DNSSEC is not working
I, by the love of god, cannot get DNSSEC to work properly.
I'm not using a cluster, and I'm using PowerDNS.
I go to the domain. Generate the keys. I go to the registrar, I paste the keys and info. And boom, it's not working, DNSSEC for the domain never activates.
I have tried with all the forms of keys cPanel can generate, the most recommended, the most secure. All of them give the exact same result.
If I use dig and query my cPanel server, I get SERVFAIL every time, for example:
➜ ~ dig @myCpanelIP my-test-domain.com DNSKEY
; <<>> DiG 9.10.6 <<>> @myCpanelIP my-test-domain.com DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63226
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;my-test-domain.com. IN DNSKEY
;; Query time: 126 msec
;; SERVER: mycpanelip9#53(mycpanelip)
;; WHEN: Mon Oct 07 22:49:05 CEST 2024
;; MSG SIZE rcvd: 38
Does anybody have a clue as to what could be wrong? I have spent the good side of 2 days on this now and I'm out of ideas.
Maybe dns propagation issue? Have you cleared out your dns cache on your local browser / computer / firewall / router etc?
Have you tried testing the site with Verisign Labs or MXToolbox?
https://dnssec-analyzer.verisignlabs.com/
https://mxtoolbox.com/DNSKey.aspx
Unfortunately not a propagation issue. I have tested with all the tools, they all fail with the DNSSEC. The domain doesn't even resolve after I added the keys to the registrar.
Sadly it's been a long time since I set this up. I don't remember exactly what I did, but do remember it being a pain in the butt. I think it might have had something to do with using the KSK key instead of the ZSK key.
Sorry, meant to say: create a CSK (Combined Signing Key) instead of KSK/ZSK separately, using RSA/SHA-256.... That combination always seems to work for me.
Then on the registrar make sure to set algorithm 13 and digest type 2.
It's making me crazy, I spent more than 2 days on this now. I have tested god knows how many things.
If I run this command from the server:
[root@web1 ~]# dig +dnssec @localhost DOMAIN.COM
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.2 <<>> +dnssec @localhost DOMAIN.COM
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39137
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;DOMAIN.COM. IN A
;; ANSWER SECTION:
DOMAIN.COM. 3600 IN A SERVER IP
DOMAIN.COM. 3600 IN RRSIG A 13 2 3600 20241017000000 20240926000000 55287 DOMAIN.COM. vqwMreiSyBbInIfVYshhKASwAZWAErm7LueQME8rsUd5ElZuRR0UbMxr hkE3lDBhdc+6O5AVZFJIMutkyBsLHA==
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: tir okt 08 00:28:42 CEST 2024
;; MSG SIZE rcvd: 159
[root@web1 ~]#
All is looking fine. But somehow the published records at the registrar never work. I think I have been through all of the keys that are possible to generate. Heck, I even checked the firewall to see if I somehow managed to block anything. But nope, it makes no sense at all.
I'm using vanity name servers at ClouDNS. All domains that are on the cPanel server are created there as "secondary" with the cPanel IP as main.
I tried with my test domain just to make it primary in ClouDNS, and using ClouDNS DNSSEC. It started working after a few minutes and the key was published correctly.
So there is something really weird going on.
Sorry, you replied just before I replied :)
I already tried with the CSK one, and algorithm set to 13 and digest type to 2, and with the appropriate key tag and digest. But it's the same unfortunately. I went through all of the possible methods to create a key and none of them works :(
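One offline check that settles the "key tag and digest" question before anything else is blamed, added here as an example (not code from the thread or from cPanel): compute the key tag and the digest-type-2 DS from the DNSKEY the zone actually serves, using the algorithm 13 / digest type 2 combination suggested above, and compare it with what was entered at the registrar. The owner name and the 64-byte "public key" are constructed placeholders, not a real key.

```python
import base64
import hashlib

# Constructed sample DNSKEY in presentation format (NOT a real key): flags 257 (KSK/CSK),
# protocol 3, algorithm 13 (ECDSAP256SHA256). The 64 "public key" bytes are just 0x00..0x3f.
SAMPLE_OWNER = "My-Test-Domain.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(presentation: str) -> bytes:
    """Wire-format RDATA of a DNSKEY: flags(2) | protocol(1) | algorithm(1) | public key."""
    flags, proto, alg, *key_b64 = presentation.split()
    key = base64.b64decode("".join(key_b64))  # presentation form may wrap the base64
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, presentation: str) -> str:
    """DS digest type 2 (SHA-256) over canonical owner name || DNSKEY RDATA, lowercase hex."""
    return hashlib.sha256(owner_name_wire(owner) + dnskey_rdata(presentation)).hexdigest()


def ds_matches(owner: str, presentation: str, registrar_tag: int, registrar_digest: str) -> bool:
    """True only if the DS record entered at the registrar matches the DNSKEY the zone serves."""
    expected_tag = key_tag(dnskey_rdata(presentation))
    return registrar_tag == expected_tag and registrar_digest.lower() == ds_digest(owner, presentation)


if __name__ == "__main__":
    tag = key_tag(dnskey_rdata(SAMPLE_DNSKEY))
    print(f"{SAMPLE_OWNER} IN DS {tag} 13 2 {ds_digest(SAMPLE_OWNER, SAMPLE_DNSKEY)}")
```

Feed it the DNSKEY line from `dig +dnssec @localhost DOMAIN.COM DNSKEY` and the DS values shown at the registrar; a mismatch means the registrar holds a stale or mistyped DS, while a match points the search elsewhere (for example at the zone's serving setup).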
Yeah, that is strange. Sorry I can't be of any more help. Never used ClouDNS.
Yooo I finally got it working..
I had to run /usr/local/cpanel/bin/whmapi1 unset_nsec3_for_domains domain=domain.tld
I found it hiding at the bottom of this guide here:
https://support.cpanel.net/hc/en-us/articles/4404190000663-Enabling-AXFR-for-cPanel-controlled-Domains
Nice, good find! I never would have imagined that could have caused this problem!