Skip to content

DNSSEC-Implementation for BIND-Users (Including TLSA for DANE)

Alex von Firesplash requested to merge darkalex/ispconfig3:dns-dnssec into stable-3.1

This implements DNSSEC on a full automatic base. Whenever a zone gets added, changed or deleted it will be signed (or in case of deletion the keys get deleted) This adds full dnssec capabilities to the system.

Hints:

  • DNSKEY-Records are not visible within ISPConfig as they get added by a script by the server cron.
  • If there is low available entropy (<400 bits) new keys will not generate. In this case the zonefile (which was never signed before) stays unsigned until next change of soa or any rr in that zone. IF a key exists zone files will always be signed.
  • I recommend installing haveged - especially on VMs - which raises available entropy by a huge amount of bits
  • only de and en language included.
  • DNSSEC can be switched on/off on a per zone base and is only available for primary zones (of course).
  • Zone-Transfers will transfer the signed zone if DNSSEC is enabled for the originating zone

The scripts have been tested on my productive 3.0 server for about 4 weeks as well as a functional test for any scenarios I thought about in my 3.1 testing environment.

More info (older version): https://www.howtoforge.com/community/threads/bit-hacky-implementation-of-dnssec-patch-and-tlsa-dane.71829/

ANOTHER HINT: Currently the New zone Wizard is not working. This also happens in latest ISPC master branch so I ignored that and filed a bug report: http://bugtracker.ispconfig.org/index.php?do=details&task_id=4069

//Edit: One more note: I left the wizard/templates unchanged as it is buggy at the moment. Providing a checkbox to switch dnssec_wanted between Y and N is up to you here. Should not be too complicated though...

Merge request reports