Hello all, It has been a while since I heard about DNSSEC and Mirror servers. i understand that it does not work with mirror dns server. however some domain name extensions require at least 2 dns servers. Now my question is anyone who knows if there is another way to get DNSSEC and multiple dns servers working? We really need DNSSEC so I hope there is a solution, I would love to hear it
There is such a way: 1) Create the dns zone in ISPConfig and choose first name server as target server. 2) Create a secondary zone in ispconfig for the domain and choose the second server as target. BIND will do the mirroring then automatically, so the secondary zone needs just created once in ISPConfig and it will mirror the primary zone then.
That does not work in multiserver scenarios, as i guess he means. For that is to work, you must turn off mirror in services first, else it will mirror and you cant add secondary.
It works fine on multiserver systems and it even requires the setup to be a multiserver system, but you can't use it on mirror systems, that's right. He must either turn off mirroring between the DNS nodes or he must add another DNS node to that multiserver setup that is not mirrored from master. As DNS nodes don't require much cpu power and you get small cloud servers at a rate of about 2.5 EUR today, adding another DNS node is probably an option if you can't turn off mirroring for other reasons.
Its not about throwing more DNS-servers at the cluster, but fix it for mirrored we already got. I guess its this: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4179 We are many waiting for this ;-) I would donate money if this gets fixed faster for mirrored DNS.
I have a setup like this, with a cheap cloud server as secundary NS. It does require some extra work for each domain to set up, but it works. Several DNSSEC issues are awaiting someone to solve them. I really hope someone will pick this up asap
personally, i don't like the idea with slave-zones just for dnssec. bind will repliacte everything by itself as long as the zone exists on the bind-slave. if you create a new zone (or delete a zone), you can ssh to the slave(s) and update the config-file. i use a small plugin to update the slaves automaticly.
