DNSSEC support in Clustering

benny@cpanel.net shared this idea 10 months ago
Open Discussion

As a server administrator I would like cPanel's DNSSEC implementation through PowerDNS to support clustered servers in addition to standalone servers.

Comments (28)

photo
10

Providers are supposed to operate between 2 and 7 DNS servers as part of the RFC requirements.

Therefore not having cluster support for DNSSEC makes it pretty pointless for us atm.

Please add this sooner rather than later.

photo
3

When this feature will available with cPanel DNSONLY version?

photo
1

It's not on the roadmap yet, but it's definitely something we want to see added!

photo
1

The implementation of DNSEC on DNS only should be a priority over the clustering solution.

photo
photo
5

DNSSEC is essential to be available in the cluster. We are not going to shutdown a cluster because of DNSSEC!! PowerDNS in the cluster and DNSSEC is the way to go now...

Make it happen cPanel :-)

photo
4

Without support for cluster, DNSSEC + PowerDNS support is useless. Hope this gets implemented soon. :)

photo
2

We'd like to see DNSSEC support added to our cPanel DNS Clusters as well.

We're unable to use DNSSEC at the moment although it's already supported in cPanel.

Hope to see it arrive in version 62.

photo
3

This is a must have. I have 3 DNS Only Servers with 5 Web Servers clustered at the moment and DNSSEC is really needed in this envioment to help secure websites and server even more.

photo
4

Standaone dns server dnssec is so pointless. Smaller service providers usually dont implement such features. Cluster support is what we need

photo
2

Hello Everyone,

I am the Product Owner of the team that implemented DNSSEC in the first place. I want to take a second to talk about some of the issues that we are currently facing with doing DNSSEC on clustered systems.

  • DNSSEC data is stored in a local sqlite db on the cPanel & WHM server
  • That data needs to be shared with all systems in the cluster
  • That data contains private data could be compromised if not transferred securely
  • We would need a way to determine which data goes with which servers and when to delete the data when a record is resigned

We have been looking at several different methods of solving these issues.

The simplest would be a sqlite clustering option across all servers. You would have a separate sqlite db for each server in your cluster that the server containing the domains in the sqlite db would be the master and the other servers would simply mirror the data for that sqlite file. This could get quite messy, but would be the most accurate to the way we currently approach clustering.

The way I would prefer is to do a more overhauled solution to clustering that uses AXFRs. If you have worked much with the current DNS admin system in cPanel & WHM, you will know this is a vast departure from current functionality. This would require a lot more work and would take more time.

I would love to get your feedback to determine which solution would fit your customers needs.

photo
2

I'm all for a "quick & dirty" approach that closes the current gap in security features (in comparison to other interfaces) faster. To be honest, the whole clustering setup can get messy very quickly if you have multiple servers pushing to it anyway.

photo
photo
1

If its about time, i'd rather have a master SQLite db running on a standalone server, have all servers contacts it for information. Easier to manage and would not load up new processes on the frontend web systems. Long term would be to have the DNSonly system merged into this or ideally Have DNSOnly / SQLOnly / MailOnly forks. But thats a topic for another comment.

photo
1

I'd give a massive thumbs up to the 'containerised' MailOnly, SQLonly and DNSonly ideas.

For now however, lets just get DNS fixed :)

In the past we have run a homebrew SQLonly pair of boxes, with master/master replication, sitting behind a pair of HAproxy boxes, with a fleet of 18 cpanel servers accessing them purely via the haproxy ip.

This however required custom scripts/hooks to enforce username uniqueness across all the cpanel boxes, and an ugly hack to join a machine to the sql cluster due to cpanels insistence on ssh'ing to the remote sql server as root in order to run some scripts.

This did however run without issue for well over 2 years, so demonstrates that the idea is not only feasible, but has been achieved albeit manually in the past.

Regards mailonly, this would be an enourmous plus for cpanel, as we could then have one or two primary mail exchangers, running mailscanner, and all the fluff, and would give the bayesian filters a much greater chance of detecting spam, compared to the bayes filter being local to each server.

I'd still expect all mail to actually be stored on the target cpanel server, and also still be used for webmail etc, but would give a 'single' point we need to expose to the world for inbound SMTP.

(Feel free to copy/paste this into the relevant feature requests)

Back to DNSonly, I'm against the idea of having a single 'master' sqlite db, as the whole point of a cluster is that *any* server can fail, without affecting the operation of the rest of the cluster in any way.

Im honestly at a loss though why the entire DNS operation can't be achieved using dns and AXFR requests.

