Hi,
I was trying to change the DNS records of multiple domains at once via Webmin, but when I started the process it returned that the key has expired. I regenerated the keys from the Virtualmin DomainKeys section, but that doesn't do anything. The keys and zone content remained the same with no change whatsoever. Then I decided to completely remove DNSSEC, thinking that this would also remove all signs of DNSSEC keys within the zone files. However, nothing like that happened. Even though the process completed successfully, there are still RRSIG and other records in the zone files, and I still get the same error when I try to change records - key has expired. Now to the point. How should I completely remove DNSSEC from all the zone files and/or regenerate the zone files completely without any signatures? How can I regenerate the signing keys for the zones?
Regards, Iliyan
Comments
Submitted by JamieCameron on Fri, 04/10/2015 - 19:30 Comment #1
You should be able to disable DNSSEC for a domain at Webmin -> Servers -> BIND DNS Server, which will remove all DNSSEC-related records. Which records are leftover when you try this?
Submitted by vutoff on Mon, 04/20/2015 - 01:00 Comment #2
Hi Jamie,
Thanks for your answer. Unfortunately that didn't help either. The records still existing in the zone file are NSEC and RRSIG.
Submitted by vutoff on Mon, 04/20/2015 - 01:15 Comment #3
A quick update. I managed to remove the DNSSEC keys, but only if I update the domains one by one. There's no bulk removal of the DNSSEC keys. And when you have several hundred domains, it's kind of a time-consuming operation. So is there a way to add/remove DNSSEC keys in bulk?
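Added example, not part of the original thread and not Virtualmin or Webmin code: a read-only check that reports which DNSSEC record types (such as the RRSIG and NSEC records mentioned above) are still present in a zone file and how many RRSIG signatures have expired, so that several hundred zones can be triaged without opening each one. The zone text, names, key tag and signature data are constructed, and it assumes BIND presentation format with RRSIG times written as YYYYMMDDHHmmSS.

```python
import re
from datetime import datetime, timezone

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

def logical_records(zone_text):
    """Yield one token list per record, joining ( ... ) continuation lines."""
    tokens, depth = [], 0
    for line in zone_text.splitlines():
        line = re.sub(r'"[^"]*"', '""', line)  # blank quoted TXT data (may hold ';')
        line = line.split(";", 1)[0]           # drop comments
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth = max(depth - 1, 0)
            else:
                tokens.append(tok)
        if depth == 0 and tokens:
            yield tokens
            tokens = []

def audit_zone(zone_text, now):
    """Report DNSSEC record types still present and how many RRSIGs have expired."""
    found, rrsigs, expired = set(), 0, 0
    for rec in logical_records(zone_text):
        # The type follows the optional owner, TTL and class fields.
        idx = next((i for i, t in enumerate(rec[:4]) if t.upper() in DNSSEC_TYPES), None)
        if idx is None:
            continue
        found.add(rec[idx].upper())
        if rec[idx].upper() == "RRSIG" and len(rec) > idx + 5:
            rrsigs += 1  # RDATA: covered alg labels ttl EXPIRATION inception ...
            exp = datetime.strptime(rec[idx + 5], "%Y%m%d%H%M%S")
            expired += exp.replace(tzinfo=timezone.utc) < now
    return {"types": sorted(found), "rrsigs": rrsigs, "expired": expired}

# Constructed sample zone (placeholder names, key tag and signature data).
SAMPLE_ZONE = """\
$TTL 3600
example.test. IN SOA ns1.example.test. root.example.test. (
        2015042001 ; serial
        10800 3600 604800 38400 )
example.test. IN RRSIG SOA 8 2 3600 (
        20150410000000 20150311000000 12345 example.test.
        Q09OU1RSVUNURUQ= )
example.test. IN TXT "v=spf1 a mx ~all; constructed"
example.test. IN NSEC www.example.test. NS SOA TXT RRSIG NSEC
www.example.test. 3600 IN RRSIG A 8 3 3600 20990101000000 20150311000000 12345 example.test. Q09OU1RSVUNURUQ=
"""
```

A zone from which DNSSEC has been fully removed returns an empty `types` list; any non-empty result marks a zone that still needs the per-domain removal.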
Submitted by JamieCameron on Tue, 04/21/2015 - 00:02 Comment #4
On which page in Virtualmin did you remove the DNSSEC keys for an individual domain?
Submitted by vutoff on Tue, 04/21/2015 - 08:39 Comment #5
Not in Virtualmin but in Webmin->Servers->BIND DNS Server. Then choose a single domain, click on "Setup DNS Keys" and then push the "Remove key" button. That's it. This removes all the signs of the DNS key in the zone file.
Submitted by JamieCameron on Tue, 04/21/2015 - 21:55 Comment #6
Ok - there is no way to perform mass DNSSEC updates in Virtualmin yet, but I will look into adding it.
Submitted by JamieCameron on Thu, 04/23/2015 - 01:01 Comment #7
The 4.18 release of Virtualmin will support using its modify-dns API command to remove DNSSEC for multiple domains at once.
Submitted by vutoff on Thu, 04/23/2015 - 01:02 Comment #8
This is great, Jamie. Thanks. When would the new version be available?
Submitted by JamieCameron on Thu, 04/23/2015 - 18:55 Comment #9
This just missed the cut for the 4.17 release, so it could be several weeks. But let me know if you'd like to get a pre-release version.
Submitted by vutoff on Fri, 04/24/2015 - 00:58 Comment #10
That would be great. Thanks.
Submitted by JamieCameron on Sat, 04/25/2015 - 00:55 Comment #11
Do you have the GPL or pro version, and on which Linux distribution?
Submitted by Issues on Sat, 05/09/2015 - 00:56 Comment #12
Automatically closed -- issue fixed for 2 weeks with no activity.
Submitted by vutoff on Sun, 05/10/2015 - 02:19 Comment #13
I have Virtualmin GPL with Cloudmin Pro running on Debian 7.