DNSSEC : unsigned zone

Discussion in 'Developers' Forum' started by francoisPE, Sep 27, 2021.

  1. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    On ISPC 3.2.6 with Ubuntu 20.04 servers,
    I create a DKIM record through the API.
    dbispconfig seems OK, and pri.domain.tld is created with the DKIM record inside.
    But this record is not in my pri.domain.tld.signed.
    I run the API dns_zone_update function. I can see that pri.domain.tld is new,
    but there is no pri.domain.tld.signed file.
    I tried grep name /var/log/syslog... Nothing visible.
    Any idea?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Enable server debugging, change something in that dns zone, and run server.sh manually to see what is going on. Post the results here if you need further help identifying the problem.
     
  3. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I found out that the 'sign zone DNSSEC' toggle in the DNS zone was disabled... So it doesn't sign! Very logical...
    I don't know why this toggle was disabled...
    Normally, I drive my config by API only...

    Thanks a lot for your help! :)
     
    Last edited: Sep 27, 2021
  4. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Finally, this is an issue in my script...
    I turned on debug and ran server.sh.
    It gives
    Code:
    27.09.2021-19:28 - DEBUG - safe_exec cmd: cd '/etc/bind'; named-checkzone 'client102.fr' '/etc/bind/pri.client102.fr' | egrep -ho '[0-9]{10}' - return code: 1
    27.09.2021-19:28 - ERROR - DNSSEC Error: Error in Zonefile for client102.fr
    
    I try
    Code:
    cd '/etc/bind'; named-checkzone 'client102.fr' '/etc/bind/pri.client102.fr'
    zone client102.fr/IN: loaded serial 2021
    OK
    
    I understand I have to look at my zone definition... but at what?
    My script was signing correctly (MX, SPF, ...) before the DKIM record entry...
     
  5. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I think I found it.
    In my DKIM pub key there are "" (two double quotes); these seem to disappear
    Code:
    $dns_record = str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$dkim_public);
    $dns_record = str_replace(array("\r\n", "\n", "\r"),'',$dns_record);
    $dkim_txt = 'v=DKIM1; t=s; p='.$dns_record;
    and
    $params = ... 'data' => $dkim_txt, ...
    
    It seems to be at the $params level (\" required?)
     
    Last edited: Sep 27, 2021
  6. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I solved my issue.
    I had LF in my pubkey. My str_replace calls were not appropriate.
    Now it works :)
     
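The root cause traced through posts 4 to 6 is a DKIM TXT value that still carried line-break residue from the PEM key, which broke the zone file, which in turn made the DNSSEC signing step bail out with "Error in Zonefile". Below is an added example (not ISPConfig's code and not the poster's script, written in Python rather than the PHP of the thread) of doing that PEM-to-"p=" conversion defensively and checking the TXT data before it ever reaches a zone file. It assumes an RSA SubjectPublicKeyInfo in PEM as openssl prints it, and a BIND-style zone file where a raw newline, a backslash or an unescaped double quote inside TXT data will fail named-checkzone. The sample key is constructed (a DER SEQUENCE of zero bytes sized like a 2048-bit key, not a real key), and the "escaped line breaks" variant is an assumed failure mode built for the demo, not something the post states happened.

```python
"""Turn a PEM public key into a DKIM TXT record safe for a BIND zone file.

Added example, not ISPConfig's or the thread's code.  Assumptions:
- input is an RSA SubjectPublicKeyInfo PEM (-----BEGIN PUBLIC KEY-----)
- output goes to a BIND-style zone file, where raw newlines, backslashes
  or unescaped quotes inside the TXT data break named-checkzone
"""
import base64
import re

PEM_HEADER = "-----BEGIN PUBLIC KEY-----"
PEM_FOOTER = "-----END PUBLIC KEY-----"
TXT_CHUNK = 255  # RFC 1035 <character-string> limit per quoted string

# Constructed sample: a DER SEQUENCE wrapping an OCTET STRING of zero bytes,
# sized like a 2048-bit RSA SubjectPublicKeyInfo.  NOT a real key; it only
# gives the functions below a realistic length (the base64 is 540 chars).
_FAKE_DER = b"\x30\x82\x01\x90" + b"\x04\x82\x01\x8c" + bytes(0x18C)
_B64 = base64.b64encode(_FAKE_DER).decode()
SAMPLE_PEM = (PEM_HEADER + "\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n" + PEM_FOOTER + "\n")
# Same key after some layer escaped the line breaks instead of keeping
# them: an assumed failure mode, constructed here for the demonstration.
SAMPLE_PEM_ESCAPED = SAMPLE_PEM.replace("\n", "\\n")


def naive_p(pem: str) -> str:
    """Mirror of the str_replace() chain in post 5: header, footer and real
    CR/LF removed, nothing else checked."""
    for junk in (PEM_HEADER, PEM_FOOTER, "\r", "\n"):
        pem = pem.replace(junk, "")
    return pem


def pem_to_p(pem: str) -> str:
    """Return the base64 body of the key with every kind of whitespace gone,
    and refuse anything that is not clean base64 decoding to a DER SEQUENCE."""
    body = pem.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = body.replace("\\r", "").replace("\\n", "")  # literal two-char escapes
    body = re.sub(r"\s+", "", body)                   # real CR, LF, spaces, tabs
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("key body is not clean base64 after stripping")
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:  # SubjectPublicKeyInfo starts a SEQUENCE
        raise ValueError("decoded key does not start with a DER SEQUENCE")
    return body


def is_safe_txt(data: str) -> bool:
    """True when every character is printable ASCII and none would need
    escaping inside a quoted zone-file string."""
    return all(0x20 <= ord(c) <= 0x7E and c not in '"\\' for c in data)


def zone_txt_rr(name: str, data: str, ttl: int = 3600) -> str:
    """Render one TXT RR, splitting data into <=255-byte quoted strings
    (a 2048-bit key does not fit in one <character-string>)."""
    if not is_safe_txt(data):
        raise ValueError("TXT data contains characters unsafe for a zone file")
    chunks = [data[i:i + TXT_CHUNK] for i in range(0, len(data), TXT_CHUNK)]
    return f"{name} {ttl} IN TXT " + " ".join(f'"{c}"' for c in chunks)


def build_dkim_rr(selector: str, pem: str) -> str:
    """Selector + PEM -> complete DKIM TXT RR, same tag layout as post 5."""
    return zone_txt_rr(f"{selector}._domainkey", "v=DKIM1; t=s; p=" + pem_to_p(pem))


if __name__ == "__main__":
    print(build_dkim_rr("default", SAMPLE_PEM))
    # The naive chain leaves backslash-n residue in the escaped variant, and
    # that residue is exactly what the zone-file check rejects.
    leftover = "v=DKIM1; t=s; p=" + naive_p(SAMPLE_PEM_ESCAPED)
    print("naive result safe for zone file:", is_safe_txt(leftover))
    print("defensive result safe for zone file:",
          is_safe_txt("v=DKIM1; t=s; p=" + pem_to_p(SAMPLE_PEM_ESCAPED)))
```

Two practical notes. First, whatever produces the record, run named-checkzone on the resulting file before handing the zone to the signer; a TXT value with a stray control character is the classic way to get a zone that "looks fine" in the database but never produces a .signed file. Second, the debug line in post 4 pipes named-checkzone through egrep -ho '[0-9]{10}', so that check only passes when the tool prints a ten-digit serial, which is worth keeping in mind when a zone loads cleanly by hand yet ISPConfig still reports a zone-file error.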
