In Progress BWG-3537 - No DNSSEC on cPanel subdomains

[DennisMidjord]

Okay, this might be difficult for me to explain, but I hope it's understandable.

We've just configured DNSSEC for our primary domain (let's use example.com as an example). DNSSEC for example.com was fully working.
After a while, a customer contacted us, stating they had issues with accessing cPanel on server1.example.com - and looking into it, server1.example.com didn't even respond to DNS queries because the domain wasn't configured with DNSSEC keys.

Disabling DNSSEC on example.com fixed the issue (after a few minutes).
Why is it that no keys are setup for the subdomains that we use for cPanel? What do we need to do to fix this?

 

[cPRex]

Hey there! Did the subdomains have a unique zone file from the parent domain? As in, did sub.domain.com had a separate zone file than domain.com? If so, we have an article on how to make sure those get setup with DNSSEC here:

Enable DNSSEC for a subdomain zone

Introduction This article discusses the steps needed to authorize DNSSEC validation for a child zone of a subdomain. Procedure Sometimes it becomes necessary to separate a subdomain into it...

support.cpanel.net

You can check the DNSSEC setup using the details here:

How do I know if DNSSEC is enabled on a domain?

Question My domain resolves on some networks but not in others, and I've ruled out a firewall, network issue, and propagation. What might be causing the problem? Answer Domain owners typically en...

support.cpanel.net

Let me know if that isn't exactly what you were experiencing and I can try and get you more applicable information.

 

[DennisMidjord]

Did the subdomains have a unique zone file from the parent domain?

Yeah, they do. Is there any way to not have this done? It seems that cPanel does this automatically when we setup the server.

Edit: Oh, I actually see that it's apparently only one server that has it's own zone (server1.example.com). We have a lot of other servers where this is not the case. How come?

 

[DennisMidjord]

Alright, I might need a bit more of your help, @cPRex.
Our name servers are on the same domain as our "main" domain (example.com). These are called ns1.example.com, ns2.example.com and ns3.example.com.
How would we define DS keys for those? Wouldn't it cause loops if we defined NS records for ns1, ns2 and ns3 in the example.com zone and pointed them to... well, ns1, ns2 and ns3?

Couldn't we just remove the zones for ns1, ns2 and ns3? A and AAAA records are defined for these in the example.com zone.

I tried to define DS records in the example.com zone, but I couldn't select anything but 1-Sha-1 as digest type, no matter what algorithm I chose.

 

[cPRex]

Yes, I always recommend removing zone files that are just for the nameservers and managing everything through the main "domain.com" zone.

Can you get me more details on the digest type issue so I can test that?

 

[DennisMidjord]

Yes, I always recommend removing zone files that are just for the nameservers and managing everything through the main "domain.com" zone.

Alright, I'll work on that tomorrow. Thanks! What's the reason that some servers has their own zone file created (eg. our server1.example.com and ns1, ns2 and ns3)?

Can you get me more details on the digest type issue so I can test that?

Yes, sure. See this gif: https://i.imgur.com/iRAkGZr.gif

 

[cPRex]

For the nameserver question, let's use ns1.domain.com as an example. If you have this nameserver setup in WHM, but you have not created domain.com on the system yet, clicking the "Conifgure address records" button in the WHM >> Basic WebHost Manager Setup page will create the ns1.domain.com zone files. This allows them to resolve in DNS even without the main domain.com zone existing.

Videos and screenshots? All the time. But this is my first gif in many years of support :D

The DS record gets based off the DNSSEC key that was originally created, so it's possible that is the only digest available for your particular key.

 

[DennisMidjord]

The DS record gets based off the DNSSEC key that was originally created, so it's possible that is the only digest available for your particular key.

I'm just generating everything through cPanel.
I went to the server1.example.com DNSSEC management interface, created the keys. Then I went to example.com zone, set NS records for server1 to point to ns1.example.com, ns2.example.com and ns3.example.com. After this, I tried creating the DS keys - but I couldn't choose the right algorithm.
I'm still having that issue.

I'm also not able to see any of the existing DS records for our root domain (example.com) through WHM > Zone Manager.
When looking in the DNS zone file on our name server, I see that the DS records are configured like this:

example.com.    86400   IN      TYPE257 \# 17 <hidden>
example.com.    86400   IN      TYPE257 \# 19 <hidden>

If I create a new DS record, it's appearing as DS instead of TYPE257.

 

[cPRex]

Alrighty - I see where my confusion was. You were looking in WHM and I was looking in cPanel.

I also only see one digest option on my end so I'm looking into this now and I'll update you soon.

 

[cPRex]

I also am only seeing one option on the dropdown when I do my testing. I'm going to speak with our developers on this to see if they can get me more details on how that is supposed to work, or if this is an issue with the interface. It might be a bit before I hear back, but I'll mark this ticket as "In Progress" so I don't miss it. I'll update it as soon as I get a reply, but it might be a few days, especially with the weekend coming up.

It's also worth noting that you can still see the automatically-created DS records within the DNSKEYS area of the Zone Editor in cPanel, so if you need to copy those over to your registrar you can.

 

[SimpleTechGuy]

Hi, resurrecting this old post. I was going through the server and rotating keys and realized that I ran into this problem a long time ago and just decided not to fix it, but now I really want to get dnssec working properly. Pretty much exactly the same issue here. Just wondering if this was solved or if there is a workaround.

Basically my whm was set to server.example.com and whmcs runs on example.com. Need to setup dnssec for server.example.com but trying to add ds record to example.com for server.example.com I need to use algorithm 13 and sha-256 digest type but it's not available.

Thanks!

 

[cPRex]

@SimpleTechGuy - in one of my earlier replies, I linked this article:

Enable DNSSEC for a subdomain zone

Introduction This article discusses the steps needed to authorize DNSSEC validation for a child zone of a subdomain. Procedure Sometimes it becomes necessary to separate a subdomain into it...

support.cpanel.net

Is that not sufficient to get things working on a subdomain?

 

[SimpleTechGuy]

Hi @cPRex thanks for following up. The problem is that when you follow those steps you run into this problem where not all of the options are available in the zone manager when adding the DS record. I need to use algorithm 13 and Digest Type sha-256 (algorithm 2).

Here is a gif posted by @DennisMidjord:

https://i.imgur.com/iRAkGZr.gif

 

[cPRex]

Thanks for that clarification. I've reached out to the DNS team and I'll let you know what they say when I hear back. This one will likely be a few days.

 

[SimpleTechGuy]

Thanks for that clarification. I've reached out to the DNS team and I'll let you know what they say when I hear back. This one will likely be a few days.

Thanks! I'll follow up in a few days. Really appreciate the help here.

 

[cPRex]

Sure thing!

 

[cPRex]

Update - I'm hoping to hear back today about this one.

 

[cPRex]

Alright, our team has opened an internal case with the developers to see what all we need to do to make this happen on our end. I'll continue to post updates as I get them.

 

[SimpleTechGuy]

Excellent, thanks so much for keeping active on this. Hoping it's an easy fix!

 

[SimpleTechGuy]

Hi, just following up. Do you think this is something that might be figured out soon, or should I look start trying to find another solution?