
WIP: Implemented DNS-Zone-Replication via DB (fixes DNSSEC on mirrors)

I tested this on a demo mirror setup (two servers: master with panel and slave as mirror) and it worked.

I did not remove the PHP code that hides the DNSSEC field. Well... not yet!

Important: As I am using the "official way" of replicating DB changes (the datalog), there are two things you should know:

First, I added a field datalog_only_replication to dns_soa which makes the DNS master ignore the current datalog entry if it is set to 1 and just set the flag back to 0. This is because it would otherwise cause an endless loop (as every datalog entry causes a re-sign and every re-sign creates a datalog entry for replication).

Second, signed zones are much bigger than unsigned ones and every datalog entry will contain both. If there is no pruning of old datalog entries, this will bloat the datalog table quite quickly.

We could change the implementation, but then we would need to introduce another remote access and half of a single point of failure. This means the master DB would be the ONLY DB holding the DNSSEC zone.

Further, the DNS master is still the only server having access to the keys. They should be backed up by the admin (but that's self-evident).

Please tell me what you think about this implementation @tbrehm :)

Still marked WIP as I am currently testing this further so as not to get new bugs again...

fixes #4179 and #3853 (closed)

Edited by Marius Burkard
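The re-sign loop and the loop-breaker flag described in the merge request, as an added toy model (not ISPConfig's code and not the code in this merge request). It keeps the names dns_soa, datalog and datalog_only_replication from the description; the Datalog and Server classes, the signed_zone column, sign_zone() as an HMAC stand-in for DNSSEC signing, the demo key and the sample zone are all constructed for the illustration. Running replicate() with the flag shows one signing and a drained, pruned datalog; running it without the flag shows the master re-signing on every round it is allowed, which is the endless loop the flag exists to stop.

```python
import hashlib
import hmac

# Constructed demo key standing in for the zone's DNSSEC keys. Only the
# master calls sign_zone(), mirroring the setup where the DNS master is the
# only server holding the keys (the mirror only receives signed zone text).
DEMO_ZSK = b"constructed-demo-key-not-a-real-zsk"


def sign_zone(records):
    """Stand-in for DNSSEC signing: a MAC over the zone text (toy, not RRSIG)."""
    text = "\n".join(records)
    mac = hmac.new(DEMO_ZSK, text.encode(), hashlib.sha256).hexdigest()
    return text + "\n; SIG " + mac


class Datalog:
    """The change journal every server replays; entries are (id, table, row_id, values)."""

    def __init__(self):
        self.entries = []
        self.next_id = 1

    def append(self, table, row_id, values):
        self.entries.append((self.next_id, table, row_id, dict(values)))
        self.next_id += 1

    def prune(self, last_ids):
        """Drop entries every server has replayed; without this the signed zones bloat the table."""
        floor = min(last_ids)
        self.entries = [e for e in self.entries if e[0] > floor]


class Server:
    def __init__(self, name, datalog, is_master, use_flag):
        self.name = name
        self.datalog = datalog
        self.is_master = is_master
        self.use_flag = use_flag
        self.last_id = 0
        self.dns_soa = {}  # row_id -> column values (this server's copy of the table)
        self.signings = 0

    def replay(self):
        """Apply every datalog entry not yet seen (one pass over a snapshot of the journal)."""
        applied = 0
        for entry_id, table, row_id, values in list(self.datalog.entries):
            if entry_id <= self.last_id:
                continue
            self.last_id = entry_id
            row = self.dns_soa.setdefault(row_id, {})
            row.update(values)
            applied += 1
            if table == "dns_soa" and self.is_master:
                self._zone_changed(row_id, row)
        return applied

    def _zone_changed(self, row_id, row):
        """Master-side hook: a zone change means re-sign and journal the signed result."""
        if self.use_flag and row.get("datalog_only_replication"):
            row["datalog_only_replication"] = 0  # replication-only entry: reset the flag, do not re-sign
            return
        self.signings += 1
        row["signed_zone"] = sign_zone(row["records"])
        self.datalog.append("dns_soa", row_id, {
            "signed_zone": row["signed_zone"],
            "datalog_only_replication": 1 if self.use_flag else 0,
        })


def replicate(use_flag, max_rounds=20):
    """Run master and mirror until the datalog is drained or max_rounds is hit."""
    datalog = Datalog()
    master = Server("master", datalog, is_master=True, use_flag=use_flag)
    mirror = Server("mirror", datalog, is_master=False, use_flag=use_flag)
    # Constructed panel edit: one unsigned zone written on the master.
    datalog.append("dns_soa", "example.com.", {
        "records": [
            "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600",
            "example.com. 3600 IN NS ns1.example.com.",
            "www.example.com. 3600 IN A 192.0.2.10",
        ],
        "datalog_only_replication": 0,
    })
    converged, rounds = False, 0
    while rounds < max_rounds:
        rounds += 1
        if master.replay() + mirror.replay() == 0:
            converged = True
            break
    datalog.prune([master.last_id, mirror.last_id])
    return {
        "converged": converged,
        "rounds": rounds,
        "master_signings": master.signings,
        "mirror_signings": mirror.signings,
        "mirror_in_sync": mirror.dns_soa["example.com."].get("signed_zone")
        == master.dns_soa["example.com."].get("signed_zone"),
        "datalog_size": len(datalog.entries),
    }


if __name__ == "__main__":
    print("with flag:   ", replicate(use_flag=True))
    print("without flag:", replicate(use_flag=False))
```

The flag reset in _zone_changed() is a local write that is deliberately not journalled; if it went through the datalog it would itself be a zone change and restart the loop. The prune() step is what keeps the journal from growing by one full signed zone per change.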
