So, I want to make use of DNSSEC. But as I understand from previous posts, it's not supported when running 1x main ISPC and 1x secondary ISPC server with just DNS. So, how do I switch this to a secondary DNS server? Any tutorial or how-to on this?
No, that's not the problem. You can use DNSSEC in a multiserver system. What you can't use is mirroring for DNS. You have to create the primary and secondary record for a zone in the ISPConfig DNS manager when using DNSSEC and switch off automatic DNS mirroring.
So, it's not like turning on DNSSEC and the records are auto-generated? How do I remove my 'mirror' server and have it make use of the 'also notify' option? Or is that not possible? I went to the server and set 'is mirror' to none. Are there any other actions I should take?
That's not what I said. The DNSSEC records are auto-generated. I said you can't use server mirroring. Yes, from my first answer:
You have to choose the right server. The primary record gets created on your first DNS server (the primary DNS server) and for all secondary DNS servers, you create a secondary DNS record. Take care to allow zone transfers to the IP of the secondary server in the zone settings of the primary zone.
Alright, I got it. I moved the existing pri.domain.tld files to a folder called _old:

Code:
cd /etc/bind
mkdir _old
mv pri.* _old/

I had to edit the file named.conf.local so that there were no zones in it, then restart bind9. Then I edited the DNS zones to have both my servers in zone transfer, updates and notify. Then I created the secondary zones. Seems to work.
@till So if this is the data shown in the DNS Manager (randomized of course), I put the data from the ZSK and KSK at my domain registrar, right? Then it takes about 24 hours before I see my new records appear?

Code:
DS-Records:
mydomain.tld. IN DS 46164 7 1 5lASDFLKJ2461JL1KJ147ASDJKLBA
mydomain.tld. IN DS 46164 7 2 C809ASH0897A987ASDG98ADH9AH98EC6BE59ED3380EF5CBD80BB67422 7GF4ADE43
------------------------------------
DNSKEY-Records:
; This is a zone-signing key, keyid 44915, for mydomain.tld.
; Created: 20191229182902 (Sun Dec 29 18:29:02 2019)
; Publish: 20191229182902 (Sun Dec 29 18:29:02 2019)
; Activate: 20191229182902 (Sun Dec 29 18:29:02 2019)
mydomain.tld. IN DNSKEY 256 3 7 KslkjrdghlkjwJjasdlbkjaJAKJnalkja45jakf97tTn5Q5rlSE92vX2 JMdcvu/KgLigsSVbYZOqzXqE9VVeNCLAbzLxqM0stehUIdfSvQhvhmxf E+AIiD+LMkLx1CanRQfFc2E5UZABKnlRPExt39BKJmEiu1k85bqitSXF 8uElAhksjfnZbPJmgMRtdgPc/4xqwSqH8NR1XPgIK83IwQrnaJ/zRJ5r 5Gff9ff6TEdNPilcV7Pr7volVGypYqmAsOcBZkQdZIuS+orP2FjYHCY1 k0d3rf78HPTtFz1r0RTssORPhD5FL55kDHZq5ivWYcedQ7H5MYOv4jXR rUbzpuVbdX8=
; This is a key-signing key, keyid 46164, for mydomain.tld.
; Created: 20191229182903 (Sun Dec 29 18:29:03 2019)
; Publish: 20191229182903 (Sun Dec 29 18:29:03 2019)
; Activate: 20191229182903 (Sun Dec 29 18:29:03 2019)
mydomain.tld. IN DNSKEY 257 3 7 KslkjrdghlkjwJjasdlbkjaJAKJnalkja45j+1+4OZFEXSOUg//swyza 5yCnl/RTiwP5jh++VqpYpdC64iWvvvzMhItE5zO4UIl05c9P70pSq6Ul 9zij9LWEdbx/WRZriyqgdvU9Fe+Aunk9wR0g1hZsqE8buooJfstxzk07 VehlIpRFPJGY0y94owWQchPZBklFxPtqX0VlTa2IkO8mqGYLKuWPll+y e1gcgOri42LSzyCGru/8z8RT5o8/hOVcBVhjflh6+U+8682h8oDal4AF zbetoM7ovjlCGLoiJ53oRzFjGwQYaRgVWffDOuNsZGwKGhITGi+GhR30 A4WHgprj4U0BfRjNbcPNdk+bfBonvAsUsCIOBibbS7Ugm3BR/WZUJMTr LzNU3AtClbmOiJJkcdf4psJhJpK13qRDCK6EmyCcBClUgWZGaU3x53Sh 4GsikmWJkGh79SfREKRFWvH8dvNubu4L+zI1Dgy/Y/WSGnHvO//wwUPW WG/hB93JNJjz6+EnuCTGXlG56bgYTVC2otWsOB8vzB0XtM/dy4pxEAvH aI82saQpf/OUhDR/FmmOBdIDzHklm9WES/JdaBpvgXSCXDINxAQ66Ivp 0dZBoP2cJbTYZfCi3VKBA2GaIkYQnCJEfHAWDS3o5Tw7/Hx6GcCoHcHP CapfYqIlcptACM+H

The second DNS server's sec.domain.tld files aren't readable. That is correct, yes? Not really clear on which data I have to fill in @ transip.nl. They ask for a keytag. Do I only enter the KSK? And what is the data? Is that the stuff from the DS records? Then it just keeps saying wrong KSK tag.
Okay, so I had a 'multiserver' setup. Basically 1 host for all services and 1 secondary DNS server which was mirroring the DNS from the primary. Since I wanted DNSSEC I created this topic (as I had done before in the past, I noticed later on. Sorry @till) and required some help. After misreading a few times, here is what I did:

System -> Server Services -> Secondary server
Keep DNS checked, at the bottom set "Is mirror of Server" to -None-

Go to DNS -> Secondary Zones -> Add New Secondary Zone
Server: Secondary Server
Client: right client
DNS zone: domain.tld. (don't forget the last dot!)
NS IP address: I used the same as I did for my primary zone
Allow zone transfers to these IPs (comma separated list): Primary server

Go to DNS -> Primary Zones -> Select Zone
Set Allow zone transfers to these IPs (comma separated list): Secondary
I set Update ACL to both DNS servers but I think you only need 1
I put the secondary in Also Notify but I don't think you need it

I think you should be good now to turn on DNSSEC. Over at TransIP I had to fill in the KSK and ZSK public data.
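The "wrong KSK tag" problem in the earlier post and the registrar form mentioned in this last one both come down to the same thing: the key tag, algorithm and digest in a DS record are derived from the KSK's DNSKEY RDATA, so a DS entry can be checked against the DNSKEY before it is submitted. The following is an added example, not ISPConfig code and not posted by anyone in this thread. It computes the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) from a DNSKEY line in the format the DNS manager shows, and verifies a DS record against it. The DNSKEY used is a constructed 4-byte placeholder (AQIDBA==), not a real key; the domain and all function names are my own.

```python
"""Derive key tag and DS digest from a DNSKEY record and check a DS record
against it (RFC 4034, Appendix B and section 5.1.4).
Added example, not ISPConfig code. The sample key is a constructed placeholder."""
import base64
import hashlib
import struct

# DS digest types from the DS record: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA, even octets shifted high."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root octet."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type) -> str:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), as uppercase hex."""
    data = owner_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return DIGESTS[digest_type](data).hexdigest().upper()


def parse_dnskey(line: str):
    """Parse presentation format 'owner [ttl] IN DNSKEY flags proto alg base64...'.
    The base64 may be split into space-separated chunks, as BIND prints it."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, protocol, algorithm = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
    pubkey = base64.b64decode("".join(parts[i + 4:]))
    return parts[0], flags, protocol, algorithm, pubkey


def is_ksk(flags: int) -> bool:
    """Flags 257 = zone key (256) + SEP bit (1): the key the registrar's DS should point at."""
    return flags & 1 == 1


def ds_records(dnskey_line: str, digest_types=(1, 2)) -> list:
    """The DS record(s) a registrar would publish for this DNSKEY."""
    owner, flags, proto, alg, pub = parse_dnskey(dnskey_line)
    tag = key_tag(flags, proto, alg, pub)
    return [f"{owner} IN DS {tag} {alg} {dt} {ds_digest(owner, flags, proto, alg, pub, dt)}"
            for dt in digest_types]


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True if the DS record (key tag, algorithm, digest) was derived from this DNSKEY."""
    parts = ds_line.split()
    i = parts.index("DS")
    tag, alg, dtype = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
    digest = "".join(parts[i + 4:]).upper()   # the digest may also be chunked
    owner, flags, proto, kalg, pub = parse_dnskey(dnskey_line)
    return (tag == key_tag(flags, proto, kalg, pub)
            and alg == kalg and dtype in DIGESTS
            and digest == ds_digest(owner, flags, proto, kalg, pub, dtype))


if __name__ == "__main__":
    # Constructed placeholder KSK: flags 257, protocol 3, algorithm 7, key bytes 01 02 03 04.
    ksk = "mydomain.tld. IN DNSKEY 257 3 7 AQIDBA=="
    _, flags, *_ = parse_dnskey(ksk)
    print("is KSK:", is_ksk(flags))
    for rec in ds_records(ksk):
        print(rec, "->", ds_matches(ksk, rec))
```

Paste the KSK line (flags 257) from the DNS manager into `ds_records` to get the DS records whose key tag must equal the keyid in the `; This is a key-signing key, keyid ...` comment; if the registrar form rejects the tag, `ds_matches` against what you typed shows whether the tag, the algorithm number or a miscopied digest is the mismatch. A DS derived from the ZSK (flags 256) is valid DNS but has to be replaced at every ZSK rollover, which is why the form asks for the KSK.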