DNSSEC PowerDNS in cPanel with non-PowerDNS (and non-cPanel) slaves

SunnyInMTL

Member
Jan 3, 2018
8
0
1
Canada
cPanel Access Level
Root Administrator
Hello,

I have my master nameserver on a cPanel server with PowerDNS. I then transfer the zones via AXFR to the slave servers of a third-party service and everything is working well, except today I noticed that the RRSIG signatures expired and the domain name is not resolving anymore.

From the documentation: DNSSEC with PowerDNS:

"If your DNS setup uses non-PowerDNS slaves, the slaves need to know when the signatures have been updated. This can be accomplished by setting the SOA-EDIT metadata for DNSSEC signed zones. This value controls how the value of the SOA serial is modified by PowerDNS."
What would be the ideal way to achieve this with cPanel? Should I perhaps set up a CRON script to update the SOA serials every X days?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello,

DNSSEC is incompatible with DNS Clustering with PowerDNS as provided through cPanel. It's unsupported; however, there's a user-submitted workaround on the following feature request that appears to match what you are looking for:

DNSSEC support in Clustering

Thank you.
 

SunnyInMTL

Hi Michael,

The issue I mentioned is not related to NSEC3's narrow version. I had already set the narrow setting to 0 and got AXFR working with the slave servers.

This is another issue, related to the expiration of RRSIGs.

By manually updating the SOA serials, I got it fixed; however, having an automatic solution would be more ideal.

From the PowerDNS documentation:

As RRSIGs can expire, slave servers need to know when to re-transfer the zone. In most implementations (BIND, NSD), this is done by re-signing the full zone outside of the nameserver, increasing the SOA serial and serving the new zone on the master.
I suppose then the solution of having CRON update the SOA serials every X days is the most viable one.

Now I need to figure out the X and find out when RRSIGs expire.
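A check for the question above (when do the RRSIGs expire, and will the slaves have re-transferred before then). This is an added example, not code from the thread, from cPanel or from PowerDNS. The RRSIG lines are constructed, shaped like the records `dig +dnssec` prints, with placeholder key tag and signature fields; the 3-day warning margin is an assumption and should be set to at least the slaves' SOA refresh interval plus the time needed to bump the serial and let them transfer.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the RRSIG lines `dig +dnssec` prints; key tag
# and signature fields are placeholders, not values from a real zone.
SAMPLE_RRSIGS = """\
; owner      ttl  cls type  cov alg lbl ottl expiration     inception      keytag signer       sig
example.com. 3600 IN RRSIG A   13 2 3600 20180125000000 20180104000000 12345 example.com. c2lnMQ==
example.com. 3600 IN RRSIG SOA 13 2 3600 20180111000000 20171221000000 12345 example.com. c2lnMg==
example.com. 3600 IN RRSIG MX  13 2 3600 20180114000000 20171224000000 12345 example.com. c2lnMw==
example.com. 3600 IN RRSIG NS  13 2 3600 20180208000000 20180118000000 12345 example.com. c2lnNA==
"""


def parse_rrsig_time(field):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG presentation-format line into the fields we need."""
    parts = line.split()
    if len(parts) < 13 or parts[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": parts[0],
        "type_covered": parts[4],
        "expiration": parse_rrsig_time(parts[8]),
        "inception": parse_rrsig_time(parts[9]),
        "key_tag": int(parts[10]),
        "signer": parts[11],
    }


def classify(sig, now, warn_before):
    """Validators reject a signature outside [inception, expiration]; warn early,
    because a non-PowerDNS slave only picks up fresh RRSIGs at its next transfer."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn_before:
        return "at-risk"
    return "ok"


def check_rrsigs(text, now, warn_before=timedelta(days=3)):
    """Return one dict per RRSIG with its status and the time remaining.

    `now` may be a tz-aware datetime or a YYYYMMDDHHmmSS string (UTC).
    `warn_before` (assumed 3 days here) should cover the slaves' SOA refresh
    interval plus the time you need to bump the serial and re-transfer.
    """
    if isinstance(now, str):
        now = parse_rrsig_time(now)
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        sig = parse_rrsig(line)
        sig["status"] = classify(sig, now, warn_before)
        sig["remaining"] = sig["expiration"] - now
        results.append(sig)
    return results


def worst_status(results):
    """Single verdict for a monitoring check: the most severe status seen."""
    order = ["ok", "at-risk", "not-yet-valid", "expired"]
    return max((r["status"] for r in results), key=order.index, default="ok")


if __name__ == "__main__":
    for r in check_rrsigs(SAMPLE_RRSIGS, "20180112000000"):
        print(f"{r['owner']:<14} RRSIG({r['type_covered']:<3}) {r['status']:<13} "
              f"expires {r['expiration']:%Y-%m-%d %H:%M}Z in {r['remaining'].days:>3} d")
```

Run it against the output of `dig +dnssec <zone> <type> @<slave>` rather than against the master: the master (PowerDNS) re-signs on the fly, so the signatures that matter are the ones the slaves are actually serving.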
 

cPanelMichael

Hello,

Thank you for the additional information. Regarding the increase to the serial in the zone file, there's a post here you may find helpful if you need help with your custom script:

Bulk DNS Zone Update

Thank you.
 

SunnyInMTL

Hi Michael,

Thank you for the link to the bulk dns zone update script.

I was thinking, instead of using a Perl script and directly replacing the SOA serials in the *.db files, could I perhaps update the serials with API 2's ZoneEdit (cPanel API 2 Functions - ZoneEdit::edit_zone_record - Software Development Kit - cPanel Documentation)?

For example, I could edit a zone record (can be a fake one or an actual one) and simulate an update without actually modifying anything. This should also update the SOA serial. Would you recommend doing this?

To fetch all domain names, I could use WHM API1's listaccts (WHM API 1 Functions - listaccts - Software Development Kit - cPanel Documentation), then loop over each account's domains with UAPI's DomainInfo::list_domains (UAPI Functions - DomainInfo::list_domains - Software Development Kit - cPanel Documentation).

This method might not be good for performance as it will need to do many queries, but is it more reliable?
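The serial-bump logic itself, as an added example: it is not the thread's script, not cPanel's bulk-update script, and not what ZoneEdit does internally. It keeps cPanel's YYYYMMDDSS convention, guarantees the serial strictly increases (a BIND or NSD slave compares serials and will not transfer, and so keeps serving the stale RRSIGs, if the serial does not move), and rewrites the serial in a constructed cPanel-style zone file. The zone text, the names in it and the `prefix` argument (today's date as YYYYMMDD) are assumptions.

```python
import re
from datetime import date

# Constructed cPanel-style zone file (names and values are made up).
SAMPLE_ZONE = """\
$TTL 14400
example.com.    86400   IN  SOA ns1.example.com. hostmaster.example.com. (
                2018010708 ; serial
                3600       ; refresh
                1800       ; retry
                1209600    ; expire
                86400 )    ; minimum
example.com.    86400   IN  NS  ns1.example.com.
"""


def today_prefix(d=None):
    """YYYYMMDD as an int for the given date (default: today, local time)."""
    d = d or date.today()
    return int(d.strftime("%Y%m%d"))


def is_yyyymmddss(serial):
    """True if `serial` is a 10-digit YYYYMMDDSS value with a real calendar date."""
    s = str(serial)
    if len(s) != 10 or not s.isdigit():
        return False
    try:
        date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def next_serial(current, prefix):
    """Next serial: prefer <today>01, but never go backwards.

    Slaves decide whether to transfer by comparing serials, so the one hard
    rule is strictly increasing. If today's prefix is already in use (or the
    stored serial is ahead of it, e.g. 99 edits in one day rolled ...SS over
    into the 00 of an impossible date), just add one; the next day's <date>01
    overtakes it again.
    """
    candidate = prefix * 100 + 1
    return candidate if candidate > current else current + 1


def bump_soa_serial(zone_text, prefix):
    """Rewrite the SOA serial in place; handles the multi-line SOA cPanel writes.

    The serial is the third token after the SOA keyword (mname, rname, serial),
    ignoring '(' and ';' comments. Returns (new_text, old_serial, new_serial).
    """
    lines = zone_text.splitlines(keepends=True)
    seen_soa, after_soa = False, 0
    for i, line in enumerate(lines):
        code = line.split(";", 1)[0]          # drop the comment; offsets unchanged
        for m in re.finditer(r"\S+", code):
            tok = m.group()
            if not seen_soa:
                seen_soa = tok == "SOA"
                continue
            if tok == "(":
                continue
            after_soa += 1
            if after_soa == 3:
                old = int(tok)
                new = next_serial(old, prefix)
                lines[i] = line[:m.start()] + str(new) + line[m.end():]
                return "".join(lines), old, new
    raise ValueError("no SOA record found")


if __name__ == "__main__":
    text, old, new = bump_soa_serial(SAMPLE_ZONE, today_prefix())
    print(f"serial {old} -> {new} (YYYYMMDDSS: {is_yyyymmddss(new)})")
    print(text)
```

Whatever writes the new serial (this logic, or an API call that edits a record), the slaves only learn about it through NOTIFY or their SOA refresh; so the bump has to land before the oldest RRSIG the slaves hold reaches its expiration minus that refresh interval.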
 

cPanelMichael

Hello,

Yes, I do recommend using our API for this purpose if possible. It might take a little more development work, but the use of our API is generally preferred over custom bash commands.

Thank you.
 

SunnyInMTL

After more research, I don't think I will need to automatically update the SOA serials.

PowerDNS has a native feature called SOA-EDIT (Domain Metadata) that allows it to serve a modified SOA serial to DNS queries while keeping the SOA serial intact in the datastore.

If I configure default-soa-edit-signed (List of Settings) in /etc/pdns/pdns.conf, will cPanel be able to work with it?

Code:
default-soa-edit-signed=INCEPTION-INCREMENT
It mentions that inception-increment "requires your backend zone to use YYYYMMDDSS as SOA serial format. Uses localtime to find the day for inception time."

Is YYYYMMDDSS the default SOA serial format of cPanel? My current SOA serial is set to 2018010708, so I think it is indeed following the required format.

I will try to test it; I modified pdns.conf and restarted the DNS server; time to wait for RRSIGs to expire.
 

cPanelMichael

Hello,

Yes, you are welcome to make configuration changes to the /etc/pdns/pdns.conf file. Restarting the service after making the changes should enable them; however, keep in mind such changes are unsupported, so it's not something we can generally troubleshoot if it doesn't work as expected.

Is YYYYMMDDSS the default SOA serial format of cPanel? My current SOA serial is set to 2018010708, so I think it is indeed following the required format.
Yes, that's the default SOA serial format utilized by cPanel. Additionally, you can always change the zone template if necessary:

Edit Zone Templates - Version 70 Documentation - cPanel Documentation

Thank you.
 

cPanelMichael

Hello,

It's not possible to modify the functionality of the template variables in the DNS zone templates. You'd need to develop a custom script that updates the values and configure it to run via a hook upon each DNS zone modification/addition.

Thank you.