Running CentOS 8. I have noticed this before but just ran into it again. If you have SIGNED your DNS zone, updates do NOT get propagated upwards! My secondary DNS is set to be updated automatically, but it has not been updated for a while. Doing a retransfer (having the backup contact ns10.cdbsystems.com) returns a NOAUTH error - my server rejects the request even though its (backup DNS) IP is listed under both also notify and allow transfers. And doing an update on ns10 results in no change on the backup server, and the changes are not reflected in the big bad DNS world... Now when I UNCHECK the signed box and make a change (put in a bogus A record), the backup DNS is updated immediately and retransfer/refresh requests are honored! Also, I had added a new A record 2 weeks ago (nslin) on ns10, and it has never been propagated. As of this morning, ping could not find the host. But after doing the uncheck 30 minutes ago, suddenly nslin is pingable! Something is not right here... Any ideas?
DNSSEC on mirrored setups has never been supported, because we can't transfer the keys with the classic ISPConfig mirroring. No one has picked up development for a special mirroring for DNS.
Do you use ISPConfig mirroring or BIND mirroring (via a slave zone)? Like @Th0m mentioned, DNS mirroring via ISPConfig's internal mirroring system is not supported for DNSSEC. But BIND mirroring with ISPConfig (where you create a primary zone on the first DNS server using ISPConfig and a slave zone on the secondary server via ISPConfig) works fine with DNSSEC.
The backup DNS is not ISPConfig, but it works fine with the also-notify fields, just not if DNSSEC is enabled. If I want to create my own backup DNS (ISPConfig on another Debian 12 server (LISTENING, TILL?? ARRRGH)), I assume there is a tutorial somewhere?
If your secondary server is a BIND server, then it should work out of the box; you just have to create a slave zone on the secondary server in BIND. But of course, you can replace it with an ISPConfig slave DNS node if you want, see the multiserver tutorials: https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/6/
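A way to confirm that a BIND secondary is really following the signed primary, as an added example that is not part of any reply in this thread: compare the SOA serial on both servers and check that the secondary returns RRSIG records. The zone name, addresses and `dig` answers below are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data (example.com and 192.0.2.x are placeholders).
# On real servers, capture the same output with:
#   dig +short SOA example.com @<primary>
#   dig +short SOA example.com @<secondary>
#   dig +dnssec +noall +answer www.example.com A @<secondary>
PRIMARY_SOA='ns1.example.com. hostmaster.example.com. 2024110503 7200 540 604800 3600'
SECONDARY_SOA='ns1.example.com. hostmaster.example.com. 2024102101 7200 540 604800 3600'
SECONDARY_ANSWER='www.example.com. 3600 IN A 192.0.2.80
www.example.com. 3600 IN RRSIG A 13 3 3600 20241205000000 20241105000000 12345 example.com. Q09OU1RSVUNURUQ='

# Print the serial (3rd field of the SOA RDATA).
# Prints nothing when the answer is empty or malformed, e.g. a refused query.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF == 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Compare primary and secondary serials.
# Plain numeric comparison: it ignores RFC 1982 serial wrap-around.
zone_sync_status() {
    p=$(soa_serial "$1")
    s=$(soa_serial "$2")
    if [ -z "$p" ] || [ -z "$s" ]; then
        echo no-answer
    elif [ "$s" -eq "$p" ]; then
        echo in-sync
    elif [ "$s" -lt "$p" ]; then
        echo secondary-stale
    else
        echo secondary-ahead
    fi
}

# Succeed only if the answer section carries at least one RRSIG record,
# i.e. the secondary holds the signed version of the zone.
has_rrsig() {
    printf '%s\n' "$1" | awk '$4 == "RRSIG" { found = 1 } END { exit !found }'
}

echo "zone transfer: $(zone_sync_status "$PRIMARY_SOA" "$SECONDARY_SOA")"
if has_rrsig "$SECONDARY_ANSWER"; then
    echo "secondary serves signatures"
else
    echo "secondary serves unsigned data"
fi
```

A `secondary-stale` result after a change on the primary matches the symptom in the first post; a secondary needs no DNSSEC keys of its own, because the signatures arrive as ordinary records in the zone transfer.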
OK, I may experiment with that. Now to my CentOS -> Debian migration: I have ns10 (CentOS server at 192.168.2.20) and ns11 (Debian server at 192.168.2.15). They have different public IP addresses. I've migrated everything from ns10 to ns11, and am doing it again now. ns11 is using certbot instead of acme (as we migrated from a certbot machine). Currently all A record IPs point to ns10 on both servers. Now I would like to rename server ns10 to ns5 and ns11 to ns10. The ns10 IP address would change at GoDaddy, which requires percolation. But all A record IPs still point to the ns10 server, so this process can be done safely without affecting any websites or mail flow. All accesses would keep going to the ns10 server by IP address even after ns10 changes public IP (to match ns11's current public IP). When I change ns11 to ns10 under Debian, I change /etc/hosts and the hostname. Anything else to change on the host? And changes inside ISPConfig? But I also need to recreate all LE certs for the system (current certs are for ns11, obviously). Is this where ispconfig update --force would come in? And if I then operate in phpMyAdmin on the DNS A records to change ns10-ipaddress to ns11-ipaddress and force a resync, we would be good? On ns10 (which I would rename to ns5, which already has the old ns10 IP in it) I need to do the same phpMyAdmin change to the DNS A records, but only if old ns10 continues to be a nameserver. If not, don't care. Have I missed anything?
One more thing: I have a recollection I purchased the billing module years ago. Any way to check that? I may have deleted the email.
You asked me this by email, and I sent you the billing module on Oct 23. You asked again in the plugins forum yesterday, and I explained there that I had sent it to you on Oct. 23. I've just sent it a second time now.
Thanks - I had not seen it. I'll dig it out. Thanks for all the help. I think I will repurpose one of the servers as backup DNS so that DNSSEC will work, hopefully!