Submitted by fesoto on Thu, 07/02/2020 - 12:19 Pro Licensee
Enabled DNSSEC, was working fine. Went to change an IP address on one of the DNS records. After I hit submit I get the following message.
Failed to save record : DNSSEC signing after records change failed : dnssec-signzone: warning: /var/named/XYZ.com.hosts.signed:96: using RFC1035 TTL semantics dnssec-signzone: fatal: An NSEC3 chain exists with a different salt. Use -u to update it.
Did some searches online and this appears to have been an issue that has been around since 2017? What do I need to do to fix this? I am unable to re-sign the zone.
Thanks
Status: Active
Comments
Submitted by JamieCameron on Fri, 07/03/2020 - 15:23 Comment #1
That's an unusual error - did you perhaps upgrade anything on your system recently, like BIND?
As a work-around, you could try disabling and then re-enabling DNSSEC for this domain. This can be done by SSHing in as root and running:

virtualmin modify-dns --domain example.com --disable-dnssec ; virtualmin modify-dns --domain example.com --enable-dnssec
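
To see which salt the existing NSEC3 chain carries before re-signing (the condition the dnssec-signzone error in this thread reports), the signed zone file can be inspected. This is an added example, not part of the original thread and not Virtualmin's own code; the function names and the sample zone fragment are constructed, and records are assumed to be in RFC 5155 presentation format.

```shell
#!/bin/sh
# Added example: report the NSEC3 parameters present in a signed zone file.

# Print "hash-alg iterations salt" once per distinct set found in the
# NSEC3 and NSEC3PARAM records of the zone file given as $1.
nsec3_params() {
    awk '
    {
        for (i = 1; i + 4 <= NF; i++) {
            if ($i != "NSEC3" && $i != "NSEC3PARAM") continue
            # "RRSIG NSEC3 ..." is a signature covering the record, not the record.
            if (i > 1 && $(i - 1) == "RRSIG") continue
            # Fields after the type: hash-alg flags iterations salt ("-" = no salt).
            if ($(i+1) !~ /^[0-9]+$/ || $(i+2) !~ /^[0-9]+$/ || $(i+3) !~ /^[0-9]+$/) continue
            if ($(i+4) !~ /^(-|[0-9A-Fa-f]+)$/) continue
            key = $(i+1) " " $(i+3) " " toupper($(i+4))
            if (!(key in seen)) { seen[key] = 1; print key }
            break
        }
    }' "$1"
}

# Succeed only if every NSEC3/NSEC3PARAM record in $1 uses the salt $2.
# More than one salt in the file, or none at all, counts as a mismatch.
salt_matches() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    salts=$(nsec3_params "$1" | awk '{ print $3 }' | sort -u)
    [ -n "$salts" ] && [ "$salts" = "$want" ]
}

# Write a constructed zone fragment (not from a real system) to $1.
make_sample() {
    cat > "$1" <<'EOF'
example.com.  0     IN NSEC3PARAM 1 0 10 AABBCCDD
example.com.  0     IN RRSIG NSEC3PARAM 8 2 0 20200801000000 20200702000000 12345 example.com. c2FtcGxl
1A2B3C.example.com. 3600 IN NSEC3 1 0 10 aabbccdd (
                    4D5E6F
                    A NS SOA RRSIG DNSKEY NSEC3PARAM )
            3600    RRSIG NSEC3 8 3 3600 20200801000000 20200702000000 12345 example.com. c2FtcGxl
EOF
}

# Stand-alone use: pass the path of a signed zone file as the only argument.
if [ "$#" -eq 1 ]; then nsec3_params "$1"; fi
```

Run against a signed zone file such as the one named in the error message, more than one output line means records with different NSEC3 parameters coexist in the file.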