I know you do not use DNSSEC as you postet earlier, but you implememted it. I added DNSSEC to my domain on 23.10.16. Now as some mailers reject my mail with "domain not found" (error 450 4.1.8) I did the DNS check from DNSSTUFF.COM and found out, that all is ok except the "DNSSEC SOA record date check" which has expired 29.10.16, that means just 16 days after creating. It is surely, not a DNS problem as the domain exists since years domain can be resolved, I think the error code is missleading and it is why the DNSSEC record has expired. First just 16 day ist not a good value Second where can I enter a better value Third who to update the DNSSEC records in ISPConfig, just disable and enable it and then updateing the record the record at DENIC. I think even with one domain it is not practible to have to update the records every 16 day, even the default in https://linux.die.net/man/8/dnssec-keygen is 30 days. Even more it is not practible if you have more or a lot of domains. Need solution Rainer
I do not use it and I did not implement it. If you have a request to change something in that function, then please post it in the bugtracker.
Sorry, but you seems to be the primary ISPConfig developer, you wrote the manual, which did not help here. I do not know if it is necessary to implement a new function or if a renewal is possible right now. I did some research and learnt the ZSK should be changed often, i.e. every month, so it will be nice to do this with cron i.e. I found al lot on the internet how to create the keys, but I am afraid to change something manualy, may be I disturb ISPConfig functions. This a I ISPConfig support forum, so is an easy answer but do net help. Who when not you implemeted that feature and can help. Thank you Rainer Seams even your mailer uses DNSSEC as I do no more receive your notifications sind my DNSSEC records are expirered.
You started your post with a false claim that I implemented this function and I corrected you in my post and you know already that I don't use it. But I know that a lot of people use it and as nobody else seems to have a problem with renewals, so it is most likely a configuration error on your system or domain or the daily ispconfig cronjob in root crontab is not running which executes the 550-bind_dnssec.inc.php cronjob at 3:30 every day that increases the serials. You can see in the bugtracker which developer developed which part of code, in this case the code includes "DNSSEC-Implementation by Alexander Täffner aka dark alex".
The is no cronjob, manualy starting php /usr/local/ispconfig/server/lib/classes/cron.d/550-bind_dnssec.inc.php results in But looking at cron.log I found but it seams it does not the job, as expiring date is still 29.10.16 So maybe Alexander Täffner aka dark alex will or can help Thank you Rainer P.S. Server running the primary DNS is the master server Server is Debian 8 i386 latest patches
Code: php /usr/local/ispconfig/server/cron_debug.php --cronjob=550-bind_dnssec.inc.php But you need Code: public function onPrepare() { global $app; parent::onPrepare(); } public function onBeforeRun() { global $app; return parent::onBeforeRun(); } public function onAfterRun() { global $app; parent::onAfterRun(); } in the cron-class (just after class cronjob_bind_dnssec extends cronjob { )
Hello Florian, first I inserted code direct after "class cronjob_bind_dnssec extends cronjob {" starting the script I just get finshed in terminal and cron.log, no SOA increment. Then I tried insert the code after the function I got the following message PHP Parse error: syntax error, unexpected 'public' (T_PUBLIC) in /usr/local/ispconfig/server/lib/classes/cron.d/550-bind_dnssec.inc.php on line 91 Perhaps I do still something wrong. need further help, thanks Rainer
That's ok. The cron-class was processed. There is no output on the screen. You can set the loglevel to debug to see messages in the system-log when soas are found and processed.
I think the right version is insert your code in the function, where I got no error. I opened a second terminal and did a tail -f /var/log/syslog but when starting the script nothing happens more than the normal outputs there. What log level do you mean, php loglevel or which one Thanks Rainer
Sorry for late response, hat be ill some day an had been in hospital it is funny I recreated DNS Sec for 3 Domains exactly the same way and did an update at DENIC, Check them from sever DNSSEC test suites all OK. No I realize that 1 domain, gladfully the most importend extents the expiration date, two other do not. The system log in debug says Nov 30 17:10:04 admin named[13251]: validating @0xb3a41ed0: . SOA: no valid signature found Nov 30 17:10:04 admin named[13251]: validating @0xb3a41ed0: . NSEC: no valid signature found Nov 30 17:10:04 admin named[13251]: validating @0xb3a41ed0: spreadbetting NSEC: no valid signature found further hints? Rainer
Looking at table DNS_SOA the serial of all three domain is equal and at actual date, the dns_last_singed ist equal too. All other values are the same, but only one Domain advances the expiration date. Looking at /var/lib/bind the pri.domain and the pri.domain.signed has the same actual date on the working domain, on the not working domains the pri.domain files have actuel datel the pri.domain.signed not. Owner of the pri.domain.signed files on alle 3 domains is root:root while the pri.domain files of the three domains are owned by bind:bind. So I can't find no real difference. Remember every domain is on the same server haveing bind installed, which is the admin server too in a multiserver enviorement, every server is debian jessie latest patches Rainer
Ok, so ispconfig seems to do it's work fine then for all domains. Did you check the domain which behaves differently with e.g. intodns.com? Maybe there is a problem that a slave dns does not load the updated data or something similar.
all sec.domain files on the slave /etc/bin/slave have actuell date but different time and are owend by bind:bind DNS Checks say SOAs of master and slave are consistant. There are no .signed records on the slave. I agree ispconfig works regarding updateing the database, but there seams to be a problem updateing the dns files, which is funny as one ist updated butt two others not, they are in the same directory and have the same owner Rainer
The slave dns servers are not ispconfig mirrors, they are just dns slaves, right? As dnssec can not work on a ispconfig mirror setup and the dnssec options are hidden then. And the dnssec record on the master is correct as well as you said. The mirroring of the dns data in a bind master / slave setup happens trough bind, ispconfig is not involvd in that. ISPConfig is only responsible to write the master file which has been done correctly according to your posts. So what remains is to find out why BIND is not copying the data to the slaves correctly and you should check the syslog file to find out if there are any bind errors in regard to copying the zones. You can also try to set the slave IP addresses in the slo notify field of the master zone.
It is not a master slave setup it is just a primary an secondary DNS setup. DNS Check from dnsstuff.com reports on the failing domain and on the working domain Field in the database working domain and from the not working domain Still there is no problem in Bind as it updates the secondary DNS if there a new resource records. The problem is that the expiration date of muekno.de DNSSEC is advanced correct in the database and the finaly bind files, while the expiration of naec.de is not. indns.com does not indicate error but seam to not check dnssec. ISPConfig does only write the files for one domain (muekno.de) correct, but not on another (naec.de) Rainer
Fine, so the mirroring is done by BIND in your setup. So differences between master and slaves are a matter of BIND sync problems, ispconfig is not involved in that. So the database data and the zone file on the primary DNS server is wrong for the second domain?