DNSSEC support in Clustering

It's not on the roadmap yet, but it's definitely something we want to see added!

The implementation of DNSEC on DNS only should be a priority over the clustering solution.

I'm all for a "quick & dirty" approach that closes the current gap in security features (in comparison to other interfaces) faster. To be honest, the whole clustering setup can get messy very quickly if you have multiple servers pushing to it anyway.

I'd give a massive thumbs up to the 'containerised' MailOnly, SQLonly and DNSonly ideas.

For now however, lets just get DNS fixed :)

In the past we have run a homebrew SQLonly pair of boxes, with master/master replication, sitting behind a pair of HAproxy boxes, with a fleet of 18 cpanel servers accessing them purely via the haproxy ip.

This however required custom scripts/hooks to enforce username uniqueness across all the cpanel boxes, and an ugly hack to join a machine to the sql cluster due to cpanels insistence on ssh'ing to the remote sql server as root in order to run some scripts.

This did however run without issue for well over 2 years, so demonstrates that the idea is not only feasible, but has been achieved albeit manually in the past.

Regards mailonly, this would be an enourmous plus for cpanel, as we could then have one or two primary mail exchangers, running mailscanner, and all the fluff, and would give the bayesian filters a much greater chance of detecting spam, compared to the bayes filter being local to each server.

I'd still expect all mail to actually be stored on the target cpanel server, and also still be used for webmail etc, but would give a 'single' point we need to expose to the world for inbound SMTP.

(Feel free to copy/paste this into the relevant feature requests)

Back to DNSonly, I'm against the idea of having a single 'master' sqlite db, as the whole point of a cluster is that *any* server can fail, without affecting the operation of the rest of the cluster in any way.

Im honestly at a loss though why the entire DNS operation can't be achieved using dns and AXFR requests.

The members of the dns cluster just need to trust each other, and in theory this would also allow a mixing of different dns servers, eg bind and nsd, rather than being forced to run one type of dns server on every machine.

I'd rather it take longer, but be done right, than rushing and bodging it!

It definitely seems like it should be easy, but introducing the cross-server interactions means there's a lot more that would need to be added to the product in order to do it right. The first step in doing it right here is the new token system that we released in version 64, which you can read about here:

https://documentation.cpanel.net/display/SDK/Guide+to+API+Authentication+-+API+Tokens

https://documentation.cpanel.net/display/64Docs/Manage+API+Tokens

Unfortunately, this isn't something we're adding quite yet, but it's still a high-priority for us. As soon as we're able to get any forward motion on this, I'll be back to update everyone.

I can confirm. This is next thing in cpanel which "exists theoretically" but it is unusable. We are using clustering, so we need dnssec with clustering. Dnssec without clustering is pointless.

I have couple of political/government site which have in his new requirements using dnssec. I would like not to loos this customers...

Wojtek

@Wojtek: Thanks for the feedback, and for the use-case. There's definitely a use for DNSSEC without clustering, though I do understand that it's not as useful for many of our webhosting providers.

Most of your larger customers will use clusters.

This makes it more important than standalone server support for DNSSEC imho.

As already said, DNSSEC without clustering is pointless. I'm pretty sure that every webhosting provider that really knows what is doing, wants this feature as soon as possible.

So I use an outside DNS service that takes requests using AXFR. I was told that they should support and accept dnssec signed record however with the new powerdns and dnssec setting set, the zone transfers were failing.

Short story is I had to edit /etc/pdns/pdns.conf to allow the IPs of my dns provider first.

I have since learned that cpanel signs the records using nsec3 narrow version, which prevents AXFR from working! (yes apparently its a tiny bit better for preventing zone walking but please i am sure our customers are not going to be major targets for hackers with the kind of time to do all that work).

I also learned that we need to remove the narrow signing for it to work (and possibly this needs to be done for the cpanel dns only clustering to work as well?)

so here is my workaround

I have edited the file that creates the record (thanks Michael B for the help) located here: /usr/local/cpanel/Cpanel/NameServer/Conf/PowerDNS.pm

which allows me to sign records without the narrow and thus my zone transfers now work properly however now I am in the boat that this file will get overwritten on future cpanel updates but hopefully with some progress on this front, it wont be for long.

this is what i did

change this line

1. my $return = _run_pdnssec( { 'args' => [ 'set-nsec3', $domain, $params, ( $config->{'nsec3_narrow'} ? 'narrow' : '' ) ] } );

to this line

1. my $return = _run_pdnssec( { 'args' => [ 'set-nsec3', $domain, $params, ] } );

now when you create a DNSSEC zone in the cpanel, it will create it without narrow which allows for AXFR to work.

thanks!

p.s. i think it should be added to the feature request to allow the ability for us as administrators to choose how we sign the dnssec record (using nsec3 narrow or not).

We are also supporting seeing this feature as soon as possible!

In Norway the registry for .no, NORID, actually gives a rebate on domain registrations for domains registered with DNSSEC. Since we are using clustering in cPanel to handle our DNS service and thus are using clustering (off course), we are actually loosing money using cPanel! The rebate is about $3 per domain registration, and with a normal price of about $7 for .no domains, we miss out on a large profit possibility here!

I really hope cPanel will consider speeding up implementation for DNSSEC support when using clustering!

Luckily the change they announced in the above article, doesn't affect domains that don't use DNSSEC.

Organizations that do not use DNSSEC validation will be unaffected by the rollover.

lucky ! but ... you know ... :-)

This should be top priority for the next build of cpanel DNSonly in my opinion.

We too have a growing number of users expecting DNSSEC as standard, which is currently impossible due to us running a dns cluster (using bind)

any update and progress ?