Merge branch 'develop' into 'develop'

# Conflicts:
#   interface/web/login/index.php

.gitlab-ci.yml

@@ -90,7 +90,7 @@ build:package:
         - if [[ "$VER" == "" ]] ; then VER="3.2dev"$(date +%s) ; fi
         - if [[ "$VER" != "" ]] ; then echo "Replacing 3.2dev by $VER" ; sed -i -r 's/3\.2dev/'${VER}'/g' install/tpl/config.inc.php.master install/sql/ispconfig3.sql ; fi
         - RET=0
-        - tar -cpzf ISPConfig-${VER}.tar.gz --exclude "ISPConfig-${VER}.tar.gz" --exclude ".git*" --exclude ".phplint.yml" --transform 's,^\./,ispconfig3_install/,' . || RET=$?
+        - tar -cpzf ISPConfig-${VER}.tar.gz --exclude "ISPConfig-${VER}.tar.gz" --exclude ".git*" --exclude ".phplint.yml" --transform 's,^\./,ispconfig3_install/,' --mode='0775' ./* || RET=$?
         - if [[ $RET > 1 ]] ; then exit $RET ; fi
         - echo "Listing tar contents for verification"
         - tar -tvf ISPConfig-${VER}.tar.gz
@@ -101,4 +101,4 @@ build:package:
         - echo "Download url is https://download.ispconfig.org/ISPConfig-${VER}.tar.gz"
         
     needs: ["syntax:lint"]
-    allow_failure: false
\ No newline at end of file
+    allow_failure: false

install/dist/tpl/gentoo/apache_ispconfig.vhost.master

@@ -6,7 +6,7 @@
 
 {vhost_port_listen} Listen {vhost_port}
 <tmpl_if name='apache_version' op='<' value='2.4' format='version'>
-  NameVirtualHost *:{vhost_port}
+  # NameVirtualHost *:{vhost_port}
 </tmpl_if>
 
 <VirtualHost _default_:{vhost_port}>

install/lib/installer_base.lib.php

@@ -52,7 +52,7 @@ class installer_base {
 	}
 
 	public function update_acme() {
-		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
+		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh 2> /dev/null'));
 		$acme = reset($acme);
 		$val = 0;
 
@@ -892,6 +892,20 @@ class installer_base {
 	public function configure_mailman($status = 'insert') {
 		global $conf;
 
+		// Fix for #6314: bug on Debian 11 systems where Mailman3 is not available and broken routes exist in the Mailman config
+		$data_dir = '/var/lib/mailman';
+		if (($conf['mailman']['installed'] != true) && is_dir($data_dir)) {
+			rename($data_dir, $data_dir . '-bk');
+			//* Create the mailman files
+			if(!is_dir('/var/lib/mailman/data')) exec('mkdir -p /var/lib/mailman/data');
+			if(!is_file('/var/lib/mailman/data/aliases')) touch('/var/lib/mailman/data/aliases');
+			exec('postmap /var/lib/mailman/data/aliases');
+			if(!is_file('/var/lib/mailman/data/virtual-mailman')) touch('/var/lib/mailman/data/virtual-mailman');
+			exec('postmap /var/lib/mailman/data/virtual-mailman');
+			if(!is_file('/var/lib/mailman/data/transport-mailman')) touch('/var/lib/mailman/data/transport-mailman');
+			exec('postmap /var/lib/mailman/data/transport-mailman');
+		}
+
 		$config_dir = $conf['mailman']['config_dir'].'/';
 		$full_file_name = $config_dir.'mm_cfg.py';
 		//* Backup exiting file
@@ -1653,7 +1667,7 @@ class installer_base {
 		//* These postconf commands will be executed on installation and update
 		$server_ini_rec = $this->db->queryOneRecord("SELECT mail_server, config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
 		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
-		$mail_server = ($server_ini_rec['mail_server']) ? true : false;
+		$mail_server = $conf['services']['mail'];
 		unset($server_ini_rec);
 
