Creating sites on mirrored (DNS) server?

Discussion in 'General' started by snowfly, Apr 30, 2017.

  1. snowfly

    snowfly Member

    We have a multiserver ISPConfig 3.1 setup, where the master server handles primary DNS, and a slave is set up to be a mirror of this master, for secondary DNS, and this works well for DNS (as per: https://www.howtoforge.com/how-to-r...and-secondary-with-ispconfig-3-debian-squeeze)

    The load on the mirrored slave is quite low, so we want to put a couple of websites directly on there.
    This works ok if I create the site via ISPConfig and select master as the server, and the site gets mirrored to slave, and I point the site domain names at slave.
    However, this doesn't seem to work with Let's Encrypt, as the master server tries to set up Let's Encrypt, but can't verify/access the site/domain, as the domain is pointing at the slave server.

    Is there a better way to handle secondary DNS syncing with primary, instead of using 'is mirror of server'?
    In a way where we could create sites directly on the slave server? That works with Let's Encrypt?
    Thanks
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member

    That depends on how you define "better." :) There's a feature request to be able to select specific services to be mirrored, rather than all services (so you could mirror DNS, but not web) - that would be better, for sure, but is not available now. I found https://git.ispconfig.org/ispconfig/ispconfig3/issues/990 related to that, though I think there may be one or two other issues open for effectively the same thing. If "better" requires it work today, then you could use a dns master/slave setup rather than mirroring the server (it requires more configuration, so not "better" in that aspect).

    One solution would be dns based verification using acme.sh: https://www.howtoforge.com/communit...utomated-dns-01-challenge-for-ispc-3-1.74850/

    Iirc, I think it was mentioned incorporating acme.sh in a future ispconfig version. Maybe that was just proposing an idea though, I don't know for certain if that is planned or just conversation.
     
  3. snowfly

    snowfly Member

    I didn't know it was possible to have a dns master/slave setup without mirroring the master server?
    If so, can you please point me to the tutorial on how to set this up / configure it, for ISPConfig?
    Thanks
     
  4. snowfly

    snowfly Member

    So I found in the manual how to have Secondary (slave) zones, where bind will transfer zone data automatically between primary and slave (Using Allow zone transfers to these IPs)

    BUT, is it possible to switch from a 'mirrored' ISPConfig DNS setup, to a Secondary Zone setup, without losing any existing DNS data? (e.g. we have 500+ zones)

    Would something like this work: (stab in the dark)
    1. Take a backup of ISPConfig and databases on current primary and slave (if we need to revert)
    2. Change ISPConfig service config of Slave, Disable mirror of Primary server (so it's now its own server)
    3. Use API to get a list of all DNS zones
    4. For each DNS zone:
      1. Update zone and set Allow zone transfers to these IPs = Slave IP
      2. Create secondary DNS zone with NS using Primary IP
    Would that work, and would the slave server keep all its zones?
    Or would bind on the Slave get messed up with all the previously created mirrored records + the new secondary zones? (does bind on a slave store the zones differently?)
    Thanks
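
One way to check, after a change like the one asked about above, that the secondary still serves every zone and is in sync with the primary. This is an added example, not part of any post in the thread and not ISPConfig code; the server IPs and the zone list file (one zone name per line) are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example: compare the SOA serial of each zone on primary and secondary.
# Usage (assumed arguments): ./soa_check.sh PRIMARY_IP SECONDARY_IP zones.txt

# Extract the serial (3rd field) from one line of `dig +short SOA` output, e.g.
#   "ns1.example.com. hostmaster.example.com. 2017043001 7200 540 604800 3600"
# Timeouts and empty answers yield no serial.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Classify one zone from the raw SOA answers of both servers.
compare_zone() {  # args: zone, primary answer, secondary answer
    p=$(soa_serial "$2")
    s=$(soa_serial "$3")
    if [ -z "$p" ]; then
        echo "$1 NO_PRIMARY"
    elif [ -z "$s" ]; then
        echo "$1 MISSING_ON_SECONDARY"
    elif [ "$p" = "$s" ]; then
        echo "$1 OK $p"
    else
        echo "$1 STALE primary=$p secondary=$s"
    fi
}

# Query both servers directly (no recursion) for every zone in the list.
check_zones() {  # args: primary_ip, secondary_ip, zone_list_file
    while read -r zone; do
        [ -n "$zone" ] || continue
        pa=$(dig +short +norecurse +time=3 +tries=1 @"$1" "$zone" SOA || true)
        sa=$(dig +short +norecurse +time=3 +tries=1 @"$2" "$zone" SOA || true)
        compare_zone "$zone" "$pa" "$sa"
    done < "$3"
}

# Only touch the network when called with the three arguments.
if [ "$#" -eq 3 ]; then
    check_zones "$1" "$2" "$3"
fi
```

Running it once before and once after the switch gives a per-zone baseline; any `MISSING_ON_SECONDARY` or `STALE` line points at a zone whose transfer (or Allow zone transfers setting) needs attention.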
     
