/etc/named.local not updating after creating new zone

From root, Installed ISPconfig with: wget -O -get.ispconfig.org | sh -s -- --use-nginx --use-ftp-ports=40110-40210 --unattended-upgrades --use-php=7.4,8.0,8.1

Because Let's Encrypt for server hostname was not created in setup, (self-signed cert was) I used:
howtoforge -tutorial-securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate

1) Created site & dns zone for server.mydomain.com and it updated named.conf.local (no err in bind)
SSL login to ispconfig panel, phpmyadmin and roundcube all work.

2) Added new website mydomain.com and DNS – it did not update named.conf.local (no err in bind)
Also dns would not generate DNSSEC DS-Data for registry.

3) Ran from ssh:
ispconfig_update.sh –force

4) Added new website mydomain2.com and DNS – it did not update named.conf.local (no err in bind)

5) Manually added zone to named.conf.local

zone "mydomain.com" {
type master;
file "/etc/bind/pri. mydomain.com";
};

Website worked

htf_report.txt shows: [WARN] could not determine server's ip address by ifconfig

From: Server Config
IP Address
12.34.56.789
Netmask
255.255.255.0
Gateway
35.129.55.1
Hostname
server.mydomain.com
Nameservers
8.8.8.8,8.8.4.4

htf_report.txt shows: [WARN] Port 443 (Webserver SSL) seems NOT to be listening
But: https-server.mydomain.com (works) SSL

root@server:~# telnet 12.34.56.789 443
Trying 12.34.56.789...
telnet: Unable to connect to remote host: Connection refused

ufw: 443/tcp ALLOW IN Anywhere

Any help would be appreciated
Thanks
Tried to upload 'htf_report.txt' but did not work:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 11 (bullseye)

[INFO] uptime: 15:33:13 up 8:13, 1 user, load average: 0.00, 0.00, 0.00

[INFO] memory:
total used free shared buff/cache available
Mem: 31Gi 1.8Gi 28Gi 10Mi 1.1Gi 29Gi
Swap: 1.0Gi 0B 1.0Gi

[INFO] systemd failed services status:
UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.8p1

##### VERSION CHECK #####

[INFO] php (cli) version is 7.4.30
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.30

##### PORT CHECK #####

[WARN] Port 443 (Webserver SSL) seems NOT to be listening

##### MAIL SERVER CHECK #####


##### RUNNING SERVER PROCESSES #####

[INFO] I found the following web server(s):
Unknown process (nginx (PID 2749)
[INFO] I found the following mail server(s):
Postfix (PID 1784)
[INFO] I found the following pop3 server(s):
Dovecot (PID 995)
[INFO] I found the following imap server(s):
Dovecot (PID 995)
[INFO] I found the following ftp server(s):
PureFTP (PID 1266)

##### LISTENING PORTS #####
(only ()
Local (Address)
[anywhere]:143 (995/dovecot)
[anywhere]:80 (2749/nginx
[anywhere]:8080 (2749/nginx
[anywhere]:8081 (2749/nginx
[anywhere]:465 (1784/master)
[anywhere]:21 (1266/pure-ftpd)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
***.***.***.***:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[localhost]:53 (1000/named)
[anywhere]:22 (1067/sshd
[anywhere]:25 (1784/master)
[localhost]:953 (1000/named)
[anywhere]:4190 (995/dovecot)
[anywhere]:993 (995/dovecot)
[anywhere]:995 (995/dovecot)
[localhost]:11332 (1008/rspamd
[localhost]:11333 (1008/rspamd
[localhost]:11334 (1008/rspamd
[localhost]:10023 (883/postgrey)
[anywhere]:587 (1784/master)
[localhost]:6379 (1007/redis-server)
[localhost]:11211 (999/memcached)
[anywhere]:110 (995/dovecot)
[localhost]43 (995/dovecot)
*:*:*:*::*:80 (2749/nginx
*:*:*:*::*:8080 (2749/nginx
*:*:*:*::*:8081 (2749/nginx
*:*:*:*::*:465 (1784/master)
*:*:*:*::*:21 (1266/pure-ftpd)
*:*:*:*::*:53 (1000/named)
*:*:*:*::*:53 (1000/named)
*:*:*:*::*:53 (1000/named)
*:*:*:*::*:53 (1000/named)
*:*:*:*::*:53 (1000/named)
*:*:*:*::*:53 (1000/named)
*:*:*:*::*:53 (1000/named)
*:*:*:*::*:53 (1000/named)
*:*:*:*::**:*:*:*::*53 (1000/named)
*:*:*:*::**:*:*:*::*53 (1000/named)
*:*:*:*::**:*:*:*::*53 (1000/named)
*:*:*:*::**:*:*:*::*53 (1000/named)
*:*:*:*::**:*:*:*::*53 (1000/named)
*:*:*:*::**:*:*:*::*53 (1000/named)
*:*:*:*::**:*:*:*::*53 (1000/named)
*:*:*:*::**:*:*:*::*53 (1000/named)
*:*:*:*::*:22 (1067/sshd
*:*:*:*::*:25 (1784/master)
*:*:*:*::*:953 (1000/named)
*:*:*:*::*:4190 (995/dovecot)
*:*:*:*::*:993 (995/dovecot)
*:*:*:*::*:995 (995/dovecot)
*:*:*:*::*:3306 (1121/mariadbd)
*:*:*:*::*:587 (1784/master)
*:*:*:*::*:6379 (1007/redis-server)
[localhost]10 (995/dovecot)




