How do I get ISPconfig to configure bind the way that it produces CDS records for the automated DNSSEC key rollovers? e.g. https://www.nic.ch/security/cds/ Thanks.
I am currently testing the following:

1. disable DNSsec for that specific domain in ISPconfig
2. manually set the "dnssec-policy default;" in the bind config section for that domain (see https://bind9.readthedocs.io/en/v9_18_5/dnssec-guide.html#easy-start-guide-for-authoritative-servers)

I run into apparmor and fs permission issues:

apparmor="DENIED" operation="mknod" profile="named" name="/etc/bind/zonefiles/pri.example.com.jbk"

solved by adding the two lines to /etc/apparmor.d/local/usr.sbin.named:

/etc/bind/zonefiles/** lrw,
/etc/bind/zonefiles/ rw,

/etc/bind/zonefiles/pri.example.com.jbk: create: permission denied

solved by chmod g+w /etc/bind/zonefiles

I will see if now bind will generate the CDS keys (dig cds example.com @your-dns-server) so that the DNSsec keys will be picked up by the DNS registry automatically.

--> if this works, this would be an easy option to extend the ISPconfig dnssec support (for operating systems running BIND 9.17 onwards) so that no manual interaction is needed from the user to have the zones published with DNSSEC keys.
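The steps in the post above, turned into a few checks, as an added example that is not ISPconfig's or BIND's own code: it emits the zone stanza with "dnssec-policy default;", verifies that the two AppArmor rules and the group-write bit on /etc/bind/zonefiles are in place, counts the CDS records in captured "dig cds" output, and compares the child's CDS set against the DS set at the parent so that a rollover can be confirmed. The "inline-signing yes;" line is what the BIND 9.18 easy-start guide pairs with dnssec-policy for a zone loaded from a static file and is an assumption here (the post only names the dnssec-policy line); the zone name, file paths and dig text used in the usage section are constructed.

```shell
#!/bin/sh
# Added example, not ISPconfig's or BIND's own code. Small checks for the
# manual "dnssec-policy default;" setup from the post. The zone name, paths
# and the dig text used in the usage section are constructed.

# Emit the zone stanza the post describes. The "inline-signing yes;" line is
# what the BIND 9.18 easy-start guide pairs with dnssec-policy for a zone
# loaded from a static file (an assumption here; the post only names the
# dnssec-policy line).
zone_stanza() {
    printf 'zone "%s" {\n' "$1"
    printf '    type primary;\n    file "%s";\n' "$2"
    printf '    dnssec-policy default;\n    inline-signing yes;\n};\n'
}

# Succeed only if the local AppArmor override carries both rules the post
# added for /etc/bind/zonefiles (the signer must create .jbk/.signed files).
apparmor_rules_present() {
    grep -Fq '/etc/bind/zonefiles/** lrw,' "$1" &&
    grep -Fq '/etc/bind/zonefiles/ rw,' "$1"
}

# Succeed only if the zone directory has the group write bit set, i.e. the
# "chmod g+w" step from the post was applied (6th char of "ls -ld" is 'w').
zone_dir_group_writable() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# Read "dig cds <zone>" output on stdin and print the number of CDS records
# in it (comment lines starting with ';' are skipped). 0 means BIND has not
# published CDS yet or the zone is not served with a dnssec-policy.
cds_count() {
    awk '$1 !~ /^;/ && $4 == "CDS" { n++ } END { print n + 0 }'
}

# Succeed only if every CDS record in the child's dig output (file 1) has an
# identical DS record in the parent's dig output (file 2): same key tag,
# algorithm, digest type and digest. This is the post-rollover check that
# the registry really picked up the new key. Assumes default (unwrapped) dig
# output, so the digest is a single field.
cds_matches_ds() {
    awk '
        $1 !~ /^;/ && $4 == "CDS" { want[$5 " " $6 " " $7 " " $8] = 1 }
        $1 !~ /^;/ && $4 == "DS"  { have[$5 " " $6 " " $7 " " $8] = 1 }
        END {
            n = 0
            for (k in want) { n++; if (!(k in have)) exit 1 }
            exit (n == 0)   # no CDS at all is also a failure
        }' "$1" "$2"
}

# Usage on constructed input (no network needed):
zone_stanza example.com /etc/bind/zonefiles/pri.example.com
printf 'example.com.\t3600\tIN\tCDS\t12345 13 2 DEADBEEF\n' | cds_count   # 1
```

In practice the CDS input comes from "dig cds example.com @your-dns-server" and the DS input from "dig ds example.com @<parent nameserver>"; a mismatch after the registry's CDS scan interval is the signal to look at the zone's signing state before the old DS is removed from the parent.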
I can confirm that disabling DNSsec for the domain in ISPconfig and setting the "dnssec-policy default;" in the config of the zone lets bind generate automatically the CDS (and DS) keys which will be picked up by the TLD registry automatically. So it would be great if ISPconfig would support that way of enabling DNSsec! Happy New Year to everyone!
I have changed the file

/usr/local/ispconfig/server/plugins-available/bind_plugin.inc.php

so that the option "dnssec-policy default" gets added to each primary zone. As the file was overwritten by the last update (and I realized it too late when the DNSSEC keys expired), I wanted to ask if there is a way to keep the file as-is during updates?
Best way is to open an issue and merge request for this on our GitLab: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
I had created the issue already a while ago (https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6439)... but unfortunately no time to get into the whole ISPconfig UI to understand all the places where it would need to be adapted to add that feature :-(