webmin: DNSSEC SOA expired. Webmin should renew prior to expiration date.
The automatic DNS checker tool on dnsstuff.com has uncovered a bug.
Isn’t the webmin code supposed to check for soon-to-be-expired DNSSEC SOA records for hosted domains, and renew them when the current time is less than X hours before the expiration time of the record?
FAIL
DNSSEC SOA record date check
DNSSEC SOA date has expired. This is bad because any signed data is now considered Bogus (RFC4033 section 5) and cannot be validated (RFC4641 section 4.1.1).
ns1.mydomain.com. has an expiration date of 20161207081119 | year=2016 month=12 day=07
ns2.mydomain.com. has an expiration date of 20161207081119 | year=2016 month=12 day=07
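The check the report above is asking for, written out as an added example (not Webmin's own code): parse the RRSIG records of a signed zone, compare each signature's expiration timestamp (the same YYYYMMDDHHmmSS form the dnsstuff output prints) against the current time, and flag signatures that are already expired or will expire within X hours. The sample records, the domain name and the key tag are constructed for the example; in practice you would feed it the output of `dig +dnssec` or the signed zone file.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in RFC 4034 presentation format, as printed by dig or found in a
# signed zone file. Fields: owner TTL class RRSIG type-covered alg labels orig-ttl
# expiration inception key-tag signer signature. Values are made up for this example.
SAMPLE_RRSIGS = """\
mydomain.com. 3600 IN RRSIG SOA 8 2 3600 20161207081119 20161107081119 12345 mydomain.com. AbCd==
mydomain.com. 3600 IN RRSIG NS 8 2 3600 20161209120000 20161109120000 12345 mydomain.com. EfGh==
www.mydomain.com. 3600 IN RRSIG A 8 3 3600 20170107000000 20161207000000 12345 mydomain.com. IjKl==
"""

RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+\S+\s+.+$"
)


def parse_rrsig_time(ts: str) -> datetime:
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034 s3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsigs(text: str, now_ts: str, warn_hours: int = 72) -> list:
    """Classify every RRSIG in `text` relative to `now_ts` (same 14-digit UTC form).

    EXPIRED signatures make the covered data Bogus for validating resolvers
    (RFC 4033 s5), so the zone must be re-signed before that point; EXPIRING_SOON
    is the window (warn_hours) in which an automatic re-sign should already run.
    """
    now = parse_rrsig_time(now_ts)
    results = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # not an RRSIG line; other record types are ignored
        expiration = parse_rrsig_time(m["expiration"])
        inception = parse_rrsig_time(m["inception"])
        if now >= expiration:
            status = "EXPIRED"
        elif now < inception:
            status = "NOT_YET_VALID"
        elif expiration - now <= timedelta(hours=warn_hours):
            status = "EXPIRING_SOON"
        else:
            status = "OK"
        results.append({"owner": m["owner"], "covered": m["covered"],
                        "expires": m["expiration"], "status": status})
    return results


if __name__ == "__main__":
    for r in check_rrsigs(SAMPLE_RRSIGS, "20161207100000"):
        print(f"{r['status']:14} {r['owner']} {r['covered']} expires {r['expires']}")
```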
About this issue
- State: closed
- Created 8 years ago
- Comments: 40
Commits related to this issue
- Give DNSSEC key files the right ownership https://github.com/webmin/webmin/issues/471 — committed to webmin/webmin by jcameron 7 years ago
- Show a warning about DNSSEC expired domains https://github.com/webmin/webmin/issues/471 — committed to webmin/webmin by jcameron 7 years ago
Ok, in the next Webmin release, expired DNSSEC domain signatures will display a warning on Webmin’s system information page.
Yes, a warning would be a drastic improvement.
I can’t think of a single scenario where you wouldn’t want to know that one of the domains hosted on your server is no longer accessible, neither by email, nor by web, nor by ftp, from the vast majority of internet DNS servers, which drop domains (“NXDOMAIN Non existent domain” is the precise error they return) that are carrying an invalid or expired secure signature.
Even worse, if you’re running an authoritative DNS server on webmin or virtualmin, and ITS DNSSEC records expire before renewal, then it, and all of the domains it’s responsible for, could potentially become inaccessible, and only because the records weren’t re-signed automatically like they should’ve been. Good thing BIND 9.9+ has the built-in feature to automatically sign and re-sign all of the DNSSEC records. It’s a daemon, so it’s always running, so it’s in the position to do this without fail.
We could add a warning for DNS zones whose signing has expired, similar to what’s done for webserver SSL certs.
The scary part of this bug was that the end result of expired, invalid DNSSEC information in webmin’s DNS was to take email and websites offline, without any notification to the system admin.
Maybe webmin/virtualmin could add a DNSSEC domain health page, showing all hostnames hosted on the system, and the current validity/expiration status of each hostname’s DNSSEC info: a green light if the hostname has a chain of valid signatures up to the root and is therefore resolving on the internet, a red light if not, with a text status explaining where the chain is broken, and buttons to renew all or renew individual crypto signatures within the system’s ability to renew. Obviously it may not be able to renew the DS records at the registrar, although there’s a new protocol which does allow that to be automated by the system, so the user no longer has to copy-paste their DS keys to the registrar.
@swelljoe I am updating to the latest, and see if that resolves issue(s). Knock on wood…
@jcameron, is the re-signing done via cron or internal to webmin? (I don’t see any cron entries that would do this)
My goal here is just to prevent Google public DNS from doing a SERVFAIL on the domain if zone is expired or invalid. I found that several major providers are pointing their broadband customers to Google DNS for resolution.
I am putting a link to the article from Google for future folks researching this problem: https://developers.google.com/speed/public-dns/docs/troubleshooting
I’ll put this on my TODO list to investigate implementation - it’s not an unreasonable idea.
OK, the current 1.831 release of Webmin should fix the resign.pl problem where it can fail if --debug is not set. And the next release will fix the problem of key files not having the right ownership for BIND to read.
Ok, I will look into this and update this bug once I have a fix…