Hello there, me again. When I add a new zone I can't see the DNSSEC option. I followed your Perfect Server tutorial, but split Web, Mail and DNS up. Am I missing something, or is DNSSEC not available at the moment in ISPConfig 3.1 Stable? Thank you again for your help. ei8ht
The current dnssec implementation does not work on multiserver setups where dns is mirrored. This is caused by a mistake in the implementation, so it is nothing that can be fixed easily and we have to reimplement dnssec from scratch. Therefore, dnssec is hidden on systems where it will not work in 3.1. The root cause is that the current implementation creates the dnssec certs on the server side, but when you have a mirror, then there are 2 server sides, which means you would get 2 different certs on master and slave. This needs to be reimplemented in a way that just one cert gets created on the master, which is then mirrored to the slave.
The powerdns module has not been under development for a few years, since it currently has no maintainer, so it is likely that dnssec is not working with powerdns.
You can try to remove the mirror function from the secondary dns and use the plugin from https://git.ispconfig.org/ispconfig/Modules/tree/master/dns_slave_auto . I have not tested this with dnssec, but afaik bind replicates the dnssec key, too.
Hi Till and Florian040, thanks a lot for your answers. @till: Hopefully my coding skills are soon great enough to contribute and update the pdns plugin. @Florian040: Thanks for the hint. I'll give it a try. Regards ei8ht
Hello, me again. I set everything up again and now run into two problems:
- 1.) haveged doesn't run in an LXC container. So now I installed it on my host; entropy in the container is about 2500. Hope this is enough...
- 2.) Either the script from florian030 isn't working or I'm doing it wrong (probably the second...). I installed the script on my main ISPConfig server, set the master DNS IP and the server IDs of the two secondary DNS servers in the php file -> nothing happens.
Well, for the moment I decided to live without DNSSEC. Maybe I switch to PowerDNS and do the DNS stuff outside of ISPConfig. Regards ei8ht
I updated the script a few days ago but the merge-request is still open. https://git.ispconfig.org/ispconfig/Modules/merge_requests/3/diffs
Hi Florian030, thanks for the update. I'll give it a try. DNSSec itself is working on the master DNS now. The trick is to install haveged on the host when you are in a containerized environment (like LXC). Best regards ei8ht
You two are great. How can I buy you a beer or a pizza or so? (not kidding!) But besides this, am I installing the script correctly? I'm 90% sure, but I want to be 100% sure. The script has to be installed on my main ISPConfig server, the one with the web panel (let's call him optimusprime). My master dns is on a separate machine (let's say skids for this) and my two slave DNS servers (mudflap and ironhide, yes I watched too much Transformers ^^) are in other datacenters, connected via an IPSEC tunnel to optimus. The server IDs of ironhide and mudflap are 7 and 9. Regards ei8ht
Just a little feedback: @florian030: Your auto slave script works like a charm. However, when I click from the "entries" tab in the zone file editor back to "DNS Zone" I always get an error: Duplicate entry 'domain.tld.-6' for key 'slave'. This error even appears when no slave servers are set. For DNSSEC itself there is just one workaround: edit the bind_named.conf.local.slave on the slave server and add .signed. Sadly, then all zones have to be signed. As I can't assure this at the moment, this is not a solution for me... Any idea how to fix this? Two templates, one for DNSSEC and one without? Maybe this is possible, but I don't think it's easy to implement. Thanks for all your help, and as I posted before: how can I buy you guys a beer or a pizza or so? ^^ Regards ei8ht
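One way to avoid the "all zones must be signed" problem of a single hard-coded .signed suffix, as an added example that is not ISPConfig's or florian030's code: render one stanza per zone and pick the signed file only where it exists, and refuse a .signed file that is older than its unsigned source (it would carry stale RRSIGs). The `pri.<zone>` / `pri.<zone>.signed` layout under a bind directory and the `type master` stanza are assumptions for the example, not taken from the thread.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed layout (not taken from the thread):
#   unsigned zone file: <bind_dir>/pri.<zone>
#   signed zone file:   <bind_dir>/pri.<zone>.signed  (only for DNSSEC zones)


def zone_file(bind_dir, zone):
    """Path BIND should load for `zone`: the .signed file when it exists and is
    current, otherwise the plain file. A .signed file older than its source would
    make BIND serve outdated signatures, so that case is rejected, not guessed."""
    unsigned = Path(bind_dir) / f"pri.{zone}"
    signed = unsigned.with_name(unsigned.name + ".signed")
    if signed.is_file():
        if unsigned.is_file() and signed.stat().st_mtime < unsigned.stat().st_mtime:
            raise RuntimeError(f"{signed} is older than {unsigned}: re-sign before reload")
        return str(signed)
    if unsigned.is_file():
        return str(unsigned)
    raise FileNotFoundError(f"no zone file for {zone} in {bind_dir}")


def render_named_conf_local(bind_dir, zones):
    """One stanza per zone from a single template; the file is chosen per zone,
    so signed and unsigned zones can coexist on the same server."""
    stanzas = []
    for zone in zones:
        stanzas.append(
            f'zone "{zone}" {{\n\ttype master;\n'
            f'\tfile "{zone_file(bind_dir, zone)}";\n}};\n'
        )
    return "".join(stanzas)


def demo():
    """Constructed sample: a signed zone, an unsigned zone and a stale-signed zone."""
    d = tempfile.mkdtemp()
    for name in ("pri.signed.example", "pri.signed.example.signed",
                 "pri.plain.example", "pri.stale.example.signed"):
        Path(d, name).write_text("; constructed sample zone data\n")
    # Make the stale zone's .signed file older than its unsigned source.
    old = time.time() - 100
    os.utime(Path(d, "pri.stale.example.signed"), (old, old))
    Path(d, "pri.stale.example").write_text("; edited after signing\n")
    config = render_named_conf_local(d, ["signed.example", "plain.example"])
    try:
        render_named_conf_local(d, ["stale.example"])
        stale_rejected = False
    except RuntimeError:
        stale_rejected = True
    return {"config": config, "stale_rejected": stale_rejected}
```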