BWG-3537 - No DNSSEC on cPanel subdomains

Comments

22 comments

  • cPRex Jurassic Moderator
    Hey there! Did the subdomains have a unique zone file from the parent domain? As in, did sub.domain.com have a separate zone file than domain.com? If so, we have an article on how to make sure those get set up with DNSSEC here: Let me know if that isn't exactly what you were experiencing and I can try and get you more applicable information.
    0
  • DennisMidjord
    Did the subdomains have a unique zone file from the parent domain?

    Yeah, they do. Is there any way to not have this done? It seems that cPanel does this automatically when we set up the server. Edit: Oh, I actually see that it's apparently only one server that has its own zone (server1.example.com). We have a lot of other servers where this is not the case. How come?
    0
  • DennisMidjord
    Alright, I might need a bit more of your help, @cPRex. Our name servers are on the same domain as our "main" domain (example.com). These are called ns1.example.com, ns2.example.com and ns3.example.com. How would we define DS keys for those? Wouldn't it cause loops if we defined NS records for ns1, ns2 and ns3 in the example.com zone and pointed them to... well, ns1, ns2 and ns3? Couldn't we just remove the zones for ns1, ns2 and ns3? A and AAAA records are defined for these in the example.com zone. I tried to define DS records in the example.com zone, but I couldn't select anything but 1-Sha-1 as digest type, no matter what algorithm I chose.
    0
  • cPRex Jurassic Moderator
    Yes, I always recommend removing zone files that are just for the nameservers and managing everything through the main "domain.com" zone. Can you get me more details on the digest type issue so I can test that?
    0
  • DennisMidjord
    Yes, I always recommend removing zone files that are just for the nameservers and managing everything through the main "domain.com" zone.

    Alright, I'll work on that tomorrow. Thanks! What's the reason that some servers have their own zone file created (e.g. our server1.example.com and ns1, ns2 and ns3)?
    Can you get me more details on the digest type issue so I can test that?

    Yes, sure. See this gif:
    0
  • cPRex Jurassic Moderator
    For the nameserver question, let's use ns1.domain.com as an example. If you have this nameserver set up in WHM, but you have not created domain.com on the system yet, clicking the "Configure address records" button in the WHM >> Basic WebHost Manager Setup page will create the ns1.domain.com zone files. This allows them to resolve in DNS even without the main domain.com zone existing.

    Videos and screenshots? All the time. But this is my first gif in many years of support :D

    The DS record gets based off the DNSSEC key that was originally created, so it's possible that is the only digest available for your particular key.
    0
  • DennisMidjord
    The DS record gets based off the DNSSEC key that was originally created, so it's possible that is the only digest available for your particular key.

    I'm just generating everything through cPanel. I went to the server1.example.com DNSSEC management interface, created the keys. Then I went to example.com zone, set NS records for server1 to point to ns1.example.com, ns2.example.com and ns3.example.com. After this, I tried creating the DS keys - but I couldn't choose the right algorithm. I'm still having that issue. I'm also not able to see any of the existing DS records for our root domain (example.com) through WHM > Zone Manager. When looking in the DNS zone file on our name server, I see that the DS records are configured like this:
    example.com. 86400 IN TYPE257 \# 17
    example.com. 86400 IN TYPE257 \# 19
    If I create a new DS record, it's appearing as DS instead of TYPE257.
    0
  • cPRex Jurassic Moderator
    Alrighty - I see where my confusion was. You were looking in WHM and I was looking in cPanel. I also only see one digest option on my end so I'm looking into this now and I'll update you soon.
    0
  • cPRex Jurassic Moderator
    I also am only seeing one option on the dropdown when I do my testing. I'm going to speak with our developers on this to see if they can get me more details on how that is supposed to work, or if this is an issue with the interface. It might be a bit before I hear back, but I'll mark this ticket as "In Progress" so I don't miss it. I'll update it as soon as I get a reply, but it might be a few days, especially with the weekend coming up. It's also worth noting that you can still see the automatically-created DS records within the DNSKEYS area of the Zone Editor in cPanel, so if you need to copy those over to your registrar you can.
    0
  • SimpleTechGuy
    Hi, resurrecting this old post. I was going through the server and rotating keys and realized that I ran into this problem a long time ago and just decided not to fix it, but now I really want to get dnssec working properly. Pretty much exactly the same issue here. Just wondering if this was solved or if there is a workaround. Basically my whm was set to server.example.com and whmcs runs on example.com. Need to set up dnssec for server.example.com but trying to add ds record to example.com for server.example.com I need to use algorithm 13 and sha-256 digest type but it's not available. Thanks!
    0
  • cPRex Jurassic Moderator
    @SimpleTechGuy - in one of my earlier replies, I linked this article:
    0
  • SimpleTechGuy
    Hi @cPRex thanks for following up. The problem is that when you follow those steps you run into this problem where not all of the options are available in the zone manager when adding the DS record. I need to use algorithm 13 and Digest Type sha-256 (algorithm 2). Here is a gif posted by @DennisMidjord:
    0
  • cPRex Jurassic Moderator
    Thanks for that clarification. I've reached out to the DNS team and I'll let you know what they say when I hear back. This one will likely be a few days.
    0
  • SimpleTechGuy
    Thanks for that clarification. I've reached out to the DNS team and I'll let you know what they say when I hear back. This one will likely be a few days.

    Thanks! I'll follow up in a few days. Really appreciate the help here.
    0
  • cPRex Jurassic Moderator
    Sure thing!
    0
  • cPRex Jurassic Moderator
    Update - I'm hoping to hear back today about this one.
    0
  • cPRex Jurassic Moderator
    Alright, our team has opened an internal case with the developers to see what all we need to do to make this happen on our end. I'll continue to post updates as I get them.
    0
  • SimpleTechGuy
    Excellent, thanks so much for keeping active on this. Hoping it's an easy fix!
    0
  • SimpleTechGuy
    Hi, just following up. Do you think this is something that might be figured out soon, or should I start trying to find another solution?
    0
  • cPRex Jurassic Moderator
    I do see they are talking about various options in the case, but no official fix has been decided yet and it hasn't been assigned to a specific cPanel version just yet. But there's been some progress for sure. I'll be sure to post once I know more!
    0
  • SimpleTechGuy
    Hi, just following up here, wondering if there is anything else I can do to help out or if there was any progress made! Thanks
    0
  • cPRex Jurassic Moderator
    I have some progress, yes! As a result of the internal discussions our team created case BWG-3537 and we are hoping to have this included in version 110, when that is released.
    0
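
The thread turns on publishing a DS record with algorithm 13 and digest type 2 (SHA-256) in the parent zone. As an added example (not from the thread and not cPanel's code), this sketch derives the DS fields from a DNSKEY following RFC 4034 and RFC 4509, producing both digest type 1 and type 2 from the same key. The owner name `server1.example.com` comes from the thread; the 64-byte public key is constructed placeholder data, not a real key.

```python
import hashlib

# DS digest types from RFC 4034 (1 = SHA-1) and RFC 4509 (2 = SHA-256)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type):
    """Return the DS record (presentation form) for the parent zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    # The digest covers the owner name in wire form followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (f"{owner.rstrip('.')}. IN DS "
            f"{key_tag(rdata)} {algorithm} {digest_type} {digest}")

# Constructed placeholder: 64 bytes, the length of an algorithm 13 public key.
CONSTRUCTED_PUBKEY = bytes(range(64))

if __name__ == "__main__":
    for digest_type in (1, 2):
        print(make_ds("server1.example.com", 257, 3, 13,
                      CONSTRUCTED_PUBKEY, digest_type))
```

The algorithm field of a DS record is copied from the DNSKEY, while the digest type is selected separately when the DS is generated.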