Master



See merge request !274

DNSSEC-Implementation for BIND-Users (Including TLSA for DANE)

This implements DNSSEC on a full automatic base. Whenever a zone gets added, changed or deleted it will be signed (or in case of deletion the keys get deleted) This adds full dnssec capabilities to the system.

Hints:
- DNSKEY-Records are not visible within ISPConfig as they get added by a script by the server cron.
- If there is low available entropy (<400 bits) new keys will not generate. In this case the zonefile (which was never signed before) stays unsigned until next change of soa or any rr in that zone. IF a key exists zone files will always be signed.
- I recommend installing haveged - especially on VMs - which raises available entropy by a huge amount of bits
- only de and en language included.
- DNSSEC can be switched on/off on a per zone base and is only available for primary zones (of course).
- Zone-Transfers will transfer the signed zone if DNSSEC is enabled for the originating zone

The scripts have been tested on my productive 3.0 server for about 4 weeks as well as a functional test for any scenarios I thought about in my 3.1 testing environment.

More info (older version): https://www.howtoforge.com/community/threads/bit-hacky-implementation-of-dnssec-patch-and-tlsa-dane.71829/

ANOTHER HINT: Currently the New zone Wizard is not working. This also happens in latest ISPC master branch so I ignored that and filed a bug report: http://bugtracker.ispconfig.org/index.php?do=details&task_id=4069


//Edit:
One more note: I left the wizard/templates unchanged as it is buggy at the moment. Providing a checkbox to switch dnssec_wanted between Y and N is up to you here. Should not be too complicated though...

See merge request !269

Added sone lines to rmeoting api description file for dns (I hope thats correct...)

Conflicts:
	install/lib/installer_base.lib.php

Master



See merge request !273

FS#4070 - DMARC CNAMES cannot be added to ISPConfig



See merge request !271

This one also sets type SPF as well as two records within DNS as of RFC4408
Hop that's okay?

This is a considered as stable stable release. (tested the workflow successfully)
Note: I am not perfect at RegEx I know the RegEx for LOC- and DS-Records is actually not checking. The DS-Regex is definitely valid (tested on regexpal).
Along with my dns-status modification this should not be a problem at all.

Next step is to implement some DNSSEC-Requiring Record Types uon request of some others (will be within this branch before removing the WIP state)

Conflicts:
	install/sql/incremental/upd_dev_collection.sql

Signing is not working, I need a energy drink to proceed...

Supposed behaviour just committing to have a point to roll back ICoE