##### IPTABLES #####
Chain INPUT (policy DROP)
target prot opt source destination
f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22
ufw-before-logging-input all -- [anywhere]/0 [anywhere]/0
ufw-before-input all -- [anywhere]/0 [anywhere]/0
ufw-after-input all -- [anywhere]/0 [anywhere]/0
ufw-after-logging-input all -- [anywhere]/0 [anywhere]/0
ufw-reject-input all -- [anywhere]/0 [anywhere]/0
ufw-track-input all -- [anywhere]/0 [anywhere]/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- [anywhere]/0 [anywhere]/0
ufw-before-forward all -- [anywhere]/0 [anywhere]/0
ufw-after-forward all -- [anywhere]/0 [anywhere]/0
ufw-after-logging-forward all -- [anywhere]/0 [anywhere]/0
ufw-reject-forward all -- [anywhere]/0 [anywhere]/0
ufw-track-forward all -- [anywhere]/0 [anywhere]/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- [anywhere]/0 [anywhere]/0
ufw-before-output all -- [anywhere]/0 [anywhere]/0
ufw-after-output all -- [anywhere]/0 [anywhere]/0
ufw-after-logging-output all -- [anywhere]/0 [anywhere]/0
ufw-reject-output all -- [anywhere]/0 [anywhere]/0
ufw-track-output all -- [anywhere]/0 [anywhere]/0

Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:137
ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:138
ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:139
ufw-skip-to-policy-input tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:445
ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:67
ufw-skip-to-policy-input udp -- [anywhere]/0 [anywhere]/0 udp dpt:68
ufw-skip-to-policy-input all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
ufw-user-forward all -- [anywhere]/0 [anywhere]/0

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0
ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
DROP all -- [anywhere]/0 [anywhere]/0 ctstate INVALID
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 3
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 11
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 12
ACCEPT icmp -- [anywhere]/0 [anywhere]/0 icmptype 8
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp spt:67 dpt:68
ufw-not-local all -- [anywhere]/0 [anywhere]/0
ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:5353
ACCEPT udp -- [anywhere]/0 ***.***.***.*** udp dpt:1900
ufw-user-input all -- [anywhere]/0 [anywhere]/0

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0
ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
ufw-user-output all -- [anywhere]/0 [anywhere]/0

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0 ctstate INVALID limit: avg 3/min burst 10
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type LOCAL
RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type MULTICAST
RETURN all -- [anywhere]/0 [anywhere]/0 ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 10
DROP all -- [anywhere]/0 [anywhere]/0

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- [anywhere]/0 [anywhere]/0

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- [anywhere]/0 [anywhere]/0

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 ctstate NEW
ACCEPT udp -- [anywhere]/0 [anywhere]/0 ctstate NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:21
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:22
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:25
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:53
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:80
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:110
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:143
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:443
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:465
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:587
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:993
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:995
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:3306
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:4190
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8080
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 tcp dpt:8081
ACCEPT tcp -- [anywhere]/0 [anywhere]/0 multiport dports 40110:40210
ACCEPT udp -- [anywhere]/0 [anywhere]/0 udp dpt:53

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- [anywhere]/0 [anywhere]/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT all -- [anywhere]/0 [anywhere]/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- [anywhere]/0 [anywhere]/0

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination




##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh

 

root@server:~# ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 12.34.56.789 netmask 255.255.255.0 broadcast 12.34.56.255
inet6 fe80::225:90ff:fee6:444c prefixlen 64 scopeid 0x20<link>
ether 00:25:90:e6:44:4c txqueuelen 1000 (Ethernet)
RX packets 3057206 bytes 211918850 (202.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32649 bytes 4472214 (4.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xf7120000-f713ffff

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 137085 bytes 8482045 (8.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 137085 bytes 8482045 (8.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@server:~# nano /etc/hosts
127.0.0.1 localhost.localdomain localhost
12.34.56.789 server.mydomain.com server

 

1) Enabled debug mode.
2) Added a new a-record for mydomain1.com.
3) Disabled the server.sh cronjob

root@server:~# /usr/local/ispconfig/server/server.sh
06.08.2022-15:38 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
06.08.2022-15:38 - DEBUG [server:217] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished server.php.

