WIP: Implemented DNS-Zone-Replication via DB (fixes DNSSEC on mirrors)
I tested this on a demo Mirror-Setup (two servers, master with panel and slave as mirror) and it worked.
I did not remove the PHP-Code to hide the DNSSEC field. Well... Not yet!
Important: As I am using the "official way" of replicating DB changes (the datalog), there are two things you should know:
First, I added a field datalog_only_replication to dns_soa which will make the DNS master ignore the current datalog entry if set to 1 and just set the flag back to 0. This is because it would otherwise cause an endless loop (as every datalog entry causes a re-sign and every re-sign creates a datalog entry for replication).
Second, signed zones are much bigger than unsigned ones and every datalog entry will contain both. If there is no pruning of old datalog entries, this will bloat the datalog table quite quickly.
We could change the implementation, but then we would need to introduce another remote access and a half single point of failure. This means the master DB will be the ONLY DB holding the DNSSEC zone.
Further, the DNS master is still the only server having access to the keys. They should be backed up by the admin (but that's self-evident).
Please tell me what you think about this implementation @tbrehm :)
Still marked WIP as I am currently testing this further to not get new bugs again...
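
The loop guard described in the merge request above, as a small Python model added here for illustration (not the author's or the project's code). It assumes a dict for the dns_soa row, a queue standing in for the datalog, a string wrapper standing in for the signer, and that resetting the flag is a direct write that creates no datalog entry.

```python
from collections import deque


def run_master(use_flag, max_steps=20):
    """Process the datalog on the DNS master.

    Returns (entries_processed, entries_still_pending, final_zone_row).
    """
    # Constructed sample zone row; field names other than
    # datalog_only_replication are hypothetical.
    zone = {"records": "example.test. A 192.0.2.1", "signed": "",
            "datalog_only_replication": 0}
    datalog = deque()

    def db_update(changes):
        # Every regular DB update also appends a datalog entry,
        # which is what the mirrors replay to stay in sync.
        zone.update(changes)
        datalog.append(dict(zone))

    db_update({"records": "example.test. A 192.0.2.2"})  # admin edits the zone

    steps = 0
    while datalog and steps < max_steps:
        entry = datalog.popleft()
        steps += 1
        if use_flag and entry["datalog_only_replication"] == 1:
            # This entry exists only to ship the signed zone to the mirrors:
            # reset the flag directly (no datalog write) and do not re-sign.
            zone["datalog_only_replication"] = 0
            continue
        signed = "SIGNED(" + entry["records"] + ")"  # stand-in for the signer
        db_update({"signed": signed, "datalog_only_replication": 1})
    return steps, bool(datalog), zone


if __name__ == "__main__":
    print("with flag:   ", run_master(True)[:2])   # queue drains
    print("without flag:", run_master(False)[:2])  # stops only at max_steps
```

With the guard, one edit produces exactly two datalog entries (the edit and the signed result); without it, every re-sign queues another entry until the step limit is reached.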