DNSSEC cascade inside Ispconfig

Discussion in 'Installation/Configuration' started by francoisPE, May 17, 2021.

  1. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    I have ISPC 3.2.4 on Ubuntu 20.04.
    I have started to set up DNSSEC: it works at the upper level but does not follow the cascade.
    Let me explain.
    I run https://dnssec-analyzer.verisignlabs.com/sub.dom.tld
    It gives: (confidentiality issue, see picture)

    How do I declare my sub.dom.tld in my own dom.tld? All of that is managed by ISPConfig.
    Is there a tutorial somewhere?
    Many thanks
     
    Last edited: May 29, 2021
  2. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Digging a bit, I see the answer on page 241 of the ISPConfig 3.1 manual:
    set a DS record :)
     
  3. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    It is quite painful to enter a DS record from a subdomain zone into a domain zone (example: from sub.dom.tld to dom.tld).
    I tried to automate the DS record entry with the SOAP API.
    But there is no function like dns_ds_add, etc.
    I am using this forum to make a proposal.

    1st proposal:
    -> incorporate in the web interface, DNS zone: in addition to DNSSEC_wanted, a param such as DNSSEC_PARENTZONE.
    With this param, it would be possible to have a function that "automatically" incorporates a DS record into this DNSSEC_PARENTZONE.

    2nd proposal:
    -> modify the file interface/lib/classes/remote.d/dns.inc.php
    and add the following lines
    Code:
    // ----------------------------------------------------------------------------------------------------------------
    
    //* Get record details
    public function dns_ds_get($session_id, $primary_id) {
       return $this->dns_rr_get($session_id, $primary_id, 'DS');
    }
    
    //* Add a record
    public function dns_ds_add($session_id, $client_id, $params, $update_serial=false) {
       return $this->dns_rr_add($session_id, $client_id, $params, $update_serial, 'DS');
    }
    
    //* Update a record
    public function dns_ds_update($session_id, $client_id, $primary_id, $params, $update_serial=false) {
       return $this->dns_rr_update($session_id, $client_id, $primary_id, $params, $update_serial, 'DS');
    }
    
    //* Delete a record
    public function dns_ds_delete($session_id, $primary_id, $update_serial=false) {
       return $this->dns_rr_delete($session_id, $primary_id, $update_serial, 'DS');
    }
    
    I can do a PR if you give me access to GitLab (I don't know your admin process).
    Thanks for your help
     
  4. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I checked solution 2: it works :)
     
  5. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    I am back on this topic because I have difficulties setting the DS record.
    I have read a lot of things, but didn't find my solution.
    Here below, in the red bracket, is my concern:
    [attachment: upload_2021-5-29_8-57-20.png]

    So I define a DS record in my dom.fr: right picture.
    But it is as if it doesn't exist: left picture.

    Can anyone help me understand what's wrong here?
    I have been working on the DS record for 2 weeks.
    Many thanks
     
  6. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I checked the logs:
    # grep named /var/log/syslog   (postfix activity filtered out below)
    It gives:
    May 29 01:00:01 ns1 named[93368]: received control channel command 'reload'
    May 29 01:00:01 ns1 named[93368]: loading configuration from '/etc/bind/named.conf'
    May 29 01:00:01 ns1 named[93368]: /etc/bind/named.conf.options:21: option 'dnssec-enable' is obsolete and should be removed
    May 29 01:00:01 ns1 named[93368]: /etc/bind/named.conf.options:23: option 'dnssec-lookaside' is obsolete and should be removed
    May 29 01:00:01 ns1 named[93368]: reading built-in trust anchors from file '/etc/bind/bind.keys'
    May 29 01:00:01 ns1 named[93368]: looking for GeoIP2 databases in '/usr/share/GeoIP'
    May 29 01:00:01 ns1 named[93368]: using default UDP/IPv4 port range: [32768, 60999]
    May 29 01:00:01 ns1 named[93368]: using default UDP/IPv6 port range: [32768, 60999]
    May 29 01:00:01 ns1 named[93368]: sizing zone task pool based on 7 zones
    May 29 01:00:01 ns1 named[93368]: none:100: 'max-cache-size 90%' - setting to 7165MB (out of 7961MB)
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 10.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 16.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 17.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 18.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 19.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 20.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 21.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 22.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 23.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 24.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 25.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 26.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 27.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 28.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 29.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 30.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 31.172.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 168.192.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 64.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 65.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 66.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 67.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 68.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 69.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 70.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 71.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 72.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 73.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 74.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 75.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 76.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 77.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 78.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 79.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 80.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 81.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 82.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 83.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 84.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 85.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 86.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 87.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 88.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 89.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 90.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 91.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 92.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 93.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 94.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 95.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 96.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 97.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 98.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 99.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 100.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 101.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 102.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 103.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 104.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 105.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 106.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 107.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 108.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 109.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 110.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 111.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 112.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 113.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 114.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 115.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 116.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 117.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 118.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 119.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 120.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 121.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 122.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 123.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 124.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 125.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 126.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 127.100.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 254.169.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: D.F.IP6.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 8.E.F.IP6.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 9.E.F.IP6.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: A.E.F.IP6.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: B.E.F.IP6.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: EMPTY.AS112.ARPA
    May 29 01:00:02 ns1 named[93368]: automatic empty zone: HOME.ARPA
    May 29 01:00:02 ns1 named[93368]: none:100: 'max-cache-size 90%' - setting to 7165MB (out of 7961MB)
    May 29 01:00:02 ns1 named[93368]: configuring command channel from '/etc/bind/rndc.key'
    May 29 01:00:02 ns1 named[93368]: configuring command channel from '/etc/bind/rndc.key'
    May 29 01:00:02 ns1 named[93368]: reloading configuration succeeded
    May 29 01:00:02 ns1 named[93368]: reloading zones succeeded
    May 29 01:00:02 ns1 named[93368]: all zones loaded
    May 29 01:00:02 ns1 named[93368]: running

    It seems OK?

    Also:
    # grep -r DS /etc/bind
    It gives:
    /etc/bind/dsset-backup.dom.fr.:backup.dom.fr. IN DS 6319 13 2 AD87006B0E0B458AD7A02DD87DFC11B3AB119CD3F7C309C4A4425623 C3583C8F
    /etc/bind/dsset-dom.fr.:dom.fr. IN DS 5535 13 2 7CE59A1D62E627A2B9FAAC33E6E870A45563A5F15BBFEECB2549AC10 A22855E7
    /etc/bind/Kbackup.dom.fr.xx.private:Algorithm: 13 (ECDSAP256SHA256)
    /etc/bind/Kbackup.dom.fr.xx.private:Algorithm: 13 (ECDSAP256SHA256)
    /etc/bind/Kdom.fr.xx.private:Algorithm: 13 (ECDSAP256SHA256)
    /etc/bind/Kdom.fr.xx.private:Algorithm: 13 (ECDSAP256SHA256)
    /etc/bind/pri.backup.dom.fr.signed: ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 22058
    /etc/bind/pri.backup.dom.fr.signed: ) ; KSK; alg = ECDSAP256SHA256 ; key id = 6319
    /etc/bind/pri.dom.fr:backup.dom.fr. 3600 DS 6319 13 2 AD87006B0E0B458AD7A02DD87DFC11B3AB119CD3F7C309C4A4425623 C3583C8F
    /etc/bind/pri.dom.fr.signed: ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 31211
    /etc/bind/pri.dom.fr.signed: ) ; KSK; alg = ECDSAP256SHA256 ; key id = 5535

    It seems OK?
     
  7. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,

    It seems to be because, in the bind folder:
    -> the new data I entered for dom.fr is in the pri.dom.fr file
    -> it is not in the pri.dom.fr.signed file

    What should I do?
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  9. francoisPE

    francoisPE Active Member HowtoForge Supporter

    My issue was:
    dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o 'dom.fr' -t 'pri.dom.fr'
    dnssec-signzone: fatal: 'backup.dom.fr': found DS RRset without NS RRset

    I invite noobs with the same issue to look at
    https://help.directadmin.com/item.php?id=652
    You will see that if you have the DS record of a subdomain in your domain, you need to declare NS records too.

    So the "dom.tld" zone must contain
    "
    sub.dom.tld DS ...
    sub.dom.tld NS ns1.dom.tld
    sub.dom.tld NS ns2.dom.tld
    "
    To repeat!
     
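    The failure above (a DS RRset at backup.dom.fr with no NS RRset at the same name) is the check dnssec-signzone applies before it will sign the parent. The following script is an added example (not code from ISPConfig, BIND or the poster) that runs the same check over a parent zone file and then builds exactly the lines still missing for a signed delegation: the NS RRset for the child and, if absent, the DS taken from dsset-<child>. The parent zone text and nameserver names are constructed samples modelled on the thread (the DS RDATA is the one quoted from dsset-backup.dom.fr.); the parser handles one RR per line with an explicit owner, which is the layout ISPConfig writes, and does not handle multi-line parentheses or continuation lines with a blank owner.

```python
"""Check a parent zone for DS RRsets without an NS delegation and build the missing records.

Added example for this thread; not code from ISPConfig, BIND or the poster.
dnssec-signzone aborts with "found DS RRset without NS RRset" when a DS for a
child exists but the parent has no NS RRset at that name. PARENT_ZONE,
NAMESERVERS and the use of "backup.dom.fr." are constructed samples; replace
them with your pri.<zone> file and the dsset-<child>. file BIND produced.
Names without a trailing dot are relative to ORIGIN, as in a zone file.
"""
from collections import defaultdict

ORIGIN = "dom.fr."
NAMESERVERS = ["ns1.dom.fr.", "ns2.dom.fr."]

# Constructed sample: the DS was copied into the parent, but no NS records were added.
PARENT_ZONE = """\
$TTL 3600
dom.fr. IN SOA ns1.dom.fr. hostmaster.dom.fr. ( 2021052901 7200 540 604800 3600 )
dom.fr. IN NS ns1.dom.fr.
dom.fr. IN NS ns2.dom.fr.
dom.fr. IN A 192.0.2.10
backup.dom.fr. 3600 DS 6319 13 2 AD87006B0E0B458AD7A02DD87DFC11B3AB119CD3F7C309C4A4425623 C3583C8F
"""

# The line dnssec-signzone wrote for the child zone (DS RDATA quoted from the thread).
DSSET_LINE = "backup.dom.fr. IN DS 6319 13 2 AD87006B0E0B458AD7A02DD87DFC11B3AB119CD3F7C309C4A4425623 C3583C8F"


def fqdn(name: str, origin: str = ORIGIN) -> str:
    """Lower-case absolute form of a name; '@' and relative names are completed with the origin."""
    name = name.lower()
    if name == "@":
        return origin.lower()
    return name if name.endswith(".") else f"{name}.{origin.lower()}"


def parse_zone(text: str, origin: str = ORIGIN):
    """Return {owner: {rrtype: [rdata, ...]}} for a one-RR-per-line zone file."""
    rrsets = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        i = 1
        if fields[i].isdigit():  # optional TTL
            i += 1
        if fields[i].upper() == "IN":  # optional class
            i += 1
        rrsets[fqdn(fields[0], origin)][fields[i].upper()].append(" ".join(fields[i + 1:]))
    return rrsets


def ds_without_ns(rrsets, origin: str = ORIGIN):
    """Owners below the apex that carry a DS RRset but no NS RRset (dnssec-signzone's fatal case)."""
    return sorted(o for o, types in rrsets.items()
                  if "DS" in types and "NS" not in types and o != origin.lower())


def norm_ds(rdata: str) -> str:
    """Canonical DS RDATA text: tag, algorithm, digest type, then the digest joined and upper-cased."""
    f = rdata.split()
    return " ".join(f[:3] + ["".join(f[3:]).upper()])


def missing_delegation_records(rrsets, child: str, dsset_line: str, nameservers, ttl: int = 3600):
    """Zone-file lines the parent still needs so the child is a signed delegation: NS RRset + DS."""
    child = fqdn(child)
    have = rrsets.get(child, {})
    lines = [f"{child} {ttl} IN NS {ns}" for ns in nameservers if ns not in have.get("NS", [])]
    wanted = norm_ds(dsset_line.split(" DS ", 1)[1])
    if wanted not in {norm_ds(d) for d in have.get("DS", [])}:
        lines.append(f"{child} {ttl} IN DS {wanted}")
    return lines


if __name__ == "__main__":
    zone = parse_zone(PARENT_ZONE)
    print("DS without NS:", ds_without_ns(zone))
    for rec in missing_delegation_records(zone, "backup.dom.fr.", DSSET_LINE, NAMESERVERS):
        print("add:", rec)
```

    Run against the sample it reports backup.dom.fr. as a DS-without-NS owner and emits the two NS lines; once those are appended, the check comes back empty and dnssec-signzone will accept the zone. Note that the NS RRset at the child name is what makes it a delegation at all, so the same nameservers that serve the child zone in ISPConfig must be listed there, otherwise resolvers are sent to the wrong servers even though the DS chain is intact.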
  10. francoisPE

    francoisPE Active Member HowtoForge Supporter

    @Taleman: thanks a lot for your reply and your overall contribution to the community.
    I have read a lot of things from you on DNS. It helped me a lot to finally find my issue.

    In my case:
    registrar: '.fr'
    my bind server contains the 'dom.fr' and 'sub.dom.fr' zones...
    I requested my registrar to record the DS for the dom.fr zone.
    But I was asking how to set the DS for sub.dom.tld in my dom.tld zone.
    I discovered that I have to set DS and NS records in the dom.tld zone.

    Do you have that situation in your named server?
    :)
     
    Last edited: May 29, 2021
  11. francoisPE

    francoisPE Active Member HowtoForge Supporter

    By the way, it is quite complex to manage "manually",
    so I come back to my proposals...
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Why do you have a separate zone for the subdomain? Just wondering...

    I suppose the first idea would be the best. But of course we can add those API functions anyway. Feel free to open a MR. See https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/CONTRIBUTING.md
     
  13. francoisPE

    francoisPE Active Member HowtoForge Supporter

    That was something Till recommended, so I built my script with this approach...

    I will contribute through a MR

    Many thanks
     