 		// amavisd user config file
@@ -1777,7 +1791,7 @@ class installer_base {
 		//* These postconf commands will be executed on installation and update
 		$server_ini_rec = $this->db->queryOneRecord("SELECT mail_server, config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
 		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
-		$mail_server = ($server_ini_rec['mail_server']) ? true : false;
+		$mail_server = $conf['services']['mail'];
 		unset($server_ini_rec);
 
 		$config_dir = $conf['postfix']['config_dir'];
@@ -1981,8 +1995,13 @@ class installer_base {
 
 		exec('chmod a+r /etc/rspamd/local.d/* /etc/rspamd/local.d/maps.d/* /etc/rspamd/override.d/*');
 		# protect passwords in these files
-		exec('chgrp _rspamd /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf /etc/rspamd/local.d/worker-controller.inc');
-		exec('chmod 640 /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf /etc/rspamd/local.d/worker-controller.inc');
+		exec('chgrp _rspamd /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf');
+		exec('chmod 640 /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf');
+
+		if(file_exists('/etc/rspamd/local.d/worker-controller.inc')) {
+			exec('chgrp _rspamd /etc/rspamd/local.d/worker-controller.inc');
+			exec('chmod 640 /etc/rspamd/local.d/worker-controller.inc');
+		}
 
 		# unneccesary, since this was done above?
 		$command = 'usermod -a -G amavis _rspamd';

install/tpl/apache_apps.vhost.master

-######################################################
-# This virtual host contains the configuration
-# for the ISPConfig apps vhost
-######################################################
-
-{tmpl_var name='vhost_port_listen'} Listen {tmpl_var name='apps_vhost_port'}
-# NameVirtualHost *:{tmpl_var name='apps_vhost_port'}
-
-<VirtualHost {tmpl_var name='apps_vhost_ip'}:{tmpl_var name='apps_vhost_port'}>
-  ServerAdmin webmaster@localhost
-  {tmpl_var name='apps_vhost_servername'}
-  
-  <Directory {tmpl_var name='apps_vhost_dir'}>
-    <FilesMatch "\.ph(p3?|tml)$">
-      SetHandler None
-    </FilesMatch>
-  </Directory>
-
-  # SSL Configuration
-  <tmpl_var name="ssl_comment">SSLEngine On
-  <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
-  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
-  <tmpl_else>
-  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
-  </tmpl_if>
-  <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
-  <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
-  <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
-
-  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-  <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
-  <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
-  <tmpl_var name="ssl_comment">SSLCompression Off
-  </tmpl_if>
-  <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>
-  <tmpl_var name="ssl_comment">SSLSessionTickets Off
-  </tmpl_if>
-
-  <IfModule mod_headers.c>
-    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
-    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
-    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
-    Header set X-Content-Type-Options: nosniff
-    Header set X-Frame-Options: SAMEORIGIN
-    Header set X-XSS-Protection: "1; mode=block"
-    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
-    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
-    <IfVersion >= 2.4.7>
-        Header setifempty Strict-Transport-Security "max-age=15768000"
-    </IfVersion>
-    <IfVersion < 2.4.7>
-        Header set Strict-Transport-Security "max-age=15768000"
-    </IfVersion>
-    RequestHeader unset Proxy early
-  </IfModule>
-
-  <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
-  <tmpl_var name="ssl_comment">SSLUseStapling On
-  <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
-  <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
-  </tmpl_if>
-
-  <IfModule mod_headers.c>
-	RequestHeader unset Proxy early
-  </IfModule>
-
-  <IfModule mod_php5.c>
-    DocumentRoot {tmpl_var name='apps_vhost_dir'}
-    AddType application/x-httpd-php .php
-    <Directory {tmpl_var name='apps_vhost_dir'}>
-		Options FollowSymLinks
-		AllowOverride None
-		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
-		Require all granted
-		<tmpl_else>
-		Order allow,deny
-		Allow from all
-		</tmpl_if>
-    </Directory>
-  </IfModule>
-
-  <IfModule mod_php7.c>
-    DocumentRoot {tmpl_var name='apps_vhost_dir'}
-    AddType application/x-httpd-php .php
-    <Directory {tmpl_var name='apps_vhost_dir'}>
-		Options FollowSymLinks
-		AllowOverride None
-		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
-		Require all granted
-		<tmpl_else>
-		Order allow,deny
-		Allow from all
-		</tmpl_if>
-    </Directory>
-  </IfModule>
-
-  <IfModule mod_fcgid.c>
-    DocumentRoot {tmpl_var name='apps_vhost_dir'}
-    SuexecUserGroup ispapps ispapps
-    <Directory {tmpl_var name='apps_vhost_dir'}>
-		Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
-		AllowOverride AuthConfig Indexes Limit Options FileInfo
-	    <FilesMatch "\.php$">
-		  SetHandler fcgid-script
-	    </FilesMatch>
-		FCGIWrapper {tmpl_var name='apps_vhost_basedir'}/php-fcgi-scripts/apps/.php-fcgi-starter .php
-		<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
-		Require all granted
-		<tmpl_else>
-		Order allow,deny
-		Allow from all
-		</tmpl_if>
-    </Directory>
-    IPCCommTimeout  7200
-    MaxRequestLen 15728640 
-  </IfModule>
-
-{tmpl_if name="use_rspamd"}
-  <Location /rspamd>
-        Order allow,deny
-        Allow from all
-  </Location>
-  RewriteEngine On
-  RewriteRule ^/rspamd$ /rspamd/ [R,L]
-  RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
-{/tmpl_if}
-
-</VirtualHost>
-
-<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
-<IfModule mod_ssl.c>
-  <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)
-</IfModule>
-</tmpl_if>

