DNSSEC with BIND
I am looking to see if there was ever a change to the decision to ignore BIND regarding DNSSEC. It would be an extremely welcome change.
Hello @SeqLogic, right now DNSSEC is only available with PowerDNS. The feature request for DNSSEC with BIND is still open, though, and can be found here: DNSSEC with BIND
I too would be interested to know why DNSSEC is implemented for PowerDNS but not for BIND. This is a real bummer.
Hi @Metro2, we did prototype DNSSEC w/BIND at one point, but due to concerns with performance, as well as mitigation of potential issues that could arise when utilizing DNSSEC w/BIND, we decided at the time the better choice was to use pdns. After testing with pdns we found that pdns is well supported with better performance and maintenance and, as such, we felt it was a better choice. Currently, we do still use a BIND backend for pdns - what is the reason you feel like straight BIND w/DNSSEC is a better choice for you?
Hi @Metro2 Currently, we do still use a BIND backend for pdns - what is the reason you feel like straight BIND w/DNSSEC is a better choice for you?
I can't say it would be a "better" choice, but I can give some reasons why I'm concerned and hesitant to switch to PDNS:
1. The innate "fear" of changing from something that has worked for years to something new. This fear may not seem justified, but almost every time a delicate part of the server / system has changed in the past, it has meant issues / support tickets / problems for customers / time / money involved to resolve.
2. I run servers in WHM DNS Cluster, and two of them are basically "master" servers both with the Role set to "Synchronize Changes" and use my own DNS / nameservers, so it makes me wonder if toggling from BIND to PowerDNS in WHM on one of the main servers in the Cluster will have an adverse effect on the other main server in the Cluster.
3. The part where PDNS says "Does not provide a recursive (caching) nameserver" makes me wonder how it will affect my RDNS (Reverse DNS) lookup entries for hostnames and IPs that are set with my data center.
4. I have read somewhere that there's no UI for handling DNS with PDNS like there is with BIND. (That information is probably outdated, possibly?). If I would still be able to handle DNS tasks from within the same UI in WHM the way that I do now in WHM > Home > DNS Functions with all of the tools that are currently there after switching from BIND to PDNS, then that would take this concern off the table.
5. I worry too much? ;-)
In the end it looks like I'll be forced to make the switch, because I need DNSSEC (doesn't everyone) and I cannot currently have it because I use WHM DNS Clustering, and it looks pretty obvious that cPanel plans to roll out DNSSEC support for Clustered servers only with PDNS and not with BIND. Maybe you could put some of my concerns to rest? :) Thanks as always for being part of the great responsive team here on the forums!
Hi @Metro2
1. The innate "fear" of changing from something that has worked for years to something new. This fear may not seem justified, but almost every time a delicate part of the server / system has changed in the past, it has meant issues / support tickets / problems for customers / time / money involved to resolve.
I understand this. Changing things sometimes feels like an "if it ain't broke don't fix it" sort of situation, and when you do you're sometimes left with some cleanup, but change can be good, especially in the instance where the payout is better performance, security and support.
2. I run servers in WHM DNS Cluster, and two of them are basically "master" servers both with the Role set to "Synchronize Changes" and use my own DNS / nameservers, so it makes me wonder if toggling from BIND to PowerDNS in WHM on one of the main servers in the Cluster will have an adverse effect on the other main server in the Cluster.
As far as I am aware (and having set up a few pdns clusters), the method in which the roles work shouldn't be changed at all, including an instance in which some servers are using different nameservers. Remember, this is still going to be using a BIND backend, so the zone files themselves are all going to be there and in the same place with the same purpose.
3. The part where PDNS says "Does not provide a recursive (caching) nameserver" makes me wonder how it will affect my RDNS (Reverse DNS) lookup entries for hostnames and IPs that are set with my data center.
This doesn't have anything to do with rDNS actually, and while BIND supports recursion, we disable it by default, which is the purpose of the DNS resolvers (resolv.conf) - in this aspect it's functioning identically to the way that BIND is currently configured when using straight BIND.
4. I have read somewhere that there's no UI for handling DNS with PDNS like there is with BIND. (That information is probably outdated, possibly?). If I would still be able to handle DNS tasks from within the same UI in WHM the way that I do now in WHM > Home > DNS Functions with all of the tools that are currently there after switching from BIND to PDNS, then that would take this concern off the table.
I'm not sure I understand what you mean in this aspect; we don't support a separate UI for BIND. What I think maybe you're referencing is the Edit DNS Zone UI in WHM or the Zone Editor UI in cPanel, and these are absolutely not specific to the nameserver you're running; they're present for any selection you utilize.
5. I worry too much? ;-)
It's completely understandable, especially with things that are so important!
Maybe you could put some of my concerns to rest? :)
I hope I've done this, but if you still have some that I can assist with, let me know and I'll get you the information I can!
Thanks as always for being part of the great responsive team here on the forums!
I'm glad to be and glad to be able to help!!
Hi @Metro2 I hope I've done this but if you still have some that I can assist with let me know and I'll get you the information I can!
You have definitely put most concerns to rest, thank you! I think I'll take the plunge and switch from BIND to PDNS in WHM over the weekend (unless it requires a server reboot). Thank you!
Hi @Metro2, I'm glad to hear it! If you have any troubles, questions or concerns, please let us know! Also keep in mind that right now we still don't have the capability to support DNSSEC with Clustering, though we are working on it in hopes for it to be ready for v84 of cPanel/WHM.
Let's get all our customers' sites hijacked because we're too lazy to add industry standard security features. But we'll raise our prices even though we're only completing projects our big customers like GoDaddy want. cPanel has turned into a joke. I can't count on my fingers and toes that Benny has said on the feature request board "That's too hard".... If EVERY FEATURE we ask for is "too hard" then why do you deserve another dime? Instead you wait til the last second (CAA Records) to add them, rush to get it done, and wind up adding a buggy implementation with no documentation at release. In the process of moving away to another panel. - Removed -
After 5 years - Did you add DNSSEC support for BIND?
studiofaca - no, we still require PowerDNS to use DNSSEC on cPanel machines.