The Community Forums


DNSONLY questions

Discussion in 'Bind / DNS / Nameserver Issues' started by mtindor, Oct 18, 2015.

  1. mtindor

    mtindor Well-Known Member

    In my mind the DNSONLY documentation / Cluster Configuration documentation absolutely does not explain how to achieve what I'm wanting to achieve.

    1. For now, I want to use the primary IP of each CPANEL hosting server as the primary nameserver

    No problem here, already doing this.

    2. I'd like to use a DNSOnly server as the secondary nameserver for all CPANEL servers

    3. I don't want any CPANEL servers to know about any DNS zones from any other servers.

    This seems like this is how it should be. But if this cannot be accomplished, I'd ask that somebody help me to understand why it shouldn't be this way.

    Below is a description of my setup and what I expected [just testing now].

    cp1 through cp5 CPANEL servers are handling primary nameserver chores on each server respectively.

    On the DNSONLY box I enabled clustering. I did NOT add any trust relationships / CPANEL servers or DNSONLY servers under the DNS Cluster section on the DNSONLY box.

    On cp5 I enabled DNS Clustering. then, on cp5 I went and added a new server to the cluster. I set the backend as "cpanel". I entered in the hostname of the DNSONLY server. I entered in the access hash from the "Remote access key" area of the DNSONLY box. I set the DNS Role to "write-only". I UNcheckmarked the "setup reverse trust relationship" box and created the server association.

    cp5 has been successfully syncing records, one-way, TO the DNSONLY server for many many months now.

    Today, I logged into cp4 and enabled DNS Clustering. Then, on cp4 I went and added a new server to the cluster. I set the backend as "cpanel". I entered in the hostname of the DNSONLY server. I entered in the access hash from the "Remote access key" area of the DNSONLY box. I set DNS Role to "write-only". I UNcheckmarked the "setup reverse trust relationship" box and created the server association.

    On the DNSONLY box no servers show up under DNS Clustering -- and I would not expect them to.

    On cp4 and cp5, the DNSONLY box shows up as a server under DNS Clustering, "write-only". That is what I would expect.

    In the end it was my expectation that cp4 and cp5 would sync records ONE-WAY _UP_ to the DNSONLY box. That seems to be working. On the DNSONLY box I see the DNS Zones from cp4 and cp5.

    On cp4 and cp5, in /var/named, the only DNS zones I see anywhere are ones local to the machine -- meaning that on cp4 I see _only_ locally hosted website domains in /var/named/* and on cp5 I see _only_ locally hosted website domains in /var/named/*. Again, this is what I would expect/hope.

    Now, here is where the confusion comes in...

    If I log into cp4's WHM and go to "Edit DNS Zone", I see a list of all of the local DNS zones from cp4 PLUS all of the DNS zones from cp5. Conversely, if I log into cp5's WHM and go to "Edit DNS Zone", I see a list of all of the local DNS zones from cp5 PLUS all of the DNS zones from cp4.

    I understand how/why this would be. There are no servers configured under DNS Cluster on the DNSONLY box. And on cp4 and cp5 there is just one server configured, the DNSONLY server -- and the configuration is "write-only" and, when I initially set those associations up, I specifically unchecked the box to "setup reverse trust relationship."

    So presumably, there would be no way for cp4 to see/access/edit any of cp5's domains, or vice versa.

    I don't get it. I'd really like some enlightenment from somebody at cPanel regarding this.

    a. IS this expected behavior?

    Maybe this is how it should be and maybe I'm just not understanding the ramifications of having [what I expected] absolute isolation of cp4 and cp5 zones so that one couldn't see/edit cp4 zones in cp5's "Edit DNS Zone" and vice versa.

    b. I simply would not expect cp4 to be able to see a list of cp5 zones, and vice versa, considering there are no servers configured in DNS Cluster on the DNSONLY box AND there is not supposed to be any reverse trust.

    Please help me to understand this, cPanel folks.

    Thanks!

    Mike
     
  2. mtindor

    mtindor Well-Known Member

    To be clear about my real questions...

    I don't see cp5 DNS zones in /var/named on cp4, and I don't see cp4 DNS zones in /var/named on cp5. That's great. I wouldn't expect to see that, and wouldn't want to see that.

    I also don't "care" that cp4 can see cp5's DNSs in cp4 WHM --> Edit DNS, and vice versa... as long as the actual DNS zones from cp4 aren't showing up in /var/named on cp5 and vice versa.

    1. Given the fact that (a) there is supposedly no reverse trust relationship set up and the DNSONLY server has NO server associations listed under "DNS Cluster", how in the world does every cPanel box have the permission / ability to see/edit DNS zones from other servers? Sounds like there is a reverse trust set up somewhere.

    NOTE: Even though I can log into cp4 WHM, go to "Edit DNS Zone" and see mydomain.com (which is on cp5), I cannot edit it. It says "Failed to fetch zone mydomain.com.db". So I guess that makes sense, since there is no reverse trust.

    I'm just baffled at why a list of all domains from the DNSONLY box end up showing up under "Edit DNS Zone" on individual machines.

    2. If this is expected behavior, please help me to understand why individual CPANEL servers should be able to see a list of all of the domains on the DNSONLY box when logged into the local CPANEL server WHM - Edit DNS Zone.

    3. And since I didn't set up a reverse trust relationship, I'm now wondering if I should.

    If I did set up a reverse trust relationship when adding the DNSONLY server to each CPANEL box under DNS Cluster, does that mean I would then (a) be able to see a list of all domains on the DNSONLY server AND (b) be able to successfully edit them?

    4. How would cPanel recommend that this be done, knowing that:

    - cp1 through cp5 are at one location
    - DNSONLY is at another location
    - I'd like to use the DNSONLY for secondary nameservice for cp1 through cp5

    I think I'm doing it the recommended way (given that I only have one DNSONLY box). But I am now curious about whether there should actually be a reverse trust.

    Thanks

    Mike
     
  3. sneader

    sneader Well-Known Member

    I completely agree with you... you should NEVER see cp5's zones anywhere on cp4 and vice versa. Just think if you had 10 cPanel servers clustered to your DNS Only box. If every cPanel server had 300 domains hosted (a low number for most dedicated boxes), that means when you edit DNS in WHM, you are now going to see a list of 3,000 domains. Confusing... and just silly.

    I'm subscribed to this thread and will be waiting to hear what the answer is (bug, intended feature, or misconfiguration).

    - Scott
     
  4. mtindor

    mtindor Well-Known Member

    Should be interesting. As we discussed, not only does "Edit DNS" on any of the boxes show ALL zones on the DNSONLY box, but it doesn't differentiate between which ones are local and which ones are not. So unless you know every domain you host and on what server it is hosted off the top of your head, you have to actually click on a domain and attempt to edit it just to know whether it's local or not. If you can edit it, it's a zone from the local server. If you can't edit it, it's a zone from another server [but you don't know from which other server].

    Mike
     
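As an added example (not from this thread and not cPanel's own tooling), a POSIX shell check for the problem Mike describes above: instead of clicking each domain in "Edit DNS Zone" to find out whether it is local, test for the zone file on disk. It assumes, as the thread states, that a server's own zones live at /var/named/<zone>.db while zones that only appear through the cluster listing have no such file; the zone names below are constructed.

```shell
#!/bin/sh
# Added example: classify zone names shown in WHM "Edit DNS Zone" as local
# (a readable zone file exists under the named directory) or remote (no file,
# so an edit would fail to fetch it, as seen in the thread).

# is_local_zone DIR ZONE -> exit 0 when DIR/ZONE.db exists and is readable
is_local_zone() {
    [ -r "$1/$2.db" ]
}

# classify_zones DIR ZONE... -> one line per zone: "<zone> local" or "<zone> remote"
classify_zones() {
    dir=$1; shift
    for z in "$@"; do
        if is_local_zone "$dir" "$z"; then
            printf '%s local\n' "$z"
        else
            printf '%s remote\n' "$z"
        fi
    done
}

# count_remote DIR ZONE... -> number of listed zones with no local zone file
count_remote() {
    dir=$1; shift
    n=0
    for z in "$@"; do
        is_local_zone "$dir" "$z" || n=$((n + 1))
    done
    echo "$n"
}

# Constructed demo: a throwaway directory standing in for /var/named with two
# local zones; the third name is only "visible" via the cluster listing.
# On a real server pass /var/named and the names from "Edit DNS Zone" instead.
demo_dir=$(mktemp -d)
: > "$demo_dir/cp4-site-one.example.db"
: > "$demo_dir/cp4-site-two.example.db"
classify_zones "$demo_dir" cp4-site-one.example cp4-site-two.example cp5-site.example
echo "remote zones: $(count_remote "$demo_dir" cp4-site-one.example cp5-site.example)"
rm -rf "$demo_dir"
```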
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  6. sneader

    sneader Well-Known Member

    Thanks, Michael. Voting!!! And I see I'm not alone :)

    - Scott
     