install/tpl/apache_apps.vhost.master

+server/conf/apache_apps.vhost.master
\ No newline at end of file

install/tpl/server.ini.master

@@ -140,6 +140,7 @@ php_fpm_default_chroot=n
 bind_user=root
 bind_group=bind
 bind_zonefiles_dir=/etc/bind
+bind_keyfiles_dir=/etc/bind
 named_conf_path=/etc/bind/named.conf
 named_conf_local_path=/etc/bind/named.conf.local
 disable_bind_log=n

interface/web/admin/form/server_config.tform.php

@@ -1652,6 +1652,20 @@ $form["tabs"]['dns'] = array(
 			'width' => '40',
 			'maxlength' => '255'
 		),
+		'bind_keyfiles_dir' => array(
+			'datatype' => 'VARCHAR',
+			'formtype' => 'TEXT',
+			'default' => '',
+			'validators' => array(	0 => array('type' => 'NOTEMPTY',
+										'errmsg' => 'bind_keyfiles_dir_error_empty'),
+									1 => array ( 	'type' => 'REGEX',
+										'regex' => '/^\/[a-zA-Z0-9\.\-\_\/]{1,128}$/',
+										'errmsg'=> 'bind_keyfiles_dir_error_regex'),
+			),
+			'value' => '',
+			'width' => '40',
+			'maxlength' => '255'
+		),
 		'named_conf_path' => array(
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',

interface/web/admin/form/users.tform.php

@@ -251,7 +251,7 @@ $form['tabs']['users'] = array (
 			'formtype' => 'CHECKBOX',
 			'regex'  => '',
 			'errmsg' => '',
-			'default' => '',
+                       'default' => '1',
 			'value'  => array(0 => 0, 1 => 1),
 			'separator' => '',
 			'width'  => '30',

