FR: DNSSEC support in DA

[Arieh]

it means that you won't use the bind nameserver publicly, instead only let it notify the powerdns slave the DNS and let the powerdns be the public nameserver.

Thought I would probably use it if there isn't another choice, a full bind solution would be easier for admins as setting this all up is more custom work.

 

[explosive]

So, it's something like that?

NS1 & NS2 = pDNS slave, NS public
S1, S2... Sn = server with DA with BIND only local with relay to NS1(&NS2)

Comunication with Sn -> NSn is one way only? I mean - is possible to change something on NSn and then Sn also save this change?

 

[nobaloney]

Read this (inetdaemon.com)

... but note they make it seem a lot more complex than it is.

We use our Master2Slave DNS Replicator in a hidden master configuration, but it's not required.

Master2Slave DNS Replicator won't replicate DNSSEC, so it shouldn't be used with this plugin. Instead use whatever features the plugin offers for replication.

Jeff

 

[nobaloney]

Comunication with Sn -> NSn is one way only? I mean - is possible to change something on NSn and then Sn also save this change?

Communication is almost one-way.

What I mean is that if you change something on a slave, then it may or may not be overwriten by the hidden master the next time it does an update, depending on whether or not you've incremented the serial number on your master or slave.

Since DirectAdmin increments the serial number each time it changes anything, any changes to the Hidden Master by DirectAdmin should overwrite any changes you've made on the slave.

So do NOT make changes on the slave.

Jeff

 

[streamservice]

There is 1 remaining issue before we can release the plugin (incl. documentation). We need to get the domains the current user viewing the plugin page owns.

For this I added the code below, however it seems that the plugin isn't allowed to open the domains.list. Is there something we could do about this (without changing file rights).

<?php
$file1 = file('/usr/local/directadmin/data/users/'.getenv('USERNAME').'/domains.list');
foreach($file1 as $domain){
	$file2 = file('/usr/local/directadmin/data/users/'.getenv('USERNAME').'/domains/'.$domain.'.pointers');
	$domains[$domain]['domain'] = $domain;
	foreach($file2 as $domain2){
		$domains[$domain]['alias'][$domain2] = $domain2;
	}
}
var_dump($domains);
?>

For an example I have listed the user/rights below:
-rw------- 1 diradmin diradmin 8 Jul 12 2010 /usr/local/directadmin/data/users/drnl/domains.list

I did also check the user used for running the plugin, this is diradmin (provided by get_current_user).

Anything I'm missing and should alter to solve this issue? As this is the last problem I have before I can make the plugin public. Another source to create a domain list is also an option.

 

[zEitEr]

There is 1 remaining issue before we can release the plugin (incl. documentation). We need to get the domains the current user viewing the plugin page owns.

Hello,

API is at your service then:

CMD_API_SHOW_DOMAINS http://www.directadmin.com/features.php?id=336
CMD_API_DOMAIN_POINTER http://www.directadmin.com/features.php?id=382

 

[ditto]

Interesting reading/discussion about dnssec at Slashdot: 5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix

"Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."

 

[moja]

Is this something that will implement DNSSEC into next release of DirectAdmin? http://directadmin.com/features.php?id=1396 Thank you for information. We have to implement DNSSEC ASAP, how to do that in DirectAdmin? I expect it should be implemented by DirectAdmin team direct into standard DA installation because DNSSEC is so common and basic thing at this moment that It cannot been ignored by any commercial hosting panel. Thank you very much.

 

[Petertjuh360]

How is it going now, with this feature?

 

[DirectAdmin Support]

Hello,

We're in the learning & research stage of the feature.
Once we've got a handle on that, we'll do a proof of concept to ensure our setup works correctly.
Then the coding/automation part usually falls into place fairly quickly.

John

 

[Petertjuh360]

Hello,

We're in the learning & research stage of the feature.
Once we've got a handle on that, we'll do a proof of concept to ensure our setup works correctly.
Then the coding/automation part usually falls into place fairly quickly.

John

Ok, thanks for your update!

 

[Petertjuh360]

Can you tell us more about DNSSEC in DirectAdmin now?
We are 2 months further.

I believe that supporting DNSSEC will be a good move, for the customers and future customers.

 

[Djunity]

is there any news to report or maybe even a time on when dnssec will be available in direct admin.
as we are in the dutch marked we notice we are really running behind on this in compare to the compatidors

 

[Petertjuh360]

is there any news to report or maybe even a time on when dnssec will be available in direct admin.
as we are in the dutch marked we notice we are really running behind on this in compare to the compatidors

I vouch for this.
DNSSEC is really growing in The Netherlands and if you have DNSSEC support, you are more attractive to customers.
This will also be a good progress for DirectAdmin.

 

[moja]

Please – we really need DNSSEC support built in DA. There are many requests for this feature many years ago, but this common thing has not been still implemented. Any ETA for this feature? Thank you very very much!

 

[pera]

the DNSSEC is really needed. Can it be done as payed plugin? So we support the development and then after about 1 year integrated in the standard update of DirectAdmin?

 

[streamservice]

And version 1.1 for our DNSSEC module is available at https://www.dnsshop.org/da_dnsshop_dnssec.tar.gz

This version requires the use of DnsShop for DNS hosting and new updates will come soon. Users can get the DS and DNSKEY for their domains, admins and resellers can also see it. I'll open a separate topic about this module. We are also working on releasing the scripts used for DnsShop, some are already public. However as long as we aren't ready to release the code we can only offer it as a paid service (we need to write all documentation, test things, etc. before releasing it).

 

[DirectAdmin Support]

+1 bump for DNSSEC!!

 

[DirectAdmin Support]

Oh wait, that's me.

Here you go:
http://www.directadmin.com/features.php?id=1525

It's in beta, but seems to be working. (has to be turned on in the directadmin.conf)
I've only added it to show up at the Admin Level for now, and only in the enhanced skin, so we can iron out any bugs or any design changes, as needed.

The changes are in the pre-release section, ready to go:
http://help.directadmin.com/item.php?id=408

John

 

[Petertjuh360]

Nice! Good to hear DirectAdmin is going with the future.