cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

DNSSEC support in Clustering

benny@cpanel.net shared this idea 4 years ago
Completed

As a server administrator I would like cPanel's DNSSEC implementation through PowerDNS to support clustered servers in addition to standalone servers.

Comments (35)

photo
11

Providers are supposed to operate between 2 and 7 DNS servers as part of the RFC requirements.


Therefore not having cluster support for DNSSEC makes it pretty pointless for us atm.

Please add this sooner rather than later.

photo
3

When this feature will available with cPanel DNSONLY version?

photo
1

It's not on the roadmap yet, but it's definitely something we want to see added!

photo
1

The implementation of DNSEC on DNS only should be a priority over the clustering solution.

photo
5

DNSSEC is essential to be available in the cluster. We are not going to shutdown a cluster because of DNSSEC!! PowerDNS in the cluster and DNSSEC is the way to go now...


Make it happen cPanel :-)

photo
4

Without support for cluster, DNSSEC + PowerDNS support is useless. Hope this gets implemented soon. :)

photo
2

We'd like to see DNSSEC support added to our cPanel DNS Clusters as well.


We're unable to use DNSSEC at the moment although it's already supported in cPanel.

Hope to see it arrive in version 62.

photo
3

This is a must have. I have 3 DNS Only Servers with 5 Web Servers clustered at the moment and DNSSEC is really needed in this envioment to help secure websites and server even more.

photo
5

Standaone dns server dnssec is so pointless. Smaller service providers usually dont implement such features. Cluster support is what we need

photo
2

Hello Everyone,


I am the Product Owner of the team that implemented DNSSEC in the first place. I want to take a second to talk about some of the issues that we are currently facing with doing DNSSEC on clustered systems.

  • DNSSEC data is stored in a local sqlite db on the cPanel & WHM server
  • That data needs to be shared with all systems in the cluster
  • That data contains private data could be compromised if not transferred securely
  • We would need a way to determine which data goes with which servers and when to delete the data when a record is resigned


We have been looking at several different methods of solving these issues.


The simplest would be a sqlite clustering option across all servers. You would have a separate sqlite db for each server in your cluster that the server containing the domains in the sqlite db would be the master and the other servers would simply mirror the data for that sqlite file. This could get quite messy, but would be the most accurate to the way we currently approach clustering.


The way I would prefer is to do a more overhauled solution to clustering that uses AXFRs. If you have worked much with the current DNS admin system in cPanel & WHM, you will know this is a vast departure from current functionality. This would require a lot more work and would take more time.


I would love to get your feedback to determine which solution would fit your customers needs.

photo
3

I'm all for a "quick & dirty" approach that closes the current gap in security features (in comparison to other interfaces) faster. To be honest, the whole clustering setup can get messy very quickly if you have multiple servers pushing to it anyway.

photo
2

If its about time, i'd rather have a master SQLite db running on a standalone server, have all servers contacts it for information. Easier to manage and would not load up new processes on the frontend web systems. Long term would be to have the DNSonly system merged into this or ideally Have DNSOnly / SQLOnly / MailOnly forks. But thats a topic for another comment.

photo
1

I'd give a massive thumbs up to the 'containerised' MailOnly, SQLonly and DNSonly ideas.


For now however, lets just get DNS fixed :)


In the past we have run a homebrew SQLonly pair of boxes, with master/master replication, sitting behind a pair of HAproxy boxes, with a fleet of 18 cpanel servers accessing them purely via the haproxy ip.

This however required custom scripts/hooks to enforce username uniqueness across all the cpanel boxes, and an ugly hack to join a machine to the sql cluster due to cpanels insistence on ssh'ing to the remote sql server as root in order to run some scripts.

This did however run without issue for well over 2 years, so demonstrates that the idea is not only feasible, but has been achieved albeit manually in the past.

Regards mailonly, this would be an enourmous plus for cpanel, as we could then have one or two primary mail exchangers, running mailscanner, and all the fluff, and would give the bayesian filters a much greater chance of detecting spam, compared to the bayes filter being local to each server.

I'd still expect all mail to actually be stored on the target cpanel server, and also still be used for webmail etc, but would give a 'single' point we need to expose to the world for inbound SMTP.