interface/web/admin/lib/lang/en_server_config.lng

@@ -91,10 +91,12 @@ $wb['apps_vhost_servername_txt'] = 'Apps-vhost Domain';
 $wb['bind_user_txt'] = 'BIND User';
 $wb['bind_group_txt'] = 'BIND Group';
 $wb['bind_zonefiles_dir_txt'] = 'BIND zonefiles directory';
+$wb['bind_keyfiles_dir_txt'] = 'BIND keyfiles directory';
 $wb['named_conf_path_txt'] = 'BIND named.conf path';
 $wb['bind_user_error_empty'] = 'BIND user is empty.';
 $wb['bind_group_error_empty'] = 'BIND group is empty.';
 $wb['bind_zonefiles_dir_error_empty'] = 'BIND zonefiles directory is empty.';
+$wb['bind_keyfiles_dir_error_empty'] = 'BIND keyfiles directory is empty.';
 $wb['named_conf_path_error_empty'] = 'BIND named.conf path is empty.';
 $wb['named_conf_local_path_error_empty'] = 'BIND named.conf.local path is empty.';
 $wb['mail_filter_syntax_txt'] = 'Mailfilter Syntax';
@@ -281,6 +283,7 @@ $wb['awstats_buildstaticpages_pl_error_regex'] = 'Invalid awstats_buildstaticpag
 $wb['invalid_bind_user_txt'] = 'Invalid BIND user.';
 $wb['invalid_bind_group_txt'] = 'Invalid BIND group.';
 $wb['bind_zonefiles_dir_error_regex'] = 'Invalid BIND zonefiles directory.';
+$wb['bind_keyfiles_dir_error_regex'] = 'Invalid BIND keyfiles directory.';
 $wb['named_conf_path_error_regex'] = 'Invalid named.conf path.';
 $wb['named_conf_local_path_error_regex'] = 'Invalid named.conf.local path.';
 $wb['fastcgi_starter_path_error_regex'] = 'Invalid fastcgi starter path.';

interface/web/admin/templates/server_config_dns_edit.htm

@@ -11,6 +11,9 @@
             <div class="form-group">
                 <label for="bind_zonefiles_dir" class="col-sm-3 control-label">{tmpl_var name='bind_zonefiles_dir_txt'}</label>
                 <div class="col-sm-9"><input type="text" name="bind_zonefiles_dir" id="bind_zonefiles_dir" value="{tmpl_var name='bind_zonefiles_dir'}" class="form-control" /></div></div>
+            <div class="form-group">
+                <label for="bind_keyfiles_dir" class="col-sm-3 control-label">{tmpl_var name='bind_keyfiles_dir_txt'}</label>
+                <div class="col-sm-9"><input type="text" name="bind_keyfiles_dir" id="bind_keyfiles_dir" value="{tmpl_var name='bind_keyfiles_dir'}" class="form-control" /></div></div>
             <div class="form-group">
                 <label for="named_conf_path" class="col-sm-3 control-label">{tmpl_var name='named_conf_path_txt'}</label>
                 <div class="col-sm-9"><input type="text" name="named_conf_path" id="named_conf_path" value="{tmpl_var name='named_conf_path'}" class="form-control" /></div></div>

interface/web/client/form/client.tform.php

@@ -318,7 +318,7 @@ $form["tabs"]['address'] = array (
 		'country' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'SELECT',
-			'default' => (isset($conf['language']) ? strtoupper($conf['language']) : ''),
+                       'default' => (isset($conf['default_country'])) ? strtoupper($conf['default_country']) : ((isset($conf['language'])) ? strtoupper($conf['language']) : ''),
 			'datasource' => array (  'type'          => 'SQL',
 				'querystring'   => 'SELECT iso,printable_name FROM country ORDER BY printable_name ASC',
 				'keyfield'      => 'iso',

interface/web/login/index.php

@@ -140,7 +140,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 		} else {
 
 			//* Do 2FA authentication
-			if(isset($user['otp_type']) and $user['otp_type'] != 'none') {
+			if(isset($user['otp_type']) && $user['otp_type'] != 'none') {
 
 				//* Save session in pending state and destroy original session
 				$_SESSION['s_pending'] = $_SESSION['s'];

server/conf/apache_apps.vhost.master

@@ -9,10 +9,12 @@
 <VirtualHost {tmpl_var name='apps_vhost_ip'}:{tmpl_var name='apps_vhost_port'}>
   ServerAdmin webmaster@localhost
   {tmpl_var name='apps_vhost_servername'}
-
-  <FilesMatch "\.ph(p3?|tml)$">
-    SetHandler None
-  </FilesMatch>
+  
+  <Directory {tmpl_var name='apps_vhost_dir'}>
+    <FilesMatch "\.ph(p3?|tml)$">
+      SetHandler None
+    </FilesMatch>
+  </Directory>
 