The members of the dns cluster just need to trust each other, and in theory this would also allow a mixing of different dns servers, eg bind and nsd, rather than being forced to run one type of dns server on every machine.

I'd rather it take longer, but be done right, than rushing and bodging it!

photo
photo
1

With the current bind system, I believe DNS is sent over cPanel's API. would it be complicated to do the same for DNSSEC data ?

photo
1

Travis is out this week, but as soon as he's back in the office I'll make sure he's back here to respond to your feedback!

photo
1

@Monarobase,

We can stream it over the DNSAdmin API. However that system is a bit more cumbersome to work on, so we are evaluating all of the options before we commit to anything.

Our current focus for SpiderPig in 64 will be including a more standardized API token based authentication system.

photo
4

Just do what a lot of the service providers do already (as a patch for dns security) and create a hash for each account that you can regen when you want to with that database. Obviously there are better approaches but since DNS hijacking/mitm is becoming more common a simple solution would be better than years with no solution.

photo
2

DNSSEC in the cluster is realy needed and as cpanel as standalone dns already supports it cant be so hard to develope.

So hurry guys!

photo
2

It definitely seems like it should be easy, but introducing the cross-server interactions means there's a lot more that would need to be added to the product in order to do it right. The first step in doing it right here is the new token system that we released in version 64, which you can read about here:

https://documentation.cpanel.net/display/SDK/Guide+to+API+Authentication+-+API+Tokens

https://documentation.cpanel.net/display/64Docs/Manage+API+Tokens

photo
photo
5

I really really really want to see this implemented soon. I think the feature should be top priority. Any updates on progress?

photo
1

Unfortunately, this isn't something we're adding quite yet, but it's still a high-priority for us. As soon as we're able to get any forward motion on this, I'll be back to update everyone.

photo
5

I can confirm. This is next thing in cpanel which "exists theoretically" but it is unusable. We are using clustering, so we need dnssec with clustering. Dnssec without clustering is pointless.

I have couple of political/government site which have in his new requirements using dnssec. I would like not to loos this customers...

Wojtek

photo
1

@Wojtek: Thanks for the feedback, and for the use-case. There's definitely a use for DNSSEC without clustering, though I do understand that it's not as useful for many of our webhosting providers.

photo
6

Most of your larger customers will use clusters.

This makes it more important than standalone server support for DNSSEC imho.

photo
5

As already said, DNSSEC without clustering is pointless. I'm pretty sure that every webhosting provider that really knows what is doing, wants this feature as soon as possible.

photo
1

So I use an outside DNS service that takes requests using AXFR. I was told that they should support and accept dnssec signed record however with the new powerdns and dnssec setting set, the zone transfers were failing.

Short story is I had to edit /etc/pdns/pdns.conf to allow the IPs of my dns provider first.

I have since learned that cpanel signs the records using nsec3 narrow version, which prevents AXFR from working! (yes apparently its a tiny bit better for preventing zone walking but please i am sure our customers are not going to be major targets for hackers with the kind of time to do all that work).

I also learned that we need to remove the narrow signing for it to work (and possibly this needs to be done for the cpanel dns only clustering to work as well?)

so here is my workaround

I have edited the file that creates the record (thanks Michael B for the help) located here: /usr/local/cpanel/Cpanel/NameServer/Conf/PowerDNS.pm

which allows me to sign records without the narrow and thus my zone transfers now work properly however now I am in the boat that this file will get overwritten on future cpanel updates but hopefully with some progress on this front, it wont be for long.

this is what i did

change this line

  1. my $return = _run_pdnssec( { 'args' => [ 'set-nsec3', $domain, $params, ( $config->{'nsec3_narrow'} ? 'narrow' : '' ) ] } );

to this line

  1. my $return = _run_pdnssec( { 'args' => [ 'set-nsec3', $domain, $params, ] } );

now when you create a DNSSEC zone in the cpanel, it will create it without narrow which allows for AXFR to work.

thanks!

p.s. i think it should be added to the feature request to allow the ability for us as administrators to choose how we sign the dnssec record (using nsec3 narrow or not).

photo
1

We are also supporting seeing this feature as soon as possible!

In Norway the registry for .no, NORID, actually gives a rebate on domain registrations for domains registered with DNSSEC. Since we are using clustering in cPanel to handle our DNS service and thus are using clustering (off course), we are actually loosing money using cPanel! The rebate is about $3 per domain registration, and with a normal price of about $7 for .no domains, we miss out on a large profit possibility here!

I really hope cPanel will consider speeding up implementation for DNSSEC support when using clustering!

photo
photo
3

Any update about DNSSEC on cluster ? We really need it ...