Where In God's Name Is The DNSSEC?

[MajorLancelot]

This document (https://docs.cpanel.net/cpanel/domains/zone-editor/86/) says that "in the Zone Editor interface, click DNSSEC in a domain’s row to display the DNSSEC interface."

We are running the latest cPanel 86 on all servers, have Manage DNSSEC enabled but there is nothing remotely resembling DNSSEC on cPanel.

Not even using the search field.

Is there anything else that need to be done to make this visible?

 

[furquan]

May be this thread will help :-

Enabling DNSSec

Hi @cPanelMichael , Can you explain me why I cannot see the DNSSEC feature on my Zone Editor? I run latest version of cpanel here. image.prntscr.com/image/SQHylRjAQ0_MxCT3c7ak7Q.png Best, Cosmin

forums.cpanel.net

 

[MajorLancelot]

May be this thread will help :-

That's awfully sad.
Been looking foward to this feature and wonder why the fact that clustering is not supported was never mentioned on the documentation provided.
Thanks, Furquan for pointing me to the right direction.

 

[cPanelLauren]

@furquan please ensure that you're actually posting relevant information. I realize it's easy to be led astray by older forums threads and I'll update it to reflect the current state of things. That thread is pretty old and a lot has changed there.

WE DO support clustering with DNSSEC as per our *OFFICIAL* documentation which can be found here:

DNSSEC | cPanel & WHM Documentation

DNSSEC adds a layer of security to your domains' DNS records.

docs.cpanel.net

You can also read the announcement on our blog:

DNSSEC Clustering Now Available with PowerDNS | cPanel Blog

In the event you missed it, we published a blog post back in December of 2018, announcing the deprecation of MyDNS and NSD. Now that PowerDNS has been the choice DNS Management tool of cPanel & WHM for several versions, the request for DNSSEC (Domain Name System Security Extensions) clustering...

blog.cpanel.com

@MajorLancelot are you running bind or PowerDNS? Right now DNSSEC is only available when using Power DNS.

 

[MajorLancelot]

@MajorLancelot are you running bind or PowerDNS? Right now DNSSEC is only available when using Power DNS.

Thanks for pitching in, Lauren.

We are running PowerDNS on the 2 DNS clusters but the same result.

The result being that there is no such feature in cPanel on all the servers on both clusters.

Thanks.

 

[PenguinInternet]

This is because you also need to install PowerDNS on the web server as well as each of the DNSOnly servers as it needs the powerdns tools on the web server in order to write the dnssec keys to the DNS only servers. Without this being installed locally, the option will not appear in the zone editor.

Personally I really dislike this limitation - I don't want a DNS server running unnecessarily on each of my web servers and would like to see a solution from cPanel where the tools are installed without the DNS server having to be active and so continue to support a true clustering setup with full functionality.

 

[cPanelLauren]

This is because you also need to install PowerDNS on the web server as well as each of the DNSOnly servers as it needs the powerdns tools on the web server in order to write the dnssec keys to the DNS only servers. Without this being installed locally, the option will not appear in the zone editor.

Correct, the web server also needs it and for this specific reason. Thanks!

Personally I really dislike this limitation - I don't want a DNS server running unnecessarily on each of my web servers and would like to see a solution from cPanel where the tools are installed without the DNS server having to be active and so continue to support a true clustering setup with full functionality.

Actually, we don't really like it either but it was a necessity for DNSSEC support. In a perfect iteration of this you would not need to be running a nameserver on the webserver at all. Until that gets worked out though (if it does get changed) you've got to have PowerDNS on every single server in the cluster,

 

[PenguinInternet]

Actually, we don't really like it either but it was a necessity for DNSSEC support. In a perfect iteration of this you would not need to be running a nameserver on the webserver at all. Until that gets worked out though (if it does get changed) you've got to have PowerDNS on every single server in the cluster,

So is this something that is being actively planned or does it need a feature request? I'd personally hope that this is in planning already to provide a better implementation.

 

[cPanelLauren]

So is this something that is being actively planned or does it need a feature request? I'd personally hope that this is in planning already to provide a better implementation.

Totally something being looked at, there is an improvement case open already as well: CPANEL-30161. I've also linked this thread to the internal case.

 

[MajorLancelot]

Thanks PenguinINTERNET for pointing out this work-around.

And thanks Lauren for confirming it.

I've been able to confirm that this solution worked as the DNSSEC otion appeared once it was enabled.

We certainly do not want to enable name-server on these web servers and would to keep these disabled once the issue has been resolved.

The thing Lauren is that when cPanel sends an update regarding an open case that has been resolved, there is no description explaining what is for nor what version of cPanel it is for.

This put one in a situation where you start trying to remember which support case you opened or forum discussion that triggered the notifcation.

Wouldn't there a better way of getting this information to all stake-holders when a case such CPANEL-30161 has been resolved?

Shouldn't there be one place (beyond the changelog) where one can plug in a case number and see what the case is all about?

Thanks all.