   # SSL Configuration
   <tmpl_var name="ssl_comment">SSLEngine On
@@ -96,7 +98,7 @@
     DocumentRoot {tmpl_var name='apps_vhost_dir'}
     SuexecUserGroup ispapps ispapps
     <Directory {tmpl_var name='apps_vhost_dir'}>
-		Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
+		Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
 		AllowOverride AuthConfig Indexes Limit Options FileInfo
 	    <FilesMatch "\.php$">
 		  SetHandler fcgid-script
@@ -109,6 +111,8 @@
 		Allow from all
 		</tmpl_if>
     </Directory>
+    IPCCommTimeout  7200
+    MaxRequestLen 15728640 
   </IfModule>
 
 {tmpl_if name="use_rspamd"}

server/conf/apps_php_fpm_pool.conf.master

@@ -17,4 +17,7 @@ pm.max_spare_servers = 5
 chdir = /
 
 ; php_admin_value[open_basedir] = /var/www/apps:/srv/www/apps:/usr/share
-php_admin_flag[magic_quotes_gpc] = off
\ No newline at end of file
+php_admin_flag[magic_quotes_gpc] = off
+
+php_admin_value[post_max_size] = 100M
+php_admin_value[upload_max_filesize] = 100M

server/conf/vhost.conf.master

@@ -408,6 +408,13 @@
 </tmpl_if>
 <tmpl_if name='use_tcp'>
 			#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ fcgi://127.0.0.1:<tmpl_var name='fpm_port'><tmpl_var name='web_document_root'>/$1
+			<Directory {tmpl_var name='web_document_root_www'}>
+				<FilesMatch "\.php[345]?$">
+					<If "-f '%{REQUEST_FILENAME}'">
+						SetHandler "proxy:fcgi://127.0.0.1:<tmpl_var name='fpm_port'>"
+					</If>
+				</FilesMatch>
+			</Directory>
 			<Directory {tmpl_var name='web_document_root'}>
 				<FilesMatch "\.php[345]?$">
 					<If "-f '%{REQUEST_FILENAME}'">
@@ -418,6 +425,13 @@
 </tmpl_if>
 <tmpl_if name='use_socket'>
 			#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix://<tmpl_var name='fpm_socket'>|fcgi://localhost/<tmpl_var name='web_document_root'>/$1
+			<Directory {tmpl_var name='web_document_root_www'}>
+				<FilesMatch "\.php[345]?$">
+					<If "-f '%{REQUEST_FILENAME}'">
+						SetHandler "proxy:unix:<tmpl_var name='fpm_socket'>|fcgi://localhost"
+					</If>
+				</FilesMatch>
+			</Directory>
 			<Directory {tmpl_var name='web_document_root'}>
 				<FilesMatch "\.php[345]?$">
 					<If "-f '%{REQUEST_FILENAME}'">

server/lib/classes/letsencrypt.inc.php

@@ -44,7 +44,7 @@ class letsencrypt {
 	}
 
 	public function get_acme_script() {
-		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
+		$acme = explode("\n", shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh 2> /dev/null'));
 		$acme = reset($acme);
 		if(is_executable($acme)) {
 			return $acme;

server/plugins-available/bind_plugin.inc.php

@@ -98,11 +98,11 @@ class bind_plugin {
 
 		//* Verify that we do not already have keys (overwriting-protection)
 		if($data['old']['dnssec_algo'] == $data['new']['dnssec_algo']) {
-			if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) {
+			if (file_exists($dns_config['bind_keyfiles_dir'].'/dsset-'.$domain.'.')) {
 				return $this->soa_dnssec_update($data);
 			} else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated
 				$keycount=0;
-				foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
+				foreach (glob($dns_config['bind_keyfiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
 					$keycount++;
 				}
 				if ($keycount > 0) {
@@ -116,11 +116,11 @@ class bind_plugin {
 		$dnssec_algo = explode(',',$data['new']['dnssec_algo']);
 
