how do I get DNSSEC to work

Discussion in 'Installation/Configuration' started by nokia80, May 14, 2020.

  1. nokia80

    nokia80 Member

    Hello all,

    It has been a while since I heard about DNSSEC and Mirror servers. I understand that it does not work with a mirror DNS server. However, some domain name extensions require at least 2 DNS servers.

    Now my question is: does anyone know if there is another way to get DNSSEC and multiple DNS servers working? We really need DNSSEC, so I hope there is a solution. I would love to hear it.
    elmacus likes this.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is such a way:

    1) Create the DNS zone in ISPConfig and choose the first name server as target server.
    2) Create a secondary zone in ISPConfig for the domain and choose the second server as target.

    BIND will then do the mirroring automatically, so the secondary zone just needs to be created once in ISPConfig and it will then mirror the primary zone.
    elmacus and ahrasis like this.
  3. elmacus

    elmacus Active Member

    That does not work in multiserver scenarios, as I guess he means.
    For that to work, you must turn off mirror in services first, else it will mirror and you can't add a secondary.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    It works fine on multiserver systems and it even requires the setup to be a multiserver system, but you can't use it on mirror systems, that's right. He must either turn off mirroring between the DNS nodes or he must add another DNS node to that multiserver setup that is not mirrored from master. As DNS nodes don't require much CPU power and you get small cloud servers at a rate of about 2.5 EUR today, adding another DNS node is probably an option if you can't turn off mirroring for other reasons.
  5. elmacus

    elmacus Active Member

    Th0m likes this.
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I have a setup like this, with a cheap cloud server as secondary NS. It does require some extra work for each domain to set up, but it works.
    Several DNSSEC issues are awaiting someone to solve them. I really hope someone will pick this up asap :)
  7. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Personally, I don't like the idea of slave zones just for DNSSEC. BIND will replicate everything by itself as long as the zone exists on the BIND slave. If you create a new zone (or delete a zone), you can SSH to the slave(s) and update the config file. I use a small plugin to update the slaves automatically.
    ahrasis likes this.
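
A check for the primary/secondary setup described in till's and florian030's posts, as an added example that is not from the thread or from ISPConfig: it compares `dig +dnssec +norec SOA <zone> @<server>` answers from both name servers and reports a stale serial, a missing RRSIG or an expired signature on the secondary. It assumes the primary serves the signed zone and the secondary obtains it by zone transfer; the zone name, serials, key tag and dig output are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample: answer section from the primary (signed zone).
PRIMARY = """\
;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2020051402 7200 540 604800 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20200613000000 20200514000000 12345 example.test. c2FtcGxl
"""
# Constructed sample: a secondary that holds an older, unsigned copy.
STALE = """\
;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2020051401 7200 540 604800 3600
"""

def parse_answer(dig_text):
    """Return {rrtype: [rdata field lists]} for the record lines in dig output."""
    records = {}
    for line in dig_text.splitlines():
        fields = line.split()
        # Record lines look like: name ttl IN TYPE rdata...; skip comments and blanks.
        if line.startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue
        records.setdefault(fields[3], []).append(fields[4:])
    return records

def check_secondary(primary_text, secondary_text, now):
    """Return a list of problems seen on the secondary; empty means consistent."""
    pri, sec = parse_answer(primary_text), parse_answer(secondary_text)
    if "SOA" not in pri or "SOA" not in sec:
        return ["no SOA answer from one of the servers"]
    problems = []
    # SOA rdata: mname rname serial refresh retry expire minimum
    p_serial, s_serial = int(pri["SOA"][0][2]), int(sec["SOA"][0][2])
    if s_serial != p_serial:
        problems.append(f"serial mismatch: primary {p_serial}, secondary {s_serial}")
    # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
    sigs = [r for r in sec.get("RRSIG", []) if r[0] == "SOA"]
    if not sigs:
        problems.append("secondary returns no RRSIG for SOA (unsigned copy)")
    for r in sigs:
        expires = datetime.strptime(r[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"RRSIG on secondary expired at {r[4]}")
    return problems

if __name__ == "__main__":
    print(check_secondary(PRIMARY, STALE, datetime(2020, 5, 20, tzinfo=timezone.utc)))
```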
