I finally figured out how to do DNSSEC and DS records so I get zero errors on DNSSEC validation, but I am getting Proof of Non-Existence errors. I cannot find any NSEC or NSEC3 records in bind files or using dig. ISPConfig Version: 3.3.0p3, Debian GNU/Linux 10 (buster), yes old, will find a guide to upgrade real soon now. Since ispconfig3 I think is supposed to handle this I did not want to go farther in chopping on it. ifconfig displays the IP address but parsing it appears to be painful. Thanks.

Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 10 (buster)
[INFO] uptime:  06:18:05 up  7:52,  2 users,  load average: 0.08, 0.02, 0.01
[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:          3.9Gi       437Mi       1.5Gi        23Mi       1.9Gi       3.2Gi
Swap:         511Mi       195Mi       316Mi

[INFO] systemd failed services status:
  UNIT                     LOAD   ACTIVE SUB    DESCRIPTION
● clamav-freshclam.service loaded failed failed ClamAV virus database updater

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.3.0p3

##### VERSION CHECK #####
[INFO] php (cli) version is 7.3.31-1~deb10u7
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.3.31

##### PORT CHECK #####
[WARN] Port 21 (FTP server) seems NOT to be listening

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
        Apache 2 (PID 7540)
[INFO] I found the following mail server(s):
        Postfix (PID 1554)
[INFO] I found the following pop3 server(s):
        Dovecot (PID 869)
[INFO] I found the following imap server(s):
        Dovecot (PID 869)
[WARN] I could not determine which ftp server is running.

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:993          (869/dovecot)
[anywhere]:995          (869/dovecot)
[localhost]:10023       (519/postgrey)
[localhost]:10024       (9032/amavisd-new)
[localhost]:10025       (1554/master)
[localhost]:10026       (9032/amavisd-new)
[localhost]:10027       (1554/master)
[anywhere]:587          (1554/master)
[localhost]:11211       (854/memcached)
[anywhere]:110          (869/dovecot)
[anywhere]:143          (869/dovecot)
[anywhere]:465          (1554/master)
***.***.***.***:53      (26952/named)
[localhost]:53          (26952/named)
[anywhere]:22           (885/sshd)
[localhost]:953         (26952/named)
[anywhere]:25           (1554/master)
*:*:*:*::*:993          (869/dovecot)
*:*:*:*::*:995          (869/dovecot)
*:*:*:*::*:10023        (519/postgrey)
*:*:*:*::*:10024        (9032/amavisd-new)
*:*:*:*::*:10026        (9032/amavisd-new)
*:*:*:*::*:3306         (1018/mysqld)
*:*:*:*::*:587          (1554/master)
[localhost]10           (869/dovecot)
[localhost]43           (869/dovecot)
*:*:*:*::*:8080         (7540/apache2)
*:*:*:*::*:80           (7540/apache2)
*:*:*:*::*:8081         (7540/apache2)
*:*:*:*::*:465          (1554/master)
*:*:*:*::*:53           (26952/named)
*:*:*:*::*:22           (885/sshd)
*:*:*:*::*:953          (26952/named)
*:*:*:*::*:25           (1554/master)
*:*:*:*::*:443          (7540/apache2)

##### IPTABLES #####
Chain INPUT (policy DROP)
target                     prot opt source        destination
f2b-dovecot                tcp  --  [anywhere]/0  [anywhere]/0  multiport dports 110,995,143,993,587,465,4190
f2b-postfix-sasl           tcp  --  [anywhere]/0  [anywhere]/0  multiport dports 25
f2b-sshd                   tcp  --  [anywhere]/0  [anywhere]/0  multiport dports 22
f2b-recidive               all  --  [anywhere]/0  [anywhere]/0
ufw-before-logging-input   all  --  [anywhere]/0  [anywhere]/0
ufw-before-input           all  --  [anywhere]/0  [anywhere]/0
ufw-after-input            all  --  [anywhere]/0  [anywhere]/0
ufw-after-logging-input    all  --  [anywhere]/0  [anywhere]/0
ufw-reject-input           all  --  [anywhere]/0  [anywhere]/0
ufw-track-input            all  --  [anywhere]/0  [anywhere]/0

Chain FORWARD (policy DROP)
target                     prot opt source        destination
ufw-before-logging-forward all  --  [anywhere]/0  [anywhere]/0
ufw-before-forward         all  --  [anywhere]/0  [anywhere]/0
ufw-after-forward          all  --  [anywhere]/0  [anywhere]/0
ufw-after-logging-forward  all  --  [anywhere]/0  [anywhere]/0
ufw-reject-forward         all  --  [anywhere]/0  [anywhere]/0
ufw-track-forward          all  --  [anywhere]/0  [anywhere]/0

Chain OUTPUT (policy ACCEPT)
target                     prot opt source        destination
ufw-before-logging-output  all  --  [anywhere]/0  [anywhere]/0
ufw-before-output          all  --  [anywhere]/0  [anywhere]/0
ufw-after-output           all  --  [anywhere]/0  [anywhere]/0
ufw-after-logging-output   all  --  [anywhere]/0  [anywhere]/0
ufw-reject-output          all  --  [anywhere]/0  [anywhere]/0
ufw-track-output           all  --  [anywhere]/0  [anywhere]/0

Chain ufw-before-logging-input (1 references)
target     prot opt source        destination

Chain ufw-before-logging-output (1 references)
target     prot opt source        destination

Chain ufw-before-logging-forward (1 references)
target     prot opt source        destination

Chain ufw-before-input (1 references)
target           prot opt source        destination
ACCEPT           all  --  [anywhere]/0  [anywhere]/0
ACCEPT           all  --  [anywhere]/0  [anywhere]/0     ctstate RELATED,ESTABLISHED
ufw-logging-deny all  --  [anywhere]/0  [anywhere]/0     ctstate INVALID
DROP             all  --  [anywhere]/0  [anywhere]/0     ctstate INVALID
ACCEPT           icmp --  [anywhere]/0  [anywhere]/0     icmptype 3
ACCEPT           icmp --  [anywhere]/0  [anywhere]/0     icmptype 11
ACCEPT           icmp --  [anywhere]/0  [anywhere]/0     icmptype 12
ACCEPT           icmp --  [anywhere]/0  [anywhere]/0     icmptype 8
ACCEPT           udp  --  [anywhere]/0  [anywhere]/0     udp spt:67 dpt:68
ufw-not-local    all  --  [anywhere]/0  [anywhere]/0
ACCEPT           udp  --  [anywhere]/0  ***.***.***.***  udp dpt:5353
ACCEPT           udp  --  [anywhere]/0  ***.***.***.***  udp dpt:1900
ufw-user-input   all  --  [anywhere]/0  [anywhere]/0

Chain ufw-before-output (1 references)
target          prot opt source        destination
ACCEPT          all  --  [anywhere]/0  [anywhere]/0
ACCEPT          all  --  [anywhere]/0  [anywhere]/0     ctstate RELATED,ESTABLISHED
ufw-user-output all  --  [anywhere]/0  [anywhere]/0

Chain ufw-before-forward (1 references)
target           prot opt source        destination
ACCEPT           all  --  [anywhere]/0  [anywhere]/0     ctstate RELATED,ESTABLISHED
ACCEPT           icmp --  [anywhere]/0  [anywhere]/0     icmptype 3
ACCEPT           icmp --  [anywhere]/0  [anywhere]/0     icmptype 11
ACCEPT           icmp --  [anywhere]/0  [anywhere]/0     icmptype 12
ACCEPT           icmp --  [anywhere]/0  [anywhere]/0     icmptype 8
ufw-user-forward all  --  [anywhere]/0  [anywhere]/0

Chain ufw-after-input (1 references)
target                   prot opt source        destination
ufw-skip-to-policy-input udp  --  [anywhere]/0  [anywhere]/0     udp dpt:137
ufw-skip-to-policy-input udp  --  [anywhere]/0  [anywhere]/0     udp dpt:138
ufw-skip-to-policy-input tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:139
ufw-skip-to-policy-input tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:445
ufw-skip-to-policy-input udp  --  [anywhere]/0  [anywhere]/0     udp dpt:67
ufw-skip-to-policy-input udp  --  [anywhere]/0  [anywhere]/0     udp dpt:68
ufw-skip-to-policy-input all  --  [anywhere]/0  [anywhere]/0     ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
target     prot opt source        destination

Chain ufw-after-forward (1 references)
target     prot opt source        destination

Chain ufw-after-logging-input (1 references)
target     prot opt source        destination
LOG        all  --  [anywhere]/0  [anywhere]/0     limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source        destination

Chain ufw-after-logging-forward (1 references)
target     prot opt source        destination
LOG        all  --  [anywhere]/0  [anywhere]/0     limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
target     prot opt source        destination

Chain ufw-reject-output (1 references)
target     prot opt source        destination

Chain ufw-reject-forward (1 references)
target     prot opt source        destination

Chain ufw-track-input (1 references)
target     prot opt source        destination

Chain ufw-track-output (1 references)
target     prot opt source        destination
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     ctstate NEW
ACCEPT     udp  --  [anywhere]/0  [anywhere]/0     ctstate NEW

Chain ufw-track-forward (1 references)
target     prot opt source        destination

Chain ufw-logging-deny (2 references)
target     prot opt source        destination
RETURN     all  --  [anywhere]/0  [anywhere]/0     ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  [anywhere]/0  [anywhere]/0     limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
target     prot opt source        destination
LOG        all  --  [anywhere]/0  [anywhere]/0     limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source        destination
DROP       all  --  [anywhere]/0  [anywhere]/0

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source        destination
ACCEPT     all  --  [anywhere]/0  [anywhere]/0

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source        destination
DROP       all  --  [anywhere]/0  [anywhere]/0

Chain ufw-not-local (1 references)
target           prot opt source        destination
RETURN           all  --  [anywhere]/0  [anywhere]/0     ADDRTYPE match dst-type LOCAL
RETURN           all  --  [anywhere]/0  [anywhere]/0     ADDRTYPE match dst-type MULTICAST
RETURN           all  --  [anywhere]/0  [anywhere]/0     ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all  --  [anywhere]/0  [anywhere]/0     limit: avg 3/min burst 10
DROP             all  --  [anywhere]/0  [anywhere]/0

Chain ufw-user-input (1 references)
target     prot opt source        destination
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:21
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:22
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:53
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:80
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:443
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:465
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:587
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:993
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:995
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:8081
ACCEPT     udp  --  [anywhere]/0  [anywhere]/0     udp dpt:53
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:8080
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0     tcp dpt:25

Chain ufw-user-output (1 references)
target     prot opt source        destination

Chain ufw-user-forward (1 references)
target     prot opt source        destination

Chain ufw-user-logging-input (0 references)
target     prot opt source        destination

Chain ufw-user-logging-output (0 references)
target     prot opt source        destination

Chain ufw-user-logging-forward (0 references)
target     prot opt source        destination

Chain ufw-user-limit (0 references)
target     prot opt source        destination
LOG        all  --  [anywhere]/0  [anywhere]/0     limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  [anywhere]/0  [anywhere]/0     reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source        destination
ACCEPT     all  --  [anywhere]/0  [anywhere]/0

Chain f2b-recidive (1 references)
target     prot opt source           destination
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable

Chain f2b-sshd (1 references)
target     prot opt source        destination

Chain f2b-postfix-sasl (1 references)
target     prot opt source        destination

Chain f2b-dovecot (1 references)
target     prot opt source           destination
REJECT     all  --  ***.***.***.***  [anywhere]/0     reject-with icmp-port-unreachable
RETURN     all  --  [anywhere]/0     [anywhere]/0

##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh
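The thread never shows what a "proof of non-existence" check actually looks at. The POSIX shell checker below is an added example, not code from the thread or from ISPConfig: it reads the text of a `dig +dnssec` answer for a name that does not exist and reports whether the authority section carries NSEC or NSEC3 records each covered by an RRSIG, which is the condition DNSViz and similar tools test. The two embedded answers are constructed samples; example.com, the NSEC3 hashes and the signature data are placeholders.

```shell
#!/bin/sh
# Added example: does a negative DNS answer prove non-existence with signed
# NSEC/NSEC3 records? Real use (any name that does not exist in the zone):
#   dig +dnssec @ns1.example.com no-such-name.example.com A | check_denial
# Constructed sample answers (placeholder names, hashes and signatures).
SAMPLE_SIGNED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025101631 7200 540 604800 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20251101000000 20251015000000 12345 example.com. c2lnMQ==
0123456789abcdefghijklmnopqrstuv.example.com. 3600 IN NSEC3 1 0 10 AABBCCDD 1123456789ABCDEFGHIJKLMNOPQRSTUV A RRSIG
0123456789abcdefghijklmnopqrstuv.example.com. 3600 IN RRSIG NSEC3 13 3 3600 20251101000000 20251015000000 12345 example.com. c2lnMg==
EOF
)
# Same query against a zone whose negative answers carry no NSEC/NSEC3 at all.
SAMPLE_UNSIGNED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23456
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2025101631 7200 540 604800 3600
EOF
)
# Print only the records of the AUTHORITY SECTION of a dig answer read from stdin.
authority_section() {
    awk '/^;; AUTHORITY SECTION:/ { s = 1; next } /^;;/ || /^$/ { s = 0 } s'
}
# check_denial: read a dig answer from stdin; return 0 when non-existence is
# proven by NSEC3 (or NSEC) records that are each covered by an RRSIG, else 1.
check_denial() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    case "$status" in
        NXDOMAIN|NOERROR) ;;   # NOERROR with an empty answer is a NODATA denial
        *) echo "not a negative answer (status: $status)"; return 1 ;;
    esac
    auth=$(printf '%s\n' "$resp" | authority_section)
    if   printf '%s\n' "$auth" | grep -Eq '[[:space:]]IN[[:space:]]+NSEC3[[:space:]]'; then kind=NSEC3
    elif printf '%s\n' "$auth" | grep -Eq '[[:space:]]IN[[:space:]]+NSEC[[:space:]]';  then kind=NSEC
    else echo "no NSEC/NSEC3 in the authority section: non-existence is not proven"; return 1
    fi
    if ! printf '%s\n' "$auth" | grep -Eq "[[:space:]]IN[[:space:]]+RRSIG[[:space:]]+$kind[[:space:]]"; then
        echo "$kind present but not covered by an RRSIG"; return 1
    fi
    echo "non-existence proven with signed $kind records"
}
# Stand-alone run: check a saved dig answer given as $1, else the signed sample.
if [ -n "$1" ]; then check_denial < "$1"; else printf '%s\n' "$SAMPLE_SIGNED" | check_denial; fi
```

The same grep on a `.signed` zone file tells you whether the signer emitted NSEC3 (plus an NSEC3PARAM record) or NSEC at all, which is the first thing to look at when the check above fails.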
I have not been running a name server for quite a long time, but did you enable DNSSEC in the ISPConfig panel? If you did, try a DNS resync first, and see how that goes. Also, a failure to sign would normally be in the log, so look into it to troubleshoot. Maybe @Taleman can offer you better insight about this, so just wait a bit.
Maybe it's because you're running an old Debian version and therefore most likely an old Bind version? Those Proof of Non-Existence (or denial-of-existence) errors were fixed in ISPC 3.2.12. But I guess your Bind version needs to be compatible?
Also, if you run a multiserver setup, you cannot use internal DNS mirroring for zones in ISPConfig; you must use primary and secondary zones in ISPConfig instead, which instructs BIND to do the mirroring.
ISC.org says bind 9.9+ does NSEC or NSEC3. I do see that inline signing is not active. I've not touched anything in the bind config. ISPConfig3 is the latest version as of 10-12-2025 (version in OP). I'm not sure what to fumble with to add this if ISPConfig3 is not doing it automagically.
ISPConfig3 bind files.

named.conf
Code:
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        version "unknown";
        allow-transfer {none;};
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

named.conf.options
Code:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.local
Code:
zone "ignoblast.com" {
        type master;
        file "/etc/bind/pri.ignoblast.com.signed";
};
zone "server.ignoblast.com" {
        type master;
        file "/etc/bind/pri.server.ignoblast.com.signed";
};
zone "mail.ignoblast.com" {
        type master;
        file "/etc/bind/pri.mail.ignoblast.com.signed";
};
zone "black.ignoblast.com" {
        type master;
        file "/etc/bind/pri.black.ignoblast.com.signed";
};
DNSSEC passes all tests, DNSViz fails NSEC3. Logs have not been configured in the ISPConfig files, so I shut down bind9 and ran journalctl -u named. That is sanitized and below.

Relevant portion of the bind log (journalctl -u named):
Code:
16-Oct-2025 21:17:04.243 configuring command channel from '/etc/bind/rndc.key'
16-Oct-2025 21:17:04.243 command channel listening on 127.0.0.1#953
16-Oct-2025 21:17:04.243 configuring command channel from '/etc/bind/rndc.key'
16-Oct-2025 21:17:04.243 command channel listening on ::1#953
16-Oct-2025 21:17:04.243 not using config file logging statement for logging due to -g option
16-Oct-2025 21:17:04.244 managed-keys-zone: loaded serial 6
16-Oct-2025 21:17:04.244 zone 0.in-addr.arpa/IN: loaded serial 1
16-Oct-2025 21:17:04.246 zone server.unocoblast.com/IN: loaded serial 2025101619 (DNSSEC signed)
16-Oct-2025 21:17:04.247 zone 255.in-addr.arpa/IN: loaded serial 1
16-Oct-2025 21:17:04.247 zone localhost/IN: loaded serial 2
16-Oct-2025 21:17:04.248 zone 127.in-addr.arpa/IN: loaded serial 1
16-Oct-2025 21:17:04.250 zone black.unocoblast.com/IN: loaded serial 2025101631 (DNSSEC signed)
16-Oct-2025 21:17:04.250 zone unocoblast.com/IN: loaded serial 2025101631 (DNSSEC signed)
16-Oct-2025 21:17:04.251 zone mail.unocoblast.com/IN: loaded serial 2025101616 (DNSSEC signed)
16-Oct-2025 21:17:04.251 all zones loaded
16-Oct-2025 21:17:04.252 running
16-Oct-2025 21:17:04.252 zone black.unocoblast.com/IN: sending notifies (serial 2025101631)
16-Oct-2025 21:17:04.252 zone server.unocoblast.com/IN: sending notifies (serial 2025101619)
16-Oct-2025 21:17:04.252 zone unocoblast.com/IN: sending notifies (serial 2025101631)
16-Oct-2025 21:17:04.252 zone mail.unocoblast.com/IN: sending notifies (serial 2025101616)
I've checked your domain ignoblast.com (taken from named.conf.local you posted) at dnsviz.net and the domain doesn't exist! Also unocoblast.com (taken from your named log) doesn't exist. How on earth did you check dnssec??
I apologize, remkoh. It is random brain noise replacing the domain. For some unknown reason (insanity) I did not disclose that and just assumed it would be expected for privacy/security. I do appreciate the effort. I cannot figure out where to stick all the configurations in ISPConfig3's highly opaque way of doing DNS to enable NSEC3, nor whether that will be overwritten. I'd prefer thumping it to start doing it on its own. I'm rather daunted at starting over just now. Thanks