Sign dns zone / dnssec not available

Discussion in 'Installation/Configuration' started by ispcomm, May 26, 2021.

  1. ispcomm

    ispcomm Member

    I'm trying to enable dnssec and zone signing on an old dns server, which is part of a multiserver setup.
    It was installed some years ago, but it is up to date on ispconfig 3.2.4 and services were reconfigured
    It runs bind9 on buster. There seem to be dnssec support in named.conf.option.
    named.conf.options: dnssec-enable yes;
    named.conf.options: dnssec-validation yes;
    named.conf.options: dnssec-lookaside auto;
    However, there's no "sign zone" field in the zone settings on any old or new zone.
    I think I'm missing something obvious but have no clue what.
    Any ideas?
    Thank you.
  2. ispcomm

    ispcomm Member

    Ok, so reading the source, it seems that dnssec signing is only available for primary dns servers, that have no mirrors in ispconfig.
    I'm using a secondary which is a mirror of the primary, so bummer.
    My guess is that this has something to do with the signing of the zone/records that can only be done with a single key, from the primary and can thus be only mirrored on the secondary via the standard dns mirroring procedures.
    Now, some script-fu would be in order to detach my servers and create the secondary zones for the secondary server.
    As an alternative, would it be possible to somehow copy the signing keys from the primary dns server to the mirroring dns server(s) and have them sign their own "primary" zones with the same keys as the primary dns server? I'm not fluent at all with dnssec and I hope I have not said something obscene.
    Please comment.
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Exactly, you can setup (and even automate) your zones to be on a primary server, with slave zones for any/all secondary servers.
    That is basically what needs done to make mirrored servers work with dnssec. All servers must use the same keys, so they have to be copied around; ISPConfig does not currently have any way to do that securely (ie. handle the data encrypted, rather than storing the private keys in the database in the clear and passing those around).

    Thanks to @florian030 the work to do the former is almost entirely done for you already, read through then go get Florian's and tweak whatever settings are needed.
    ispcomm likes this.
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    just let the primary sign the zones and send the signed zones to the slaves.
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    ispcomm likes this.
  6. ispcomm

    ispcomm Member

    Thank you for the quick answers.
    @florian030 I like your plugin.
    I already feel better!

Share This Page