DNSSEC support in Clustering

Providers are supposed to operate between 2 and 7 DNS servers as part of the RFC requirements.

Therefore not having cluster support for DNSSEC makes it pretty pointless for us atm.

Please add this sooner rather than later.

When this feature will available with cPanel DNSONLY version?

DNSSEC is essential to be available in the cluster. We are not going to shutdown a cluster because of DNSSEC!! PowerDNS in the cluster and DNSSEC is the way to go now...

Make it happen cPanel :-)

Without support for cluster, DNSSEC + PowerDNS support is useless. Hope this gets implemented soon. :)

We'd like to see DNSSEC support added to our cPanel DNS Clusters as well.

We're unable to use DNSSEC at the moment although it's already supported in cPanel.

Hope to see it arrive in version 62.

This is a must have. I have 3 DNS Only Servers with 5 Web Servers clustered at the moment and DNSSEC is really needed in this envioment to help secure websites and server even more.

Standaone dns server dnssec is so pointless. Smaller service providers usually dont implement such features. Cluster support is what we need

Hello Everyone,

I am the Product Owner of the team that implemented DNSSEC in the first place. I want to take a second to talk about some of the issues that we are currently facing with doing DNSSEC on clustered systems.

• DNSSEC data is stored in a local sqlite db on the cPanel & WHM server
• That data needs to be shared with all systems in the cluster
• That data contains private data could be compromised if not transferred securely
• We would need a way to determine which data goes with which servers and when to delete the data when a record is resigned

We have been looking at several different methods of solving these issues.

The simplest would be a sqlite clustering option across all servers. You would have a separate sqlite db for each server in your cluster that the server containing the domains in the sqlite db would be the master and the other servers would simply mirror the data for that sqlite file. This could get quite messy, but would be the most accurate to the way we currently approach clustering.

The way I would prefer is to do a more overhauled solution to clustering that uses AXFRs. If you have worked much with the current DNS admin system in cPanel & WHM, you will know this is a vast departure from current functionality. This would require a lot more work and would take more time.

I would love to get your feedback to determine which solution would fit your customers needs.

If its about time, i'd rather have a master SQLite db running on a standalone server, have all servers contacts it for information. Easier to manage and would not load up new processes on the frontend web systems. Long term would be to have the DNSonly system merged into this or ideally Have DNSOnly / SQLOnly / MailOnly forks. But thats a topic for another comment.

With the current bind system, I believe DNS is sent over cPanel's API. would it be complicated to do the same for DNSSEC data ?

Travis is out this week, but as soon as he's back in the office I'll make sure he's back here to respond to your feedback!

@Monarobase,

We can stream it over the DNSAdmin API. However that system is a bit more cumbersome to work on, so we are evaluating all of the options before we commit to anything.

Our current focus for SpiderPig in 64 will be including a more standardized API token based authentication system.

Just do what a lot of the service providers do already (as a patch for dns security) and create a hash for each account that you can regen when you want to with that database. Obviously there are better approaches but since DNS hijacking/mitm is becoming more common a simple solution would be better than years with no solution.

DNSSEC in the cluster is realy needed and as cpanel as standalone dns already supports it cant be so hard to develope.

So hurry guys!

I really really really want to see this implemented soon. I think the feature should be top priority. Any updates on progress?

Same here, any update about that? DNSSEC without cluster support dont help or make sense.

Dear cPanel staff,

This feature is 100% a must for today "operational standards" as dnssec will be a "defacto" standard.

That being said, I hope you're already working for an implementation of this feature.

Hope to hear good news very soon.

Thanks for your great job @ Cpanel ..

Kind Regards.

Admin

Any update on DNSSEC support? As part of security and questions of the customers, we need it enabled.

Any news on clustered support for DNSSec?

Is there any progress regarding DNSSEC in a cluster? It's very important for us because customers are requesting it to comply with certain laws and rules. They are now forced to use other solutions.

Unfortunately no news yet, but this hasn't fallen out of our view. As soon as I have more information I'll be back to let everyone know!

Please can we have an update on this? More and more customers are requesting this especially since Europe did the whole GDPR thing everyone is starting to look at data security as a whole in a much closer light and some that previously were unsure what DNSSEC even was are now requesting this as standard and having to migrate customers from a robust clustered server set to a single stand alone server is at best a stop gap.

We need DNSsec in cluster urgently becouse of ICANN

https://www.us-cert.gov/ncas/current-activity/2018/09/27/DNSSEC-Key-Signing-Key-Rollover

Hi all! I can't give you a definitely timeline on this one yet, but as soon as we have one I'll post it here.

We have had a few requests for DNSSEC recently because of the ICANN’s warnings that some newspapers have extrapolated and made sound like the whole of internet is going down!

Almost all articles mention that ICANN recommends DNSSEC…

Customers don’t understand what it is but now know they want it! :)

Right! I also don't understand that cPanel has no clear plan to implement it

Although I understand the challenges that the cPanel development team faces in revamping the DNS and DNS Clustering implementation, I am pretty disappointed that it's apparently taking this long to come up with a solid plan. There has been SO much talk about European GDPR standards among IT-managers over the past years, that security related features such as DNSsec have become paramount in business use cases. DNSsec support without support for DNS Clustering is de facto useless for most implementations. I can't sell "Reliability or security, which one do you prefer?".

Hey folks! There's no solid update at this time, still, but it was a topic of conversation among our product owners yesterday. As soon as I have one I'll let you know!

It is impossible for cluster dns setups to sell hosting towards most government or company related services, DNSSEC is a must have and as already mentioned before GDPR causes DNSSEC to be a must have. If this doesent move we have to migrate our whole DNS system.

2 years ago the request was opend, nothing yet. We already lost several customers or had to setup some of them own nameserver because nothing moves here.

We understand that the dns cluster implementation needs to be planned wise, but seems it havent been started yet, so i assume it will still take a long time untill we see it.

Tottally agree. Such delay is unintelligible

We have requests weekly from customers who want dnssec on their domains, so hoping it will be implemented soon.

On a side note our country TLD gives rebate for domains with dnssec, so as a registrar with over 15000 domains there is quite the big loss of potential revenue.

This is also a request that we get from our clients, I suggest you reconsider.

I realize that this is not an easy task for cPanel, but I have to chime-in after 2 years since this feature request was started and ask - "pretty please?". Those of us who use cPanel's DNS clustering and our own DNS to provide shared hosting service to customers really need this. I truly appreciate cPanel's time and attention to this and hope that it will come to fruition soon.