
DNSSEC PowerDNS in cPanel with non-PowerDNS (and non-cPanel) slaves

Comments

9 comments

  • cPanelMichael
    Hello, DNSSEC is incompatible with DNS Clustering with PowerDNS as provided through cPanel. It's unsupported; however, there's a user-submitted workaround on the following feature request that appears to match what you are looking for: DNSSEC support in Clustering. Thank you.
  • SunnyInMTL
    Hi Michael, the issue I mentioned is not related to NSEC3's narrow version. I had already set the narrow setting to 0 and got AXFR working with the slave servers. This is another issue, related to the expiration of RRSIGs. By manually updating the SOA serials, I got it fixed; however, having an automatic solution would be more ideal. From the PowerDNS documentation: "As RRSIGs can expire, slave servers need to know when to re-transfer the zone. In most implementations (BIND, NSD), this is done by re-signing the full zone outside of the nameserver, increasing the SOA serial and serving the new zone on the master." I suppose then the solution of having cron update the SOA serials every X days is the most viable one. Now I need to figure out the X and find out when RRSIGs expire.
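The poster's open question is when the RRSIGs expire, so that the re-transfer interval X can be chosen. The following is an added example, not code from the thread, cPanel or PowerDNS: it parses RRSIG records as printed by `dig +dnssec` (presentation format per RFC 4034 section 3.2), reports the earliest expiration, lists signatures that are outside their validity window at a given time, and computes how many days remain before the slaves must hold a re-signed copy. The sample records, zone names, key tag and signature bytes are constructed placeholders, and the two-day safety margin is an assumption. Since PowerDNS signs on the fly, the copy that goes stale is the one on the slaves, so this should be run against each slave's answers, not the master's.

```python
"""Find when a signed zone's RRSIGs expire and how long slaves have to re-transfer.

Added example, not code from the thread, cPanel or PowerDNS.  The RRSIG
lines are constructed in `dig +dnssec` presentation format; zone names,
key tags and signature bytes are placeholders.  Standard library only.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample answer section (e.g. from a slave); the base64 signatures are dummies.
SAMPLE_RRSIGS = """\
example.com.      3600 IN RRSIG SOA 8 2 3600 20180121000000 20180107000000 12345 example.com. QUJDREVG
example.com.      3600 IN RRSIG NS  8 2 3600 20180118120000 20180104120000 12345 example.com. R0hJSktM
www.example.com.  3600 IN RRSIG A   8 3 3600 20180125000000 20180111000000 12345 example.com. TU5PUFFS
"""


def parse_sig_time(field: str) -> datetime:
    """RFC 4034 s3.2: YYYYMMDDHHmmSS in UTC, or plain seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG record in presentation format.

    RDATA order after the RRSIG token: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature.
    """
    fields = line.split()
    try:
        idx = fields.index("RRSIG")
    except ValueError:
        raise ValueError(f"not an RRSIG record: {line!r}") from None
    covered, alg, labels, orig_ttl, exp, inc, key_tag, signer = fields[idx + 1:idx + 9]
    return {
        "owner": fields[0],
        "type_covered": covered,
        "algorithm": int(alg),
        "expiration": parse_sig_time(exp),
        "inception": parse_sig_time(inc),
        "key_tag": int(key_tag),
        "signer": signer,
    }


def parse_all(text: str) -> list:
    """All RRSIG records found in a block of dig output."""
    return [parse_rrsig(line) for line in text.splitlines() if " RRSIG " in line]


def earliest_expiration(text: str) -> str:
    """ISO timestamp of the first RRSIG to expire: the hard deadline for a re-transfer."""
    sigs = parse_all(text)
    if not sigs:
        raise ValueError("no RRSIG records found")
    return min(s["expiration"] for s in sigs).isoformat()


def invalid_signatures(text: str, now_iso: str) -> list:
    """(owner, type) pairs whose RRSIG is outside its validity window at `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    return [(s["owner"], s["type_covered"]) for s in parse_all(text)
            if not (s["inception"] <= now < s["expiration"])]


def days_until_refresh(text: str, now_iso: str, margin_days: float = 2.0) -> float:
    """Days left before the slaves must already hold re-signed data.

    Keeps a safety margin (assumed 2 days) ahead of the earliest expiration;
    a negative result means you are inside the margin or already expired.
    """
    now = datetime.fromisoformat(now_iso)
    deadline = datetime.fromisoformat(earliest_expiration(text)) - timedelta(days=margin_days)
    return (deadline - now).total_seconds() / 86400


if __name__ == "__main__":
    print("earliest expiration:", earliest_expiration(SAMPLE_RRSIGS))
    print("days until refresh:", days_until_refresh(SAMPLE_RRSIGS, "2018-01-10T00:00:00+00:00"))
    print("invalid now:", invalid_signatures(SAMPLE_RRSIGS, "2018-01-20T00:00:00+00:00"))
```

The cron interval X should be shorter than `days_until_refresh` gives for a freshly transferred zone; the margin exists so that a missed NOTIFY or a slow AXFR does not leave a slave serving expired signatures, which validating resolvers treat as bogus.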
  • cPanelMichael
    Hello, Thank you for the additional information. Regarding the increase to the serial in the zone file, there's a post here you may find helpful if you need help with your custom script. Thank you.
  • SunnyInMTL
    Hi Michael, Thank you for the link to the bulk DNS zone update script. I was thinking, instead of using a Perl script and directly replacing the SOA serials in the *.db files, could I perhaps update the serials with API2's ZoneEdit (cPanel API 2 Functions - ZoneEdit::edit_zone_record - Software Development Kit - cPanel Documentation)? For example, I could edit a zone record (a fake one or an actual one) and simulate an update without actually modifying anything. This should also update the SOA serial. Would you recommend doing this? To fetch all domain names, I could use WHM API 1's listaccts (WHM API 1 Functions - listaccts - Software Development Kit - cPanel Documentation), then loop over each account's domains with UAPI's DomainInfo::list_domains (UAPI Functions - DomainInfo::list_domains - Software Development Kit - cPanel Documentation). This method might not be good for performance, as it will need to do many queries, but is it more reliable?
  • cPanelMichael
    Hello, Yes, I do recommend using our API for this purpose if possible. It might take a little more development work, but the use of our API is generally preferred over custom Bash commands. Thank you.
  • SunnyInMTL
    After more research, I don't think I will need to automatically update the SOA serials. PowerDNS has a native feature called SOA-EDIT (List of Settings) in /etc/pdns/pdns.conf; will cPanel be able to work with it?
    default-soa-edit-signed=INCEPTION-INCREMENT
    It mentions that INCEPTION-INCREMENT "requires your backend zone to use YYYYMMDDSS as SOA serial format. Uses localtime to find the day for inception time." Is YYYYMMDDSS the default SOA serial format of cPanel? My current SOA serial is set to 2018010708, so I think it is indeed following the required format. I will try to test it; I modified pdns.conf and restarted the DNS server; time to wait for the RRSIGs to expire.
  • cPanelMichael
    Hello, Yes, you are welcome to make configuration changes to the /etc/pdns/pdns.conf file. Restarting the service after making the changes should enable them; however, keep in mind that such changes are unsupported, so it's not something we can generally troubleshoot if it doesn't work as expected.
    Is YYYYMMDDSS the default SOA serial format of cPanel? My current SOA serial is set to 2018010708, so I think it is indeed following the required format.

    Yes, that's the default SOA serial format utilized by cPanel. Additionally, you can always change the zone template if necessary: Edit Zone Templates - Version 70 Documentation - cPanel Documentation. Thank you.
  • SunnyInMTL
    Is there any way to modify the format of %serial%? For example, is it possible to keep the SS part (revision number) below 98?
  • cPanelMichael
    Hello, It's not possible to modify the functionality of the template variables in the DNS zone templates. You'd need to develop a custom script that updates the values and configure it to run via a hook upon each DNS zone modification/addition. Thank you.
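cPanelMichael's last answer points at a custom script, run from a hook, to control the serial. The following is an added example of such a script's core logic, not code from the thread, cPanel or PowerDNS, and it is my own serial policy rather than a re-implementation of PowerDNS's SOA-EDIT INCEPTION-INCREMENT. It computes the next YYYYMMDDSS serial (first edit of a day gives YYYYMMDD01, later edits the same day add one to SS), refuses to go past a per-day cap on SS (98, taken from the poster's question and an assumption about what is wanted), verifies with RFC 1982 serial arithmetic that slaves will see the new value as newer, and rewrites the serial in a constructed cPanel-style zone fragment. Names and values in the fragment are placeholders.

```python
"""Bump a zone's SOA serial in cPanel's YYYYMMDDSS format.

Added example, not code from the thread, cPanel or PowerDNS, and not a
re-implementation of PowerDNS's SOA-EDIT INCEPTION-INCREMENT.  The cap
of 98 on the SS (revision) part follows the question in the thread and
is an assumption; the zone text below is constructed.
"""
import re
from datetime import date

MAX_REVISION = 98  # highest SS allowed on one day (assumption from the thread)

# Constructed cPanel-style zone fragment; names and values are placeholders.
SAMPLE_ZONE = """\
$TTL 14400
example.com.    86400   IN      SOA     ns1.example.com. hostmaster.example.com. (
                                2018010708      ; serial, todays date+todays
                                3600            ; refresh, seconds
                                1800            ; retry, seconds
                                1209600         ; expire, seconds
                                86400 )         ; minimum, seconds
example.com.    86400   IN      NS      ns1.example.com.
"""

# Group 1: everything from " SOA" through the optional "(" up to the serial.
# Group 2: the serial itself.  Works for one-line and parenthesised SOA records.
_SOA_SERIAL = re.compile(r"(\sSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: will a slave treat serial `a` as newer than `b`?"""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a > b and a - b < 2**31) or (a < b and b - a > 2**31)


def next_serial(current: int, today: str, cap: int = MAX_REVISION) -> int:
    """Next YYYYMMDDSS serial for an edit made on `today` (ISO date string)."""
    day_base = int(date.fromisoformat(today).strftime("%Y%m%d")) * 100
    if current < day_base:
        new = day_base + 1            # first edit of the day -> YYYYMMDD01
    elif current < day_base + cap:
        new = current + 1             # same day -> SS + 1, still under the cap
    elif current < day_base + 100:
        raise ValueError(f"serial {current}: revision part already at cap {cap} for {today}")
    else:
        new = current + 1             # serial is ahead of today's date; never go backwards
    if not serial_gt(new, current):
        raise ValueError(f"{new} would not be seen as newer than {current}")
    return new


def current_serial(zone_text: str) -> int:
    """Read the SOA serial out of zone-file text."""
    m = _SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    return int(m.group(2))


def bump_zone_serial(zone_text: str, today: str):
    """Return (zone text with the SOA serial replaced, new serial)."""
    new = next_serial(current_serial(zone_text), today)
    return _SOA_SERIAL.sub(lambda m: m.group(1) + str(new), zone_text, count=1), new


if __name__ == "__main__":
    text, new = bump_zone_serial(SAMPLE_ZONE, "2018-01-09")
    print("new serial:", new)
    print(text)
```

If the cPanel API route from earlier in the thread is taken, only `next_serial` is needed: compute the value, then write it through the API rather than editing the *.db file. Failing loudly when the day's revisions are exhausted is deliberate; silently wrapping SS to 00 or spilling into the date field would produce a serial that slaves may not consider newer.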
