DNSSEC support in Clustering
Open Discussion
As a server administrator I would like cPanel's DNSSEC implementation through PowerDNS to support clustered servers in addition to standalone servers.
Unfortunately no news yet, but this hasn't fallen out of our view. As soon as I have more information I'll be back to let everyone know!
Providers are supposed to operate between 2 and 7 DNS servers as part of the RFC requirements.
Therefore not having cluster support for DNSSEC makes it pretty pointless for us atm.
Please add this sooner rather than later.
When will this feature be available with the cPanel DNSONLY version?
DNSSEC is essential to be available in the cluster. We are not going to shut down a cluster because of DNSSEC!! PowerDNS in the cluster and DNSSEC is the way to go now...
Make it happen cPanel :-)
Without support for cluster, DNSSEC + PowerDNS support is useless. Hope this gets implemented soon. :)
We'd like to see DNSSEC support added to our cPanel DNS Clusters as well.
We're unable to use DNSSEC at the moment although it's already supported in cPanel.
Hope to see it arrive in version 62.
This is a must-have. I have 3 DNS Only Servers with 5 Web Servers clustered at the moment and DNSSEC is really needed in this environment to help secure websites and server even more.
Standalone DNS server DNSSEC is so pointless. Smaller service providers usually don't implement such features. Cluster support is what we need.
Hello Everyone,
I am the Product Owner of the team that implemented DNSSEC in the first place. I want to take a second to talk about some of the issues that we are currently facing with doing DNSSEC on clustered systems.
We have been looking at several different methods of solving these issues.
The simplest would be a sqlite clustering option across all servers. You would have a separate sqlite db for each server in your cluster, where the server containing the domains in the sqlite db would be the master and the other servers would simply mirror the data for that sqlite file. This could get quite messy, but would be the most accurate to the way we currently approach clustering.
The way I would prefer is to do a more overhauled solution to clustering that uses AXFRs. If you have worked much with the current DNS admin system in cPanel & WHM, you will know this is a vast departure from current functionality. This would require a lot more work and would take more time.
I would love to get your feedback to determine which solution would fit your customers' needs.
If it's about time, I'd rather have a master SQLite db running on a standalone server, and have all servers contact it for information. Easier to manage and would not load up new processes on the frontend web systems. Long term would be to have the DNSonly system merged into this or ideally have DNSOnly / SQLOnly / MailOnly forks. But that's a topic for another comment.
With the current bind system, I believe DNS is sent over cPanel's API. Would it be complicated to do the same for DNSSEC data?
Travis is out this week, but as soon as he's back in the office I'll make sure he's back here to respond to your feedback!
@Monarobase,
We can stream it over the DNSAdmin API. However, that system is a bit more cumbersome to work on, so we are evaluating all of the options before we commit to anything.
Our current focus for SpiderPig in 64 will be including a more standardized API token based authentication system.
Just do what a lot of the service providers do already (as a patch for dns security) and create a hash for each account that you can regen when you want to with that database. Obviously there are better approaches but since DNS hijacking/mitm is becoming more common a simple solution would be better than years with no solution.
DNSSEC in the cluster is really needed, and as cPanel as a standalone DNS server already supports it, it can't be so hard to develop.
So hurry guys!
I really really really want to see this implemented soon. I think the feature should be top priority. Any updates on progress?
Same here, any update about that? DNSSEC without cluster support doesn't help or make sense.
Dear cPanel staff,
This feature is 100% a must for today's "operational standards" as DNSSEC will be a "de facto" standard.
That being said, I hope you're already working for an implementation of this feature.
Hope to hear good news very soon.
Thanks for your great job @ cPanel.
Kind Regards.
Admin
Any update on DNSSEC support? As part of security and questions of the customers, we need it enabled.
Any news on clustered support for DNSSEC?
Is there any progress regarding DNSSEC in a cluster? It's very important for us because customers are requesting it to comply with certain laws and rules. They are now forced to use other solutions.
Unfortunately no news yet, but this hasn't fallen out of our view. As soon as I have more information I'll be back to let everyone know!
Please can we have an update on this? More and more customers are requesting this, especially since Europe did the whole GDPR thing. Everyone is starting to look at data security as a whole in a much closer light, and some that previously were unsure what DNSSEC even was are now requesting this as standard. Having to migrate customers from a robust clustered server set to a single standalone server is at best a stopgap.
We need DNSSEC in cluster urgently because of ICANN
https://www.us-cert.gov/ncas/current-activity/2018/09/27/DNSSEC-Key-Signing-Key-Rollover
Hi all! I can't give you a definite timeline on this one yet, but as soon as we have one I'll post it here.
Comments have been locked on this page!