Add support for DNSSEC #2938

jaapmarcus · 2022-09-21T17:34:22Z

Please note this PR is not stable and should not be used in production

Due the price raises for .ch domain without DNSSEC support it made sense to add support for it.

Please note Syncing "Hestia" API will not get supported due to issues with it.

To enable it change manually edit DNSSEC in /usr/local/hestia/data/user/{user}/dns.conf and set DNSSEC='no' to 'yes' or add "DNSSEC='yes'

Then rebuild it.

See update information on how to enable it in combination with zone transfer below...

Bug in v-add-dns-record Fix A new NS DNSKEY Mix up Don't add " Fix error Fix few typos

Bind need write access to the folder where .db file is stored

func/rebuild.sh

Need to improved to support json

jaapmarcus · 2022-09-23T14:00:19Z

Todo list

Restore Backup
Syncing
Idn support / check
general testing
Web UI

jaapmarcus · 2022-10-02T19:49:23Z

UI It self might need some ❤️

When deleting DNS domain it doesn't delete the keys

jaapmarcus · 2022-10-04T09:45:00Z

Do not update to this branch if your server contains critical domains

Install branch:
Run v-update-sys-hestia-git jaapmarcus feature/dnssec-support

If you are planning to use it under a "single" setup without any "DNS cluster" just enable DNSSEC and run v-list-dnssec-public-key user domain.com plain DS or v-list-dnssec-public-key user domain.com plain to get the required DS or DNSKEY

For setting up a DNS Cluster:
On the "master"

Run v-update-sys-hestia-git jaapmarcus feature/dnssec-support

nano /usr/local/hestia/conf/hestia.conf

And edit: DNS_CLUSTER_SYSTEM='hestia' to DNS_CLUSTER_SYSTEM='zone'

Open /etc/bind/named.options and change the following:

allow-transfer {"none";};
Remove "none" and add your slaves ip separated by a ;
Add
also-notify { slaveip; };

On your slave:
Run v-update-sys-hestia-git jaapmarcus feature/dnssec-support

Open /etc/bind/named.options and change the following:

allow-recursion { 127.0.0.1; ::1;};;
Add masterip;

Add
allow-notify{ masterip; };

Now setup the slave as you would normally do.

ScIT-Raphael

Testing went properly, couldnt find any bug.

jaapmarcus added 5 commits September 20, 2022 20:07

Solve issues with DNSKEY in v-add-dns-record

2c8aeac

Bug in v-add-dns-record Fix A new NS DNSKEY Mix up Don't add " Fix error Fix few typos

Add support for DS record

51e0619

Apply changes to user account

c5d20d0

Bind need write access to the folder where .db file is stored

Add support for DS type and allow . in common name

8a656a6

Add support for DNSSEC

2ab05db

ScIT-Raphael requested changes Sep 21, 2022

View reviewed changes

func/rebuild.sh Outdated Show resolved Hide resolved

jaapmarcus added 5 commits September 21, 2022 20:12

Remove hardcoded domain

c95d7c3

Fix permission issues

b9eb9f5

Make sure DS record is last and fix small issues

1ec343b

Add option to enable existing DNS domain and clean up everything

7c4c2a2

Get public key

e827bbf

Need to improved to support json

jaapmarcus and others added 18 commits September 24, 2022 14:31

Don't add DS records

411049a

Rebuild on changes

191a97b

Update rebuild.sh

7c55be5

Add rebuild.sh

9b15f91

Remove non needed lines

8f985d6

Fix error

bd10d6c

Add support for zonetransfer but Hestia create the slave record

14df36c

Fix error

82c4015

Fix error

d165535

Add new options to v-insert-dns-domain

131e5c4

Solve issue with remote creation

a709997

Update error

c3358c0

Adjust spacing

620ed71

Remove double space

b62aec0

Add inline signing

62095ae

Update some other scripts that might use v-insert-domain

4bb7002

Merge branch 'main' into feature/dnssec-support

1ccf626

Check if DNS-CLUSTER is set to yes and not if exists

603b39a

jaapmarcus added 10 commits September 27, 2022 11:27

Fix issues with IDN domains

c910078

Fix error

3915caa

Execute pipe before continue

acef5a0

Fix issue in sync-dns-cluster breaking everything

c348f24

DNS_CLUSTER_SYSTEM caused issues with DNS_CLUSTER

89067e7

Fixed an issue with rebuild and key is 4 digits long instead of 5

d9a4b94

Merge branch 'main' into feature/dnssec-support

8f925e5

Update v-list-dns-domain to include DNSSEC

c8ec794

Add more information

ca2d5c6

Add UI interface

1cc7833

jaapmarcus added 3 commits October 3, 2022 21:21

Fix bug in v-delete-dns-domain

61cda74

When deleting DNS domain it doesn't delete the keys

Backup DNSSEC keys

06d7fd7

Fix restore

a560fb5

jaapmarcus marked this pull request as ready for review October 3, 2022 19:59

Include DS record also

0e89c56

jaapmarcus requested a review from ScIT-Raphael October 4, 2022 08:40

jaapmarcus linked an issue Oct 4, 2022 that may be closed by this pull request

Feature: DNSSec for domains #786

Closed

jaapmarcus added 4 commits October 9, 2022 14:20

Merge branch 'main' into feature/dnssec-support

08cd023

Merge branch 'main' into feature/dnssec-support

23d0a2d

Update from element

8d3e88b

Add missing <div class="form-check">

42fd751

ScIT-Raphael approved these changes Oct 21, 2022

View reviewed changes

ScIT-Raphael merged commit bc4a07e into hestiacp:main Oct 21, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for DNSSEC #2938

Add support for DNSSEC #2938

jaapmarcus commented Sep 21, 2022 •

edited

jaapmarcus commented Sep 23, 2022 •

edited

jaapmarcus commented Oct 2, 2022

jaapmarcus commented Oct 4, 2022

ScIT-Raphael left a comment

Add support for DNSSEC #2938

Add support for DNSSEC #2938

Conversation

jaapmarcus commented Sep 21, 2022 • edited

jaapmarcus commented Sep 23, 2022 • edited

jaapmarcus commented Oct 2, 2022

jaapmarcus commented Oct 4, 2022

ScIT-Raphael left a comment

Choose a reason for hiding this comment

jaapmarcus commented Sep 21, 2022 •

edited

jaapmarcus commented Sep 23, 2022 •

edited