Where In God's Name Is The DNSSEC?

Operating System & Version
Cloudlinux, RHEL and CentOS
cPanel & WHM Version
86

MajorLancelot

Well-Known Member
Dec 17, 2014
58
5
133
Shinjuku-ku, Tokyo, Japan
cPanel Access Level
Root Administrator
This document (https://docs.cpanel.net/cpanel/domains/zone-editor/86/) says that "in the Zone Editor interface, click DNSSEC in a domain’s row to display the DNSSEC interface."

We are running the latest cPanel 86 on all servers, have Manage DNSSEC enabled but there is nothing remotely resembling DNSSEC on cPanel.

Not even using the search field.

Is there anything else that need to be done to make this visible?
 

furquan

Well-Known Member
Jul 27, 2002
473
4
168
May be this thread will help :-

 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
@furquan please ensure that you're actually posting relevant information. I realize it's easy to be led astray by older forums threads and I'll update it to reflect the current state of things. That thread is pretty old and a lot has changed there.

WE DO support clustering with DNSSEC as per our *OFFICIAL* documentation which can be found here:

You can also read the announcement on our blog:



@MajorLancelot are you running bind or PowerDNS? Right now DNSSEC is only available when using Power DNS.
 

PenguinInternet

Well-Known Member
PartnerNOC
Jun 20, 2007
190
23
68
Cardiff, UK
cPanel Access Level
DataCenter Provider
Twitter
This is because you also need to install PowerDNS on the web server as well as each of the DNSOnly servers as it needs the powerdns tools on the web server in order to write the dnssec keys to the DNS only servers. Without this being installed locally, the option will not appear in the zone editor.

Personally I really dislike this limitation - I don't want a DNS server running unnecessarily on each of my web servers and would like to see a solution from cPanel where the tools are installed without the DNS server having to be active and so continue to support a true clustering setup with full functionality.
 
  • Like
Reactions: cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
This is because you also need to install PowerDNS on the web server as well as each of the DNSOnly servers as it needs the powerdns tools on the web server in order to write the dnssec keys to the DNS only servers. Without this being installed locally, the option will not appear in the zone editor.
Correct, the web server also needs it and for this specific reason. Thanks!

Personally I really dislike this limitation - I don't want a DNS server running unnecessarily on each of my web servers and would like to see a solution from cPanel where the tools are installed without the DNS server having to be active and so continue to support a true clustering setup with full functionality.
Actually, we don't really like it either but it was a necessity for DNSSEC support. In a perfect iteration of this you would not need to be running a nameserver on the webserver at all. Until that gets worked out though (if it does get changed) you've got to have PowerDNS on every single server in the cluster,
 
  • Like
Reactions: Jay3570

PenguinInternet

Well-Known Member
PartnerNOC
Jun 20, 2007
190
23
68
Cardiff, UK
cPanel Access Level
DataCenter Provider
Twitter
Actually, we don't really like it either but it was a necessity for DNSSEC support. In a perfect iteration of this you would not need to be running a nameserver on the webserver at all. Until that gets worked out though (if it does get changed) you've got to have PowerDNS on every single server in the cluster,
So is this something that is being actively planned or does it need a feature request? I'd personally hope that this is in planning already to provide a better implementation.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
So is this something that is being actively planned or does it need a feature request? I'd personally hope that this is in planning already to provide a better implementation.
Totally something being looked at, there is an improvement case open already as well: CPANEL-30161. I've also linked this thread to the internal case.
 

MajorLancelot

Well-Known Member
Dec 17, 2014
58
5
133
Shinjuku-ku, Tokyo, Japan
cPanel Access Level
Root Administrator
Thanks PenguinINTERNET for pointing out this work-around.

And thanks Lauren for confirming it.

I've been able to confirm that this solution worked as the DNSSEC otion appeared once it was enabled.

We certainly do not want to enable name-server on these web servers and would to keep these disabled once the issue has been resolved.

The thing Lauren is that when cPanel sends an update regarding an open case that has been resolved, there is no description explaining what is for nor what version of cPanel it is for.

This put one in a situation where you start trying to remember which support case you opened or forum discussion that triggered the notifcation.

Wouldn't there a better way of getting this information to all stake-holders when a case such CPANEL-30161 has been resolved?

Shouldn't there be one place (beyond the changelog) where one can plug in a case number and see what the case is all about?

Thanks all.