Is DNSSEC on mirrored name servers going to be supported in ISPConfig 3.2.1? I looked in git, but the milestones seem to change and get removed often. If DNSSEC is not coming to mirrored setups in the foreseeable future, are there instructions on how to set it up and use non-mirrored name servers?
No, it won't be included in 3.2.1. I'll explain how you can do it right now with 2 nameservers: ns1.example.com with IP 1.2.3.4 and ns2.example.com with IP 5.6.7.8. Create the zone, example.com, on ns1. Then go to zone settings, and for "Allow zone transfers to these IPs (comma separated list)" and "Also Notify", fill in the IP address(es) of your secondary nameserver(s), in this case 5.6.7.8. Enable DNSSEC with algorithm 13. Save the zone, and go to "Secondary DNS-Zones". Add a secondary zone for example.com. For "NS (IP-address)" and "Allow zone transfers to these IPs (comma separated list)", enter the IP address of your first nameserver, in this case 1.2.3.4. If you have more secondary servers, repeat this procedure for every server. You have to copy the KSK (257) to your registry. It is scheduled to automate the process of creating the secondary zones: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5834
@Taleman, I don't think there'll be any after I raised this issue last month but as @Th0m said, there is a workaround, though I'd like to still think that mirroring in ISPConfig should do that automatically, at least in the future.
I'm planning to try this on a test setup. @Th0m, in your description are the ns1 and ns2 ISPConfig servers? Would this work if ns2 is not an ISPConfig server, just running Bind and I copy the zone definitions there manually?
Yes, they are both ISPConfig servers. You can create the zones manually on ns2 if it's not an ISPConfig server; that should work.
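For the case just discussed, a plain BIND secondary that is not managed by ISPConfig, this is what the manual zone definitions look like on both sides. It is an added example and not taken from ISPConfig's generated configuration; the mapping from the ISPConfig form fields to the BIND options in the comments is my reading of the setup described above, and the file paths are placeholders.

```conf
// ns1 (primary, ISPConfig-managed), e.g. /etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/pri.example.com";       // placeholder path
    allow-transfer { 5.6.7.8; };            // "Allow zone transfers to these IPs"
    also-notify { 5.6.7.8; };               // "Also Notify"
};

// ns2 (secondary, plain BIND, configured by hand)
zone "example.com" {
    type slave;                             // "secondary" on BIND 9.16+
    file "/var/cache/bind/sec.example.com"; // placeholder path; must be writable by named
    masters { 1.2.3.4; };                   // "NS (IP-address)": where to pull the zone from
    allow-notify { 1.2.3.4; };              // accept NOTIFY only from the primary
    allow-transfer { 1.2.3.4; };            // "Allow zone transfers to these IPs"
};
```

The secondary transfers the already-signed zone, so it needs no keys of its own; only the primary signs. After `rndc reload`, `dig @5.6.7.8 example.com DNSKEY +dnssec` should return the same RRSIG-covered DNSKEY set as `dig @1.2.3.4`, and the serial in `dig @5.6.7.8 example.com SOA` should match the primary's. If the serial lags, the transfer or NOTIFY is being blocked, which almost always means the `allow-transfer`/`allow-notify` addresses do not match the address the peer actually connects from.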
I remember testing something like this with afraid.org as secondary name server and it worked, so, I think this should work with your own.
The problem we have is that the "secondary" DNS (NS2) is already a Mirror of the "primary" (NS1), with more than 2000 DNS zones. So we can't just use NS2 as in @Th0m's guide. It's not fun to manually create a third DNS server (NS3), convert 2000+ domains, and change the nameservers on every single domain name. I understand @Taleman's problem, and we also need a fix in the future for existing mirrored DNS.
You could automate this with some SQL queries, but yes, fixing it would be better. But someone will have to pick the issue up.