DNSSEC support in Clustering

It's not on the roadmap yet, but it's definitely something we want to see added!

The implementation of DNSEC on DNS only should be a priority over the clustering solution.

I'm all for a "quick & dirty" approach that closes the current gap in security features (in comparison to other interfaces) faster. To be honest, the whole clustering setup can get messy very quickly if you have multiple servers pushing to it anyway.

I'd give a massive thumbs up to the 'containerised' MailOnly, SQLonly and DNSonly ideas.

For now however, lets just get DNS fixed :)

In the past we have run a homebrew SQLonly pair of boxes, with master/master replication, sitting behind a pair of HAproxy boxes, with a fleet of 18 cpanel servers accessing them purely via the haproxy ip.

This however required custom scripts/hooks to enforce username uniqueness across all the cpanel boxes, and an ugly hack to join a machine to the sql cluster due to cpanels insistence on ssh'ing to the remote sql server as root in order to run some scripts.

This did however run without issue for well over 2 years, so demonstrates that the idea is not only feasible, but has been achieved albeit manually in the past.

Regards mailonly, this would be an enourmous plus for cpanel, as we could then have one or two primary mail exchangers, running mailscanner, and all the fluff, and would give the bayesian filters a much greater chance of detecting spam, compared to the bayes filter being local to each server.

I'd still expect all mail to actually be stored on the target cpanel server, and also still be used for webmail etc, but would give a 'single' point we need to expose to the world for inbound SMTP.

(Feel free to copy/paste this into the relevant feature requests)

Back to DNSonly, I'm against the idea of having a single 'master' sqlite db, as the whole point of a cluster is that *any* server can fail, without affecting the operation of the rest of the cluster in any way.

Im honestly at a loss though why the entire DNS operation can't be achieved using dns and AXFR requests.

The members of the dns cluster just need to trust each other, and in theory this would also allow a mixing of different dns servers, eg bind and nsd, rather than being forced to run one type of dns server on every machine.

I'd rather it take longer, but be done right, than rushing and bodging it!

To clarify when I said "I'd rather it take longer, but be done right, than rushing and bodging it!"I was considering a few months, vs a few days.

2 years down the line and we still dont even have any idea of a design for DNSSEC clusters.

It definitely seems like it should be easy, but introducing the cross-server interactions means there's a lot more that would need to be added to the product in order to do it right. The first step in doing it right here is the new token system that we released in version 64, which you can read about here:

https://documentation.cpanel.net/display/SDK/Guide+to+API+Authentication+-+API+Tokens

https://documentation.cpanel.net/display/64Docs/Manage+API+Tokens

Unfortunately, this isn't something we're adding quite yet, but it's still a high-priority for us. As soon as we're able to get any forward motion on this, I'll be back to update everyone.

I can confirm. This is next thing in cpanel which "exists theoretically" but it is unusable. We are using clustering, so we need dnssec with clustering. Dnssec without clustering is pointless.

I have couple of political/government site which have in his new requirements using dnssec. I would like not to loos this customers...

Wojtek

@Wojtek: Thanks for the feedback, and for the use-case. There's definitely a use for DNSSEC without clustering, though I do understand that it's not as useful for many of our webhosting providers.

Most of your larger customers will use clusters.

This makes it more important than standalone server support for DNSSEC imho.

As already said, DNSSEC without clustering is pointless. I'm pretty sure that every webhosting provider that really knows what is doing, wants this feature as soon as possible.

So I use an outside DNS service that takes requests using AXFR. I was told that they should support and accept dnssec signed record however with the new powerdns and dnssec setting set, the zone transfers were failing.

Short story is I had to edit /etc/pdns/pdns.conf to allow the IPs of my dns provider first.

I have since learned that cpanel signs the records using nsec3 narrow version, which prevents AXFR from working! (yes apparently its a tiny bit better for preventing zone walking but please i am sure our customers are not going to be major targets for hackers with the kind of time to do all that work).