 		//* Create the Zone Signing and Key Signing Keys
-		if(in_array('ECDSAP256SHA256',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key')) == 0) {
-			$app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
+		if(in_array('ECDSAP256SHA256',$dnssec_algo) && count(glob($dns_config['bind_keyfiles_dir'].'/K'.$domain.'.+013*.key')) == 0) {
+			$app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_keyfiles_dir'], $domain, $domain);
 		}
-		if(in_array('NSEC3RSASHA1',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key')) == 0) {
-			$app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
+		if(in_array('NSEC3RSASHA1',$dnssec_algo) && count(glob($dns_config['bind_keyfiles_dir'].'/K'.$domain.'.+007*.key')) == 0) {
+			$app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_keyfiles_dir'], $domain, $domain);
 		}
 
 		$this->soa_dnssec_sign($data); //Now sign the zone for the first time
@@ -149,8 +149,8 @@ class bind_plugin {
 
 		//* Include ECDSAP256SHA256 keys in zone
 		if(in_array('ECDSAP256SHA256',$dnssec_algo)) {
-			foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) {
-				$includeline = '$INCLUDE '.basename($keyfile);
+			foreach (glob($dns_config['bind_keyfiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) {
+				$includeline = '$INCLUDE ' . $keyfile;
 				if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";
 				$keycount++;
 			}
@@ -158,8 +158,8 @@ class bind_plugin {
 
 		//* Include NSEC3RSASHA1 keys in zone
 		if(in_array('NSEC3RSASHA1',$dnssec_algo)) {
-			foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) {
-				$includeline = '$INCLUDE '.basename($keyfile);
+			foreach (glob($dns_config['bind_keyfiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) {
+				$includeline = '$INCLUDE ' . $keyfile;
 				if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";
 				$keycount++;
 			}
@@ -171,20 +171,20 @@ class bind_plugin {
 		file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile);
 
 		//* Sign the zone and set it valid for max. 16 days
-		$app->system->exec_safe('cd ?; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o ? -t ?', $dns_config['bind_zonefiles_dir'], $domain, $filespre.$domain);
+		$app->system->exec_safe('cd ?; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o ? -K ? -t ?', $dns_config['bind_zonefiles_dir'], $domain, $dns_config['bind_keyfiles_dir'], $dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain);
 
 		//* Write Data back ino DB
-		$dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
+		$dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_keyfiles_dir'].'/dsset-'.$domain.'.');
 		$dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n";
 
 		if(in_array('ECDSAP256SHA256',$dnssec_algo)) {
-			foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) {
+			foreach (glob($dns_config['bind_keyfiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) {
 				$dnssecdata .= file_get_contents($keyfile)."\n\n";
 			}
 		}
 
 		if(in_array('NSEC3RSASHA1',$dnssec_algo)) {
-			foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) {
+			foreach (glob($dns_config['bind_keyfiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) {
 				$dnssecdata .= file_get_contents($keyfile)."\n\n";
 			}
 		}
@@ -213,7 +213,7 @@ class bind_plugin {
 			return false;
 		}
 
-		if (!$new && !file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) $this->soa_dnssec_create($data);
+		if (!$new && !file_exists($dns_config['bind_keyfiles_dir'].'/dsset-'.$domain.'.')) $this->soa_dnssec_create($data);
 
 		$dbdata = $app->db->queryOneRecord('SELECT id,serial FROM dns_soa WHERE id=?', intval($data['new']['id']));
 		$app->system->exec_safe('cd ?; named-checkzone ? ? | egrep -ho \'[0-9]{10}\'', $dns_config['bind_zonefiles_dir'], $domain, $dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain);
@@ -237,12 +237,12 @@ class bind_plugin {
 
 		$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
 
-		$key_files = glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*');
+		$key_files = glob($dns_config['bind_keyfiles_dir'].'/K'.$domain.'.+*');
 		foreach($key_files as $file) {
 			unlink($file);
 		}
 		unlink($dns_config['bind_zonefiles_dir'].'/'.$this->zone_file_prefix().$domain.'.signed');
-		unlink($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
+		unlink($dns_config['bind_keyfiles_dir'].'/dsset-'.$domain.'.');
 
 		if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id=?', intval($data['new']['id']));
 		$app->db->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id=?', intval($data['new']['id']));