(Feel free to copy/paste this into the relevant feature requests)


Back to DNSonly, I'm against the idea of having a single 'master' sqlite db, as the whole point of a cluster is that *any* server can fail, without affecting the operation of the rest of the cluster in any way.


Im honestly at a loss though why the entire DNS operation can't be achieved using dns and AXFR requests.

The members of the dns cluster just need to trust each other, and in theory this would also allow a mixing of different dns servers, eg bind and nsd, rather than being forced to run one type of dns server on every machine.

I'd rather it take longer, but be done right, than rushing and bodging it!

photo
1

To clarify when I said "I'd rather it take longer, but be done right, than rushing and bodging it!"I was considering a few months, vs a few days.

2 years down the line and we still dont even have any idea of a design for DNSSEC clusters.

photo
1

With the current bind system, I believe DNS is sent over cPanel's API. would it be complicated to do the same for DNSSEC data ?

photo
1

Travis is out this week, but as soon as he's back in the office I'll make sure he's back here to respond to your feedback!

photo
1

@Monarobase,

We can stream it over the DNSAdmin API. However that system is a bit more cumbersome to work on, so we are evaluating all of the options before we commit to anything.

Our current focus for SpiderPig in 64 will be including a more standardized API token based authentication system.

photo
4

Just do what a lot of the service providers do already (as a patch for dns security) and create a hash for each account that you can regen when you want to with that database. Obviously there are better approaches but since DNS hijacking/mitm is becoming more common a simple solution would be better than years with no solution.

photo
2

DNSSEC in the cluster is realy needed and as cpanel as standalone dns already supports it cant be so hard to develope.


So hurry guys!

photo
2

It definitely seems like it should be easy, but introducing the cross-server interactions means there's a lot more that would need to be added to the product in order to do it right. The first step in doing it right here is the new token system that we released in version 64, which you can read about here:


https://documentation.cpanel.net/display/SDK/Guide+to+API+Authentication+-+API+Tokens

https://documentation.cpanel.net/display/64Docs/Manage+API+Tokens

photo
6

I really really really want to see this implemented soon. I think the feature should be top priority. Any updates on progress?

photo
1

Unfortunately, this isn't something we're adding quite yet, but it's still a high-priority for us. As soon as we're able to get any forward motion on this, I'll be back to update everyone.

photo
5

I can confirm. This is next thing in cpanel which "exists theoretically" but it is unusable. We are using clustering, so we need dnssec with clustering. Dnssec without clustering is pointless.


I have couple of political/government site which have in his new requirements using dnssec. I would like not to loos this customers...


Wojtek

photo
1

@Wojtek: Thanks for the feedback, and for the use-case. There's definitely a use for DNSSEC without clustering, though I do understand that it's not as useful for many of our webhosting providers.

photo
7

Most of your larger customers will use clusters.

This makes it more important than standalone server support for DNSSEC imho.

photo
6

As already said, DNSSEC without clustering is pointless. I'm pretty sure that every webhosting provider that really knows what is doing, wants this feature as soon as possible.

photo
2

So I use an outside DNS service that takes requests using AXFR. I was told that they should support and accept dnssec signed record however with the new powerdns and dnssec setting set, the zone transfers were failing.

Short story is I had to edit /etc/pdns/pdns.conf to allow the IPs of my dns provider first.


I have since learned that cpanel signs the records using nsec3 narrow version, which prevents AXFR from working! (yes apparently its a tiny bit better for preventing zone walking but please i am sure our customers are not going to be major targets for hackers with the kind of time to do all that work).

I also learned that we need to remove the narrow signing for it to work (and possibly this needs to be done for the cpanel dns only clustering to work as well?)


so here is my workaround


I have edited the file that creates the record (thanks Michael B for the help) located here: /usr/local/cpanel/Cpanel/NameServer/Conf/PowerDNS.pm

which allows me to sign records without the narrow and thus my zone transfers now work properly however now I am in the boat that this file will get overwritten on future cpanel updates but hopefully with some progress on this front, it wont be for long.


this is what i did

change this line


  1. my $return = _run_pdnssec( { 'args' => [ 'set-nsec3', $domain, $params, ( $config->{'nsec3_narrow'} ? 'narrow' : '' ) ] } );

to this line


  1. my $return = _run_pdnssec( { 'args' => [ 'set-nsec3', $domain, $params, ] } );

now when you create a DNSSEC zone in the cpanel, it will create it without narrow which allows for AXFR to work.


thanks!


p.s. i think it should be added to the feature request to allow the ability for us as administrators to choose how we sign the dnssec record (using nsec3 narrow or not).

photo
1

We are also supporting seeing this feature as soon as possible!


