Submitted by sonoracomm on Tue, 05/06/2014 - 14:40 Pro Licensee
Hi,
We're migrating to a new Virtualmin Pro server based on CentOS 6 and we plan to implement a Virtualmin GPL in a remote VPS for secondary DNS and such.
What's the story with DNSSEC?
I know you introduced support a couple of years ago, but I have never gotten it to work (or more accurately, never wanted to spend the time it would take to get it working).
Is there any (Virtualmin) documentation yet on how to implement it? I didn't find any...
Can you tell me how to get it working? On new zones? On existing zones?
Will it sync with the secondary DNS server?
Is it worth the time and trouble?
Thanks,
G
Status: Active
Comments
Submitted by andreychek on Tue, 05/06/2014 - 17:18 Comment #1
Howdy -- using DNSSEC should be as simple as going into System Settings -> Server Templates -> Default -> BIND DNS Domain, and enabling the various "Create DNSSEC key and sign new domains?" options in there.
One thing is that I don't know how it handles existing domains (Jamie would know this though, if you end up wanting to hear more about it).
However, I suspect if you disable, then re-enable, the DNS feature for an existing domain, that it would enable DNSSEC for that domain at that time.
Submitted by sonoracomm on Thu, 06/26/2014 - 14:10 Pro Licensee Comment #2
Hi,
I'm documenting our internal notes for implementing Virtualmin DNSSEC and I ran into an issue that wasn't simple, so I'm asking here if there is an easier way.
The issue is DS (delegated signer) records, which are needed to complete the chain of trust for DNSSEC-signed domains.
We use ResellerClub as a domain registrar and they have a simple web form used to create the DS records at the registrar.
The bits needed to create the DS records are all in a file:
cat /var/named/dsset-domain.tld.
Is there a way to expose this data in the Virtualmin/Webmin interface?
It's easy at the CLI, but only for the root user.
Thanks in advance,
G
Submitted by JamieCameron on Fri, 06/27/2014 - 01:13 Comment #3
How about if this was displayed in Virtualmin, on the DNS Records page?
Submitted by sonoracomm on Fri, 06/27/2014 - 08:44 Pro Licensee Comment #4
Hi Jamie,
That sounds great.
If it's there already, I missed it...
Thanks,
G
Submitted by JamieCameron on Sat, 06/28/2014 - 00:37 Comment #5
No, I'll look into adding this.
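The dsset file mentioned in comment #2 can be split into the separate DS fields (key tag, algorithm, digest type, digest) that a registrar form takes. This is an added example, not part of the original thread or Virtualmin's code; it assumes the dsset line layout written by BIND's dnssec-signzone, and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn dsset lines into owner|keytag|algorithm|digesttype|digest|status.
# Assumed line layout: <owner> [ttl] [class] DS <keytag> <alg> <digesttype> <digest chunks...>
# Real use, as root:  ds_fields /var/named/dsset-domain.tld.

ds_fields() {
    awk '
    NF == 0 || $1 ~ /^;/ { next }            # skip blank lines and comments
    {
        # TTL and class are optional, so locate the DS token first.
        ds = 0
        for (i = 2; i <= NF; i++)
            if (toupper($i) == "DS") { ds = i; break }
        if (ds == 0 || NF < ds + 4) next

        # Long digests are written in space-separated chunks; join them.
        digest = ""
        for (i = ds + 4; i <= NF; i++) digest = digest $i
        digest = toupper(digest)

        # Expected hex length per digest type: 1=SHA-1, 2=SHA-256, 4=SHA-384.
        want = 0
        if ($(ds+3) == 1) want = 40
        else if ($(ds+3) == 2) want = 64
        else if ($(ds+3) == 4) want = 96
        status = (want && length(digest) == want && digest ~ /^[0-9A-F]+$/) ? "ok" : "check"

        printf "%s|%s|%s|%s|%s|%s\n", $1, $(ds+1), $(ds+2), $(ds+3), digest, status
    }' "$@"
}

# Constructed sample records (not real key material). The last one is
# deliberately truncated to show what a bad copy/paste looks like.
sample_dsset() {
    cat <<'EOF'
; constructed sample
domain.tld.    IN DS 12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567
domain.tld.    IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF
domain.tld.    IN DS 12345 8 2 0123456789ABCDEF
EOF
}

sample_dsset | ds_fields
```

A record marked `check` has a digest whose length or characters do not match its digest type, which usually means it was cut off before being pasted into the registrar form.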