DNSSEC problem expire too soon (ISPConfig 3.1)

I know you do not use DNSSEC as you postet earlier, but you implememted it.
I added DNSSEC to my domain on 23.10.16. Now as some mailers reject my mail with "domain not found" (error 450 4.1.8) I did the DNS check from DNSSTUFF.COM and found out, that all is ok except the "DNSSEC SOA record date check" which has expired 29.10.16, that means just 16 days after creating. It is surely, not a DNS problem as the domain exists since years domain can be resolved, I think the error code is missleading and it is why the DNSSEC record has expired.
First just 16 day ist not a good value
Second where can I enter a better value
Third who to update the DNSSEC records in ISPConfig, just disable and enable it and then updateing the record the record at DENIC.
I think even with one domain it is not practible to have to update the records every 16 day, even the default in https://linux.die.net/man/8/dnssec-keygen is 30 days. Even more it is not practible if you have more or a lot of domains.

Need solution

Rainer

 

Sorry, but you seems to be the primary ISPConfig developer, you wrote the manual, which did not help here. I do not know if it is necessary to implement a new function or if a renewal is possible right now. I did some research and learnt the ZSK should be changed often, i.e. every month, so it will be nice to do this with cron i.e.
I found al lot on the internet how to create the keys, but I am afraid to change something manualy, may be I disturb ISPConfig functions.

This a I ISPConfig support forum, so

is an easy answer but do net help. Who when not you implemeted that feature and can help.

Thank you

Rainer

Seams even your mailer uses DNSSEC as I do no more receive your notifications sind my DNSSEC records are expirered.

 

Thank you, I will check, I think that will help

Rainer

 

The is no cronjob, manualy starting php /usr/local/ispconfig/server/lib/classes/cron.d/550-bind_dnssec.inc.php results in

But looking at cron.log I found

but it seams it does not the job, as expiring date is still 29.10.16

So maybe Alexander Täffner aka dark alex will or can help

Thank you

Rainer

P.S. Server running the primary DNS is the master server
Server is Debian 8 i386 latest patches

 

Code:

php /usr/local/ispconfig/server/cron_debug.php --cronjob=550-bind_dnssec.inc.php

But you need

Code:

  public function onPrepare() {
  global $app;

  parent::onPrepare();
  }

  public function onBeforeRun() {
  global $app;

  return parent::onBeforeRun();
  }

  public function onAfterRun() {
  global $app;

  parent::onAfterRun();
  }

in the cron-class (just after class cronjob_bind_dnssec extends cronjob { )

 

Hello Florian,
first I inserted code direct after "class cronjob_bind_dnssec extends cronjob {"
starting the script I just get finshed in terminal and cron.log, no SOA increment.
Then I tried insert the code after the function I got the following message
PHP Parse error: syntax error, unexpected 'public' (T_PUBLIC) in /usr/local/ispconfig/server/lib/classes/cron.d/550-bind_dnssec.inc.php on line 91

Perhaps I do still something wrong.

need further help, thanks
Rainer

 

That's ok. The cron-class was processed. There is no output on the screen. You can set the loglevel to debug to see messages in the system-log when soas are found and processed.

 

I think the right version is insert your code in the function, where I got no error.
I opened a second terminal and did a tail -f /var/log/syslog but when starting the script nothing happens more than the normal outputs there.

What log level do you mean, php loglevel or which one
Thanks Rainer

 

Change the loglevel in ispconfig to debug.

 

Sorry for late response, hat be ill some day an had been in hospital
it is funny I recreated DNS Sec for 3 Domains exactly the same way and did an update at DENIC, Check them from sever DNSSEC test suites all OK.
No I realize that 1 domain, gladfully the most importend extents the expiration date, two other do not.
The system log in debug says
Nov 30 17:10:04 admin named[13251]: validating @0xb3a41ed0: . SOA: no valid signature found
Nov 30 17:10:04 admin named[13251]: validating @0xb3a41ed0: . NSEC: no valid signature found
Nov 30 17:10:04 admin named[13251]: validating @0xb3a41ed0: spreadbetting NSEC: no valid signature found

further hints?

Rainer

 

Still no response, no idea, no help, no hint

Rainer

 

Looking at table DNS_SOA the serial of all three domain is equal and at actual date, the dns_last_singed ist equal too. All other values are the same, but only one Domain advances the expiration date. Looking at /var/lib/bind the pri.domain and the pri.domain.signed has the same actual date on the working domain, on the not working domains the pri.domain files have actuel datel the pri.domain.signed not. Owner of the pri.domain.signed files on alle 3 domains is root:root while the pri.domain files of the three domains are owned by bind:bind.
So I can't find no real difference. Remember every domain is on the same server haveing bind installed, which is the admin server too in a multiserver enviorement, every server is debian jessie latest patches

Rainer

 

all sec.domain files on the slave /etc/bin/slave have actuell date but different time and are owend by bind:bind
DNS Checks say SOAs of master and slave are consistant. There are no .signed records on the slave. I agree ispconfig works regarding updateing the database, but there seams to be a problem updateing the dns files, which is funny as one ist updated butt two others not, they are in the same directory and have the same owner

Rainer

 

It is not a master slave setup it is just a primary an secondary DNS setup.
DNS Check from dnsstuff.com reports on the failing domain

and on the working domain

Field in the database working domain

and from the not working domain

Still there is no problem in Bind as it updates the secondary DNS if there a new resource records.
The problem is that the expiration date of muekno.de DNSSEC is advanced correct in the database and the finaly bind files, while the expiration of naec.de is not. indns.com does not indicate error but seam to not check dnssec.

ISPConfig does only write the files for one domain (muekno.de) correct, but not on another (naec.de)
Rainer