DNSSEC (SKINS)

Version 1.441

Feature
Finished

Guide to enable DNSSEC: https://help.directadmin.com/item.php?id=651

---------------
Documentation:

For now, it's only at the Admin Level -> DNS Admin in the Enhanced skin.
After testing, it will be added to the other skins, and to the User Level.

directadmin.conf option:

dnssec=0

which is the internal default. To enable it, add:

dnssec=1

and restart DA.

Global token:

HAVE_DNSSEC=yes|no

set to "yes" if DNSSEC is enabled.

---------------------------------------------------------------------------------------------------
SCRIPT

New script:

/usr/local/directadmin/scripts/dnssec.sh

./dnssec.sh install
./dnssec.sh keygen <domain>
./dnssec.sh sign <domain>

The "install" step may need you to manually add bits to your named.conf.

---------------------------------------------------------------------------------------------------
MONTHLY RESET

The monthly reset will automatically re-sign all zones that have keys and are already signed.
If a zone has keys but is not signed, that domain will be skipped.

---------------------------------------------------------------------------------------------------
TASK.QUEUE

echo "action=rewrite&value=dnssec" >> /usr/local/directadmin/data/task.queue

will issue a re-signing, with the same rules as the monthly reset.
That being said, this is not to be used for the initial key generation/signing (it won't do anything without the keys and signatures already in place).

You do not need to add this as a cronjob. The monthly reset will re-sign the zones automatically; this is just a manual way to re-sign the zones if needed (it requires that they already