
DNSSEC PowerDNS in cPanel with non-PowerDNS (and non-cPanel) slaves

Discussion in 'Bind/DNS/Nameserver' started by SunnyInMTL, Jan 20, 2018.

  1. SunnyInMTL (Member, cPanel Access Level: Root Administrator)

    Hello,

    I have my master nameserver on a cPanel server with PowerDNS. I then transfer the zones via AXFR to the slave servers of a third-party service and everything is working well, except today I noticed that the RRSIG signatures expired and the domain name is not resolving anymore.

    From the documentation: DNSSEC with PowerDNS:

    "If your DNS setup uses non-PowerDNS slaves, the slaves need to know when the signatures have been updated. This can be accomplished by setting the SOA-EDIT metadata for DNSSEC signed zones. This value controls how the value of the SOA serial is modified by PowerDNS."
    What would be the ideal way to achieve this with cPanel? Should I perhaps set up a cron script to update the SOA serials every X days?
     
  2. cPanelMichael (Technical Support Community Manager, Staff Member)

    Hello,

    DNSSEC is incompatible with DNS Clustering with PowerDNS as provided through cPanel. It's unsupported; however, there's a user-submitted workaround on the following feature request that appears to match what you are looking for:

    DNSSEC support in Clustering

    Thank you.
     
  3. SunnyInMTL (Member, cPanel Access Level: Root Administrator)

    Hi Michael,

    The issue I mentioned is not related to NSEC3's narrow mode. I had already set the narrow setting to 0 and got AXFR working with the slave servers.

    This is another issue, related to the expiration of RRSIGs.

    By manually updating the SOA serials, I got it fixed; however, having an automatic solution would be more ideal.

    From the PowerDNS documentation:

    "As RRSIGs can expire, slave servers need to know when to re-transfer the zone. In most implementations (BIND, NSD), this is done by re-signing the full zone outside of the nameserver, increasing the SOA serial and serving the new zone on the master."
    I suppose then the solution of having cron update the SOA serials every X days is the most viable one.

    Now I need to figure out the X and find out when RRSIGs expire.
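    The failure described in this thread (a slave that never re-transferred, still answering with the old serial and with RRSIGs past their expiration) can be checked from the outside. The script below is an added example written for this page; it is not code from the thread, from cPanel or from PowerDNS. It parses the answer section of `dig +dnssec +noall +answer @server zone SOA` captured from the master and from a slave, and flags a lagging serial and expired or soon-to-expire signatures. The two dig outputs embedded in it are constructed sample data (the serials, timestamps and key tag are made up to reproduce the thread's situation), and the check time (Jan 24, 2018) and the 48-hour warning window are assumptions you would replace with your own.

```python
# Added example: stale-slave check for a DNSSEC-signed zone.
# Feed it the answer section of
#     dig +dnssec +noall +answer @<server> <zone> SOA
# from the master and from each slave. Not cPanel's or PowerDNS's code.
import datetime as dt

NOW = dt.datetime(2018, 1, 24, 12, 0, tzinfo=dt.timezone.utc)  # assumed check time
WARN_WINDOW = dt.timedelta(hours=48)                            # assumed warning threshold

# Constructed sample: the cPanel/PowerDNS master, serial bumped this week, fresh RRSIG.
MASTER_DIG = """\
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2018011801 3600 1800 1209600 86400
example.com.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20180201000000 20180111000000 12345 example.com. dGVzdA==
"""

# Constructed sample: a non-PowerDNS slave that never re-transferred, so it still
# holds the old serial and a signature that expired on Jan 18.
SLAVE_DIG = """\
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2018010708 3600 1800 1209600 86400
example.com.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20180118000000 20171228000000 12345 example.com. dGVzdA==
"""


def _rrsig_time(s: str) -> dt.datetime:
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format)."""
    return dt.datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)


def parse_answer(text: str) -> dict:
    """Pull the SOA serial and every RRSIG validity window out of dig's answer section."""
    result = {"serial": None, "rrsigs": []}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":  # skip blank lines and ';' comments
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "SOA" and len(rdata) >= 7:
            # SOA rdata: mname rname serial refresh retry expire minimum
            result["serial"] = int(rdata[2])
        elif rtype == "RRSIG" and len(rdata) >= 8:
            # RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
            result["rrsigs"].append({
                "covers": rdata[0],
                "expiration": _rrsig_time(rdata[4]),
                "inception": _rrsig_time(rdata[5]),
            })
    return result


def check_slave(master_text: str, slave_text: str, now: dt.datetime = NOW) -> list:
    """Return (code, message) findings; an empty list means the slave is current
    and every signature it serves is inside its validity window."""
    master, slave = parse_answer(master_text), parse_answer(slave_text)
    findings = []
    if slave["serial"] is None:
        return [("NO_SOA", "slave returned no SOA record")]
    # Plain integer comparison is fine for YYYYMMDDSS serials; for arbitrary serials
    # you would use RFC 1982 serial arithmetic instead.
    if master["serial"] is not None and slave["serial"] < master["serial"]:
        findings.append(("SERIAL_BEHIND",
                         f"slave serial {slave['serial']} < master serial {master['serial']}"))
    for sig in slave["rrsigs"]:
        exp, inc = sig["expiration"], sig["inception"]
        if now >= exp:
            findings.append(("RRSIG_EXPIRED", f"RRSIG over {sig['covers']} expired at {exp:%Y-%m-%d %H:%M}Z"))
        elif exp - now < WARN_WINDOW:
            findings.append(("RRSIG_EXPIRING", f"RRSIG over {sig['covers']} expires at {exp:%Y-%m-%d %H:%M}Z"))
        if now < inc:
            findings.append(("RRSIG_NOT_YET_VALID", f"RRSIG over {sig['covers']} not valid before {inc:%Y-%m-%d %H:%M}Z"))
    return findings


if __name__ == "__main__":
    for code, msg in check_slave(MASTER_DIG, SLAVE_DIG):
        print(code, msg)
```

    Run against the constructed data this reports SERIAL_BEHIND and RRSIG_EXPIRED, which is exactly the state the first post describes; a slave that matches the master and whose signatures have more than 48 hours left produces no findings. Query every slave, not just one, since the third-party service may have several and they can lag independently.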
     
  4. cPanelMichael (Technical Support Community Manager, Staff Member)

    Hello,

    Thank you for the additional information. Regarding the increase to the serial in the zone file, there's a post here you may find helpful if you need help with your custom script:

    Bulk DNS Zone Update

    Thank you.
     
  5. SunnyInMTL (Member, cPanel Access Level: Root Administrator)

    Hi Michael,

    Thank you for the link to the bulk dns zone update script.

    I was thinking, instead of using a Perl script and directly replacing the SOA serials in the *.db files, could I perhaps update the serials with API2's ZoneEdit (cPanel API 2 Functions - ZoneEdit::edit_zone_record - Software Development Kit - cPanel Documentation)?

    For example, I could edit a zone record (can be a fake one or an actual one) and simulate an update without actually modifying anything. This should also update the SOA serial. Would you recommend doing this?

    To fetch all domain names, I could use WHM API1's listaccts (WHM API 1 Functions - listaccts - Software Development Kit - cPanel Documentation), then loop over each account's domains with UAPI's DomainInfo::list_domains (UAPI Functions - DomainInfo::list_domains - Software Development Kit - cPanel Documentation).

    This method might not be good for performance as it will need to do many queries, but is it more reliable?
     
  6. cPanelMichael (Technical Support Community Manager, Staff Member)

    Hello,

    Yes, I do recommend using our API for this purpose if possible. It might take a little more development work, but the use of our API is generally preferred over custom bash commands.

    Thank you.
     
  7. SunnyInMTL (Member, cPanel Access Level: Root Administrator)

    After more research, I don't think I will need to automatically update the SOA serials.

    PowerDNS has a native feature called SOA-EDIT (Domain Metadata) that allows it to serve a modified SOA serial to DNS queries while keeping the SOA serial intact in the datastore.

    If I configure the default-soa-edit-signed (List of Settings) in /etc/pdns/pdns.conf, will cPanel be able to work with it?

    Code:
    default-soa-edit-signed=INCEPTION-INCREMENT
    It mentions that inception-increment "requires your backend zone to use YYYYMMDDSS as SOA serial format. Uses localtime to find the day for inception time."

    Is YYYYMMDDSS the default SOA serial format of cPanel? My current SOA serial is set to 2018010708, so I think it is indeed following the required format.

    I will try to test it; I modified pdns.conf and restarted the DNS server; time to wait for RRSIGs to expire.
     
    #7 SunnyInMTL, Jan 24, 2018
    Last edited: Jan 24, 2018
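    Two questions were left open in this thread: in post 3, how long PowerDNS's RRSIGs live (the X for the re-transfer interval), and in post 7, what serial INCEPTION-INCREMENT actually serves and why the backend serial has to be YYYYMMDDSS with SS below 98. The script below is an added example for this page, not code from the thread, from cPanel or from PowerDNS. It models the PowerDNS behaviour as I read it in the 4.x source (getStartOfWeek, fillOutRRSIG and calculateEditSOA); treat those rules as assumptions and confirm them against the version you run. The check date (Jan 24, 2018) and the serial 2018010708 are the ones from the thread.

```python
# Added example: model of PowerDNS RRSIG validity and SOA-EDIT=INCEPTION-INCREMENT.
# Assumed rules, from my reading of the PowerDNS 4.x source (verify for your build):
#   - "start of week" is Unix time rounded down to a multiple of 7 days; the epoch
#     was a Thursday, so this is the most recent Thursday 00:00 UTC;
#   - live-signed RRSIGs get inception = start of week - 7 days and
#     expiration = start of week + 14 days (three-week validity, rolled weekly);
#   - INCEPTION-INCREMENT formats the start of week as YYYYMMDD in *local* time:
#       serial <  <inceptionday>00                  -> serve <inceptionday>01
#       <inceptionday>00 .. <inceptionday+2>99       -> serve serial + 2
#       anything later                               -> serve the backend serial as-is
import datetime as dt

DAY = 86400
WEEK = 7 * DAY


def start_of_week(now: int) -> int:
    """Unix time rounded down to a multiple of 7 days (most recent Thursday 00:00 UTC)."""
    return now - (now % WEEK)


def rrsig_window(now: int) -> tuple:
    """(inception, expiration) as Unix times for signatures generated at `now`."""
    sow = start_of_week(now)
    return sow - WEEK, sow + 2 * WEEK


def yyyymmddss(t: int, seq: int, tz=dt.timezone.utc) -> int:
    """Format a Unix time as YYYYMMDD in the given zone and append a two-digit sequence."""
    return int(dt.datetime.fromtimestamp(t, tz).strftime("%Y%m%d")) * 100 + seq


def is_yyyymmddss(serial: int) -> bool:
    """True if the serial parses as YYYYMMDDSS with SS below 98, so that the +2
    increment can never roll the sequence into the next day's range."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        dt.datetime.strptime(s[:8], "%Y%m%d")
    except ValueError:
        return False
    return int(s[8:]) < 98


def inception_increment(backend_serial: int, now: int, tz=dt.timezone.utc) -> int:
    """Serial PowerDNS serves under SOA-EDIT=INCEPTION-INCREMENT for a given backend serial."""
    inception = start_of_week(now)
    inception_serial = yyyymmddss(inception, 1, tz)                 # <inceptionday>01
    dont_increment_after = yyyymmddss(inception + 2 * DAY, 99, tz)  # <inceptionday+2>99
    if backend_serial < inception_serial - 1:                       # older than <inceptionday>00
        return inception_serial
    if backend_serial <= dont_increment_after:
        return backend_serial + 2
    return backend_serial


def weekly_serials(backend_serial: int, start: int, weeks: int, tz=dt.timezone.utc) -> list:
    """The serial a slave sees at each weekly rollover if the backend serial never changes.
    It has to rise every week, otherwise the slave has no reason to re-transfer."""
    return [inception_increment(backend_serial, start + i * WEEK, tz) for i in range(weeks)]


if __name__ == "__main__":
    utc = dt.timezone.utc
    now = int(dt.datetime(2018, 1, 24, 12, tzinfo=utc).timestamp())  # the thread's date
    inc, exp = rrsig_window(now)
    print("RRSIG inception:", dt.datetime.fromtimestamp(inc, utc),
          "expiration:", dt.datetime.fromtimestamp(exp, utc))
    print("backend serial 2018010708 is served as", inception_increment(2018010708, now))
    print("served serial over the next four rollovers:", weekly_serials(2018010708, now, 4))
    print("2018010708 is valid YYYYMMDDSS:", is_yyyymmddss(2018010708))
```

    For the thread's situation this gives signatures valid from Jan 11 to Feb 1, 2018, and a served serial of 2018011801 in place of the backend's 2018010708, rising to 2018012501, 2018020101 and so on at each Thursday rollover even though cPanel never touches the zone file. The signatures that were being served before a rollover stay valid for two more weeks, so a slave only has to notice the new serial (by NOTIFY or within its SOA refresh interval) inside that window to never serve an expired RRSIG; keep refresh and retry well under two weeks. Two caveats follow from the rules modelled here: PowerDNS formats the day in the master's local time, so a master not running on UTC can produce a serial for a different calendar day than the signatures' UTC inception, and a backend serial whose SS part is 98 or 99 would be incremented into the next day's range, which is why the documentation asks for SS below 98.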
  8. cPanelMichael (Technical Support Community Manager, Staff Member)

    Hello,

    Yes, you are welcome to make configuration changes to the /etc/pdns/pdns.conf file. Restarting the service after making the changes should enable them; however, keep in mind such changes are unsupported, so it's not something we can generally troubleshoot if it doesn't work as expected.

    Yes, that's the default SOA serial format utilized by cPanel. Additionally, you can always change the zone template if necessary:

    Edit Zone Templates - Version 70 Documentation - cPanel Documentation

    Thank you.
     
  9. SunnyInMTL (Member, cPanel Access Level: Root Administrator)

    Is there any way to modify the format of %serial%?

    For example, is it possible to keep the SS part (revision number) below 98?
     
  10. cPanelMichael (Technical Support Community Manager, Staff Member)

    Hello,

    It's not possible to modify the functionality of the template variables in the DNS zone templates. You'd need to develop a custom script that updates the values and configure it to run via a hook upon each DNS zone modification/addition.

    Thank you.
     