FROM ISPCONFIG LOG:
2022-08-06 10:38 server.mydomain.com Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
2022-08-06 10:38 server.mydomain.com Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
2022-08-06 10:37 server.mydomain.com Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
2022-08-06 10:37 server.mydomain.com Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
2022-08-06 10:36 server.mydomain.com Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
2022-08-06 10:36 server.mydomain.com Debug safe_exec cmd: systemctl is-enabled 'named' 2>&1 - return code: 0
2022-08-06 10:36 server.mydomain.com Debug Trying to use Systemd to restart service
2022-08-06 10:36 server.mydomain.com Debug Calling function 'restartBind' from module 'dns_module'.
2022-08-06 10:36 server.mydomain.com Debug Processed datalog_id 199
2022-08-06 10:36 server.mydomain.com Debug Writing BIND named.conf.local file: /etc/bind/named.conf.local
2022-08-06 10:36 server.mydomain.com Warning DNSSEC ERROR: We are low on entropy. Not generating new Keys for mydomain1.com. Please consider installing package haveged.
2022-08-06 10:36 server.mydomain.com Debug Writing BIND domain file: /etc/bind/pri.mydomain1.com
2022-08-06 10:36 server.mydomain.com Debug safe_exec cmd: named-checkzone 'mydomain1.com.' '/etc/bind/pri.mydomain1.com' - return code: 0
2022-08-06 10:36 server.mydomain.com Debug Calling function 'rr_insert' from plugin 'bind_plugin' raised by event 'dns_rr_insert'.
2022-08-06 10:36 server.mydomain.com Debug Processed datalog_id 198

CHECKED HAVEGED BECAUSE OF WARNING DNSSEC ERROR:
root@server:~# /etc/init.d/haveged status
● haveged.service - Entropy Daemon based on the HAVEGE algorithm
Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-08-06 09:17:15 CDT; 55min ago
Docs: man:haveged(8)
http://www.issihosts.com/haveged/
Main PID: 810 (haveged)
Tasks: 1 (limit: 38443)
Memory: 3.7M
CPU: 315ms
CGroup: /system.slice/haveged.service
└─810 /usr/sbin/haveged --Foreground --verbose=1

Aug 06 09:17:15 server systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.
Aug 06 09:17:15 server haveged[810]: haveged: command socket is listening at fd 3
Aug 06 09:17:15 server haveged[810]: haveged: ver: 1.9.14; arch: x86; vend: GenuineIntel; build: (gcc 10.2.1 ITV); collect: 128K
Aug 06 09:17:15 server haveged[810]: haveged: cpu: (L4 VC); data: 32K (L4 V); inst: 32K (L4 V); idx: 24/40; sz: 32154/54019
Aug 06 09:17:15 server haveged[810]: haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B): last entropy estimate 8.00078
Aug 06 09:17:15 server haveged[810]: haveged: fills: 0, generated: 0

Note: No errors in bind - updated pri.mydomain1.com - did not add to named.conf.local, actualy removed zone I had previously added manualy.

 

root@my1:~# cat /proc/sys/kernel/random/entropy_avail
256

 

I setup another server on Vultr just like the current one with the named.conf.local problem. 'Add new dns zone' worked by adding them to named.conf.local. Then in zone settings, I checked 'Sign zone (DNSSEC)' and noticed that it removed that zone from named.conf.local and did not generate DNSSEC DS-Data for registry

I went back to the original server with the named.conf.local problem and unchecked 'Sign zone (DNSSEC)' and it then added the zones to named.conf.local on all 3 sites dns.

I compared files in /etc/bind to a vps that has been running for 2 years with no problems and found in both new servers, setup with automated ispconfig, 'named.conf.options' is missing the following 2 lines:
dnssec-enable yes;
dnssec-validation yes;

I though by adding these 2 lines, dnssec would work but it did not. So apparently it is a dnssec problem.

Also, it's not a server provider issue because the 2 servers (one a dedicated and the other a VPS) are on different providers.

 

Tanks for your help and knowledge! (definitely learned some stuff)

That fixed everything.

Thanks again