-signzone: warning: /var/named/XYZ.com.hosts.signed:96: using RFC1035 TTL semantics dnssec-signzone: fatal: An NSEC3 chain exists with a different salt. Use -u to update it.

Did some searches online and this appears to have been an issue that has been around since 2017? What do I need to do to fix this? I am unable to re-sign the zone.

Thanks

Status: Active

Comments

That's an unusual error - did you perhaps upgrade anything on your system recently, like BIND?

As a work-around, you could try disabling and then re-enabling DNSSEC for this domain. This can be done by SSHing in as root and running:

virtualmin modify-dns --domain example.com --disable-dnssec ; virtualmin modify-dns --domain example.com --enable-dnssec
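The fatal error in this thread concerns the salt of the NSEC3 chain already present in the signed zone. As an added example (not part of the thread, and not Virtualmin's or BIND's own code), these shell functions read the NSEC3PARAM record from a signed zone file so the salt in use can be compared with the one requested for re-signing. The sample zone text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: part of a signed zone file containing an NSEC3PARAM
# record and the RRSIG that covers it (values are made up).
SAMPLE_ZONE='example.com. 3600 IN SOA ns1.example.com. root.example.com. 2024010101 3600 600 1209600 3600
        0 NSEC3PARAM 1 0 10 a1b2c3d4
        0 RRSIG NSEC3PARAM 8 2 0 20240201000000 20240101000000 12345 example.com. c2lnbmF0dXJl
example.com. 3600 IN NS ns1.example.com.'

# Print "hash-alg flags iterations SALT" for the first NSEC3PARAM record on
# stdin. The type may appear in any column (owner, TTL and class are optional),
# and "RRSIG NSEC3PARAM ..." lines are skipped because their fields differ.
nsec3param_fields() {
    awk '{
        for (i = 1; i <= NF - 4; i++)
            if ($i == "NSEC3PARAM" && (i == 1 || $(i-1) != "RRSIG")) {
                print $(i+1), $(i+2), $(i+3), toupper($(i+4))
                exit
            }
    }'
}

# Print only the salt, upper-cased ("-" means an empty salt).
zone_salt() {
    nsec3param_fields | awk '{ print $4 }'
}

# salt_matches WANTED_SALT   (zone file on stdin)
# Returns 0 if the zone's salt equals WANTED_SALT, 1 if it differs,
# 2 if the zone has no NSEC3PARAM record at all.
salt_matches() {
    wanted=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    current=$(zone_salt)
    [ -n "$current" ] || return 2
    [ "$current" = "$wanted" ]
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_ZONE" | nsec3param_fields   # prints: 1 0 10 A1B2C3D4
```

A return value of 1 from `salt_matches` is the condition the error message describes: the zone has to be re-signed either with the existing salt passed to `dnssec-signzone -3` or with `-u` so the chain is rebuilt.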