In Norway the registry for .no, NORID, actually gives a rebate on domain registrations for domains registered with DNSSEC. Since we are using clustering in cPanel to handle our DNS service and thus are using clustering (off course), we are actually loosing money using cPanel! The rebate is about $3 per domain registration, and with a normal price of about $7 for .no domains, we miss out on a large profit possibility here!


I really hope cPanel will consider speeding up implementation for DNSSEC support when using clustering!

photo
2

Same here, any update about that? DNSSEC without cluster support dont help or make sense.

photo
3

Dear cPanel staff,

This feature is 100% a must for today "operational standards" as dnssec will be a "defacto" standard.

That being said, I hope you're already working for an implementation of this feature.

Hope to hear good news very soon.

Thanks for your great job @ Cpanel ..

Kind Regards.

Admin

photo
2

Any update on DNSSEC support? As part of security and questions of the customers, we need it enabled.

photo
2

Any news on clustered support for DNSSec?

photo
1

Unfortunately no news yet, but this hasn't fallen out of our view. As soon as I have more information I'll be back to let everyone know!

photo
3

Please can we have an update on this? More and more customers are requesting this especially since Europe did the whole GDPR thing everyone is starting to look at data security as a whole in a much closer light and some that previously were unsure what DNSSEC even was are now requesting this as standard and having to migrate customers from a robust clustered server set to a single stand alone server is at best a stop gap.

photo
3

Luckily the change they announced in the above article, doesn't affect domains that don't use DNSSEC.

Organizations that do not use DNSSEC validation will be unaffected by the rollover.

photo
1

lucky ! but ... you know ... :-)

photo
3

Hi all! I can't give you a definitely timeline on this one yet, but as soon as we have one I'll post it here.

photo
7

This should be top priority for the next build of cpanel DNSonly in my opinion.


We too have a growing number of users expecting DNSSEC as standard, which is currently impossible due to us running a dns cluster (using bind)

photo
6

any update and progress ?

photo
1

hi we also would like to see this feature would make a huge difference in DNS feature list we could provide to clients if we would switch to cpanel.

photo
2

Any updates on this? Seems ICANN is stepping up pressure we need a solution from cPanel


https://www.icann.org/news/announcement-2019-02-22-en

photo
7

We have had a few requests for DNSSEC recently because of the ICANN’s warnings that some newspapers have extrapolated and made sound like the whole of internet is going down!

Almost all articles mention that ICANN recommends DNSSEC…

Customers don’t understand what it is but now know they want it! :)

photo
1

Right! I also don't understand that cPanel has no clear plan to implement it

photo
4

Although I understand the challenges that the cPanel development team faces in revamping the DNS and DNS Clustering implementation, I am pretty disappointed that it's apparently taking this long to come up with a solid plan. There has been SO much talk about European GDPR standards among IT-managers over the past years, that security related features such as DNSsec have become paramount in business use cases. DNSsec support without support for DNS Clustering is de facto useless for most implementations. I can't sell "Reliability or security, which one do you prefer?".

photo
5

Hey folks! There's no solid update at this time, still, but it was a topic of conversation among our product owners yesterday. As soon as I have one I'll let you know!

photo
7

It is impossible for cluster dns setups to sell hosting towards most government or company related services, DNSSEC is a must have and as already mentioned before GDPR causes DNSSEC to be a must have. If this doesent move we have to migrate our whole DNS system.

2 years ago the request was opend, nothing yet. We already lost several customers or had to setup some of them own nameserver because nothing moves here.

We understand that the dns cluster implementation needs to be planned wise, but seems it havent been started yet, so i assume it will still take a long time untill we see it.

photo
3

Tottally agree. Such delay is unintelligible

photo
4

We have requests weekly from customers who want dnssec on their domains, so hoping it will be implemented soon.

On a side note our country TLD gives rebate for domains with dnssec, so as a registrar with over 15000 domains there is quite the big loss of potential revenue.

photo
5

This is also a request that we get from our clients, I suggest you reconsider.

photo
3

I realize that this is not an easy task for cPanel, but I have to chime-in after 2 years since this feature request was started and ask - "pretty please?". Those of us who use cPanel's DNS clustering and our own DNS to provide shared hosting service to customers really need this. I truly appreciate cPanel's time and attention to this and hope that it will come to fruition soon.

photo
4

I lost a long term client today because they needed this installed as part of their overseas interactions. This was a painful loss and a big enough chuck to hurt, Please tell me this will get resolved at some point in the near future.

photo
3

I'm starting to feel the same pain. Having e-commerce customers on almost all continents in this climate of security concerns and clients wanting to make sure they meet all regulations, and depending on not losing those clients in order to survive in small shared hosting services, this has become a pinnacle issue. Fingers crossed that cPanel will be able to devote some time and resources to this important issue.

photo
3

I'm currently looking into using a commercial third-party plugin for this purpose due to increased demand from customers and cPanel not giving a definite reply to if/when they plan to integrate it for more than 2 years now.

It will just be a real PITA to change back to cPanel's solution if/when they decide to release one. I still shudder about all that went wrong when trying to switch to cPanel+Comodo Autossl....

photo
3

i got excited when i saw the notification email just now hoping the DNSEC option was now available in DNS Cluster shame it was a comment on this lack of DNSEC support now affecting buisnesses. feel the pain Gary this is now just such an important point which will only get more critical to DNS safe implementation hope for a resolve soon.....

photo
4

Besides it being a security issue, we're literally losing money DAILY due to cPanel NOT supporting DNSSEC in cPanel clusters, as our country's registry offers discounts for each domain name registered with DNSSEC and we have also seen long-term customers leave for not being able to offer DNSSEC! This is REALLY totally unacceptable at this stage!!

There's already a third party offering a plugin capable of DNSSEC. Why does cPanel not look into such plugins and create something similar? cPanel this is a big security flaw on your side i.m.h.o.! Get coding!!

photo
2

Its been too long!

photo
1

thanks for the update. waiting for September. It's really a must feature for clustering!


dot

photo
2

This has already been implemented by a third party.

https://applications.cpanel.net/listings/view/DNSSEC-Advanced-Plugin-for-cPanel-Clusters

Why doesnt cpanel simply buy this code and include it as standard, for a quick fix.

Long term however, removing the SPOF created here by only signing requests on ns1 would be a requirement - otherwise if your ns1 dies, so does the entire cluster, which kinda defeats the point of it being clustered to begin with.

photo
9

Hey all! Just a quick update to say this is currently targeted at cPanel & WHM Version 84, which is aimed at being released in September. As always, it's very, very early in the development cycle and many things can move in the meantime, but I wanted to give y'all that quick update. We'll be back with more information as soon as we have it!

photo
2

WOW THIS IS A GREAT NEWS! You're very welcome ... Now I've a true <3 @ cpanel!

photo
1

TWO years old request, now becoming true. You guys are improving the timing ;-) Thanks in advance

photo
2

This is just great news. Can't wait to test this out.

photo
1

Do you know if this will be using Bind or PowerDNS? We are looking at refreshing our cPanel DNS Only cluster in the next couple of months, most likely using PowerDNS however would be nice to confirm which application will be supporting DNSSEC in a cluster to save having to redo everything for DNSSEC support.

photo
3

Very excited to update you guys on the status of this project. I can confirm that DNSSEC clustering will be done with PowerDNS for better performance and lower maintenance compared to BIND. Please continue to send us your feedback while we develop!

photo
1

@Rieza,

Will this by any chance run with a MySQL backend? Please say yesss ahaha

photo
1

Hey @Lucas, we're headed in that direction and if you haven't already, please upvote the feature request for MySQL backend for PDNS.

photo
1

Great news! Looking forward!

photo
2

Hi Benny, any news about this? Is this still on track for v84? Thanks.

Replies have been locked on this page!