Hi, is the DNSSEC bug described here https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/6/ solved? So can I set up a multiserver setup using this tutorial and using DNSSEC without any problems by just adding the zones and settings on the primary?
The bug only affects mirrored name servers. If you set up a secondary zone on the other name server, the bug does not matter, and this is the way the tutorial instructs you to do it.
I agree with @Taleman's recommendation: using BIND mirroring instead of ISPConfig's built-in config replication is a good way to go for secondary DNS servers, and it's probably the way we will go in general in the future with ISPConfig, as it avoids the problem with DNSSEC altogether and works perfectly fine and stable.
I'm a little confused. I posted the instructions below. How do I set them up as mirrored, and how do I set it up correctly so that DNSSEC works properly? I kind of missed this explanation. "There is currently a bug in ISPConfig that causes DNSSEC signed zones to be signed with different keys if you mirror nameservers. To set up your zones, first create the zone under DNS -> DNS Zones on your first nameserver, and allow transfer + also notify to the IP address of your secondary nameserver. Then add the zone under "Secondary DNS zones" on your second nameserver and allow transfer from the IP of your first nameserver. Your secondary nameserver is now set up. If you want to add another nameserver, just repeat the instructions from this step, and adjust the hostname and IP address accordingly. In the next step, we will install the webmail server."
Just do not enable mirroring between the DNS servers, and instead add a secondary zone (slave DNS record) in the ISPConfig DNS module for the primary zones you add.
The secondary zone does not appear until it is manually added. So the answer to your question is probably never, unless someone implements automatic secondary zones in ISPConfig. Is there a specific problem with setting up name service and/or DNSSEC on your setup? https://forum.howtoforge.com/threads/creating-secondary-dns-zones-automatically.87339/ There might be some automation in the works: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5834
Actually yes. This looks to me like it is not possible to use DNSSEC without any additional scripts or manual config pushes. Did anything change here? Because am I wrong, or do I basically have to do every DNS setting twice if I work with primary / secondary DNS zones?
That's wrong. You can use DNSSEC in ISPConfig and it works perfectly fine. You just have to select the right mirroring method (BIND mirroring instead of ISPConfig mirroring). No, you do not have to do every setting twice. All you have to do is add a slave zone in the ISPConfig DNS manager once for every domain that shall get mirrored and disable ISPConfig server mirroring.
Found this thread and have questions - hope it's ok to hijack, but it has everything to do with my question. We have 4 DNS servers - two in two different locations, as we often have power outages that can outlast our power backup systems. Three are ISPConfig mirrors of the first NS server. In order to implement DNSSEC, I understand the need to remove the mirrors and set up secondary servers. Given that the objective is to have two servers in each of the different geolocations, is it possible to leave two servers as mirrors, one in each location, then set one server in each as a secondary in each locale? Will that still result in the bug mentioned because two servers are mirrored? The reason I'm asking about keeping one server in each locale as a mirror is because, before we were managing DNS through ISPConfig, we had a single master with 3 secondary servers. The issue we ran into was that we lost the primary server due to a hardware failure that kept the master and one secondary offline until we could procure parts. During that downtime, DNS changes were a challenge until the servers were restored from backups. But, by then, changes that were manually made caused some zones to be out of sync. Getting all the zones back in sync was a process I'd prefer to avoid.
Yes. Mirroring cannot be used, simply because the signing is done on the servers, and you would end up with several differently signed zones. So slave servers are the way to go for this, as BIND is able to transfer the signed zones incl. their keys to the slave nodes by itself.
Thanks, Till. In order to migrate the servers from mirrors to secondaries, should the mirrors be broken one at a time, delete the zones on the servers that will be secondaries, and then set them as a secondary within the panel? After the 3 servers are migrated, I'll set up DNSSEC.
I have not tested that scenario. But yes, I would do it one at a time. It might be that you have to remove the zones on the slave system from the filesystem, plus from the dns_soa and dns_rr database tables in the dbispconfig database, manually.
If you test this, can you please report here how it went and what you've done? I might have to do this in the future too.
Thanks for both of the replies. I will attempt to modify the servers over the weekend and will report the progress. If successful, I'll post procedures.
Might be better to set up a new server, configure the zones, then direct traffic to that instead of the old server.
I have been able to successfully create a secondary zone on one server that will act as a slave. However, I'm running into an issue with receiving updates to a zone. My guess is that although the master is specified and the zone does transfer, any new records in the zone are not propagated to the slave. Is the master not notifying the slave server? I thought BIND automatically sent notifies to the slaves listed in named.conf.local on the master. The named.conf.options file on the master still reflects: allow-transfer {none;}; Am I missing something? I have not been able to get record changes at the master to propagate to the slave. (I'll provide details on what's been done after this is resolved.)
BIND notifies all slaves automatically. Take care to add the IP addresses of all secondary servers in the allow xfer field of the primary zone.
Still missing something. I have ns1, ns2, ns3, ns4. ns1 is the master. ns4 has been removed from the mirror. Created the secondary zone for the 1st domain with the following info:
Server: ns4
DNS Zone: domain.com
NS: IP address of ns1
Allow zone transfers...: left blank, as I assume this would allow transfers from ns4 to the others listed.
The zone transfers after setup, but any changes on ns1 to the zone files do not replicate to ns4.
Well, found entries in the syslog that are related but have me puzzled:
zone domain.com/IN: sending notifies (serial 2024xxxx)
zone domain.com/IN: refused notify from non-primary: (ip of itself, ns4)#50110
The serial number is one lower than what's on the master and is the original that was transferred. What do I have misconfigured that's making the slave try to notify itself?
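As an added example (not code from the thread or from ISPConfig), here is a small checker for the kind of BIND syslog messages quoted in the post above: it reads the secondary's log, records the serial each zone last reported, and flags zones that lag the primary's serial or that refused a NOTIFY (including one sent from the secondary's own address). The log lines, serials and addresses are constructed for the example; the primary serials would normally come from `dig SOA` against the master.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log (not from the thread), shaped like the BIND syslog
# messages quoted above. Serials and the 192.0.2.x addresses are made up.
SAMPLE_LOG = """\
Jan 10 10:00:01 ns4 named[1234]: zone example.com/IN: transferred serial 2024010101
Jan 10 10:05:00 ns4 named[1234]: zone example.com/IN: sending notifies (serial 2024010101)
Jan 10 10:05:00 ns4 named[1234]: zone example.com/IN: refused notify from non-primary: 192.0.2.4#50110
Jan 10 10:06:00 ns4 named[1234]: zone example.net/IN: transferred serial 2024010105
"""

ZONE_RE = re.compile(r"zone (?P<zone>\S+)/IN: (?P<msg>.*)$")
SERIAL_RE = re.compile(r"serial (?P<serial>\d+)")
REFUSED_RE = re.compile(r"refused notify from non-primary: (?P<ip>[\d.:a-fA-F]+)#\d+")


def parse_bind_log(text: str) -> Dict[str, dict]:
    """Per zone: the last serial the secondary reported, and the source
    addresses of any NOTIFY messages it refused."""
    zones: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ZONE_RE.search(line)
        if not m:
            continue
        z = zones.setdefault(m["zone"], {"serial": None, "refused_from": []})
        msg = m["msg"]
        if msg.startswith("transferred serial") or msg.startswith("sending notifies"):
            s = SERIAL_RE.search(msg)
            if s:
                z["serial"] = int(s["serial"])
        r = REFUSED_RE.match(msg)
        if r:
            z["refused_from"].append(r["ip"])
    return zones


def check_secondary(text: str, primary_serials: Dict[str, int], own_ip: str) -> List[str]:
    """Findings for a secondary: serial behind the primary, or refused NOTIFYs.
    A NOTIFY is refused when its source is not in the zone's primaries list."""
    findings: List[str] = []
    for zone, info in parse_bind_log(text).items():
        expected: Optional[int] = primary_serials.get(zone)
        if expected is not None and info["serial"] is not None and info["serial"] < expected:
            findings.append(f"{zone}: secondary serial {info['serial']} behind primary {expected}")
        for ip in info["refused_from"]:
            if ip == own_ip:
                findings.append(f"{zone}: refused a notify from its own address {ip}; "
                                "check which address the secondary zone lists as its primary")
            else:
                findings.append(f"{zone}: refused notify from {ip}, not in the zone's primaries list")
    return findings
```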