I also learned that we need to remove the narrow signing for it to work (and possibly this needs to be done for the cpanel dns only clustering to work as well?)

so here is my workaround

I have edited the file that creates the record (thanks Michael B for the help) located here: /usr/local/cpanel/Cpanel/NameServer/Conf/PowerDNS.pm

which allows me to sign records without the narrow and thus my zone transfers now work properly however now I am in the boat that this file will get overwritten on future cpanel updates but hopefully with some progress on this front, it wont be for long.

this is what i did

change this line

1. my $return = _run_pdnssec( { 'args' => [ 'set-nsec3', $domain, $params, ( $config->{'nsec3_narrow'} ? 'narrow' : '' ) ] } );

to this line

1. my $return = _run_pdnssec( { 'args' => [ 'set-nsec3', $domain, $params, ] } );

now when you create a DNSSEC zone in the cpanel, it will create it without narrow which allows for AXFR to work.

thanks!

p.s. i think it should be added to the feature request to allow the ability for us as administrators to choose how we sign the dnssec record (using nsec3 narrow or not).

We are also supporting seeing this feature as soon as possible!

In Norway the registry for .no, NORID, actually gives a rebate on domain registrations for domains registered with DNSSEC. Since we are using clustering in cPanel to handle our DNS service and thus are using clustering (off course), we are actually loosing money using cPanel! The rebate is about $3 per domain registration, and with a normal price of about $7 for .no domains, we miss out on a large profit possibility here!

I really hope cPanel will consider speeding up implementation for DNSSEC support when using clustering!

Luckily the change they announced in the above article, doesn't affect domains that don't use DNSSEC.

Organizations that do not use DNSSEC validation will be unaffected by the rollover.

lucky ! but ... you know ... :-)

This should be top priority for the next build of cpanel DNSonly in my opinion.

We too have a growing number of users expecting DNSSEC as standard, which is currently impossible due to us running a dns cluster (using bind)

any update and progress ?

hi we also would like to see this feature would make a huge difference in DNS feature list we could provide to clients if we would switch to cpanel.

Any updates on this? Seems ICANN is stepping up pressure we need a solution from cPanel

https://www.icann.org/news/announcement-2019-02-22-en

I'm starting to feel the same pain. Having e-commerce customers on almost all continents in this climate of security concerns and clients wanting to make sure they meet all regulations, and depending on not losing those clients in order to survive in small shared hosting services, this has become a pinnacle issue. Fingers crossed that cPanel will be able to devote some time and resources to this important issue.

I'm currently looking into using a commercial third-party plugin for this purpose due to increased demand from customers and cPanel not giving a definite reply to if/when they plan to integrate it for more than 2 years now.

It will just be a real PITA to change back to cPanel's solution if/when they decide to release one. I still shudder about all that went wrong when trying to switch to cPanel+Comodo Autossl....

i got excited when i saw the notification email just now hoping the DNSEC option was now available in DNS Cluster shame it was a comment on this lack of DNSEC support now affecting buisnesses. feel the pain Gary this is now just such an important point which will only get more critical to DNS safe implementation hope for a resolve soon.....

Besides it being a security issue, we're literally losing money DAILY due to cPanel NOT supporting DNSSEC in cPanel clusters, as our country's registry offers discounts for each domain name registered with DNSSEC and we have also seen long-term customers leave for not being able to offer DNSSEC! This is REALLY totally unacceptable at this stage!!

There's already a third party offering a plugin capable of DNSSEC. Why does cPanel not look into such plugins and create something similar? cPanel this is a big security flaw on your side i.m.h.o.! Get coding!!

Its been too long!

thanks for the update. waiting for September. It's really a must feature for clustering!

WOW THIS IS A GREAT NEWS! You're very welcome ... Now I've a true <3 @ cpanel!

TWO years old request, now becoming true. You guys are improving the timing ;-) Thanks in advance

This is just great news. Can't wait to test this out.

Do you know if this will be using Bind or PowerDNS? We are looking at refreshing our cPanel DNS Only cluster in the next couple of months, most likely using PowerDNS however would be nice to confirm which application will be supporting DNSSEC in a cluster to save having to redo everything for DNSSEC support.

Very excited to update you guys on the status of this project. I can confirm that DNSSEC clustering will be done with PowerDNS for better performance and lower maintenance compared to BIND. Please continue to send us your feedback while we develop!

@Rieza,

Will this by any chance run with a MySQL backend? Please say yesss ahaha

Hey @Lucas, we're headed in that direction and if you haven't already, please upvote the feature request for MySQL backend for PDNS.

Great news! Looking forward!

Hi Benny, any news about this? Is this still on track for v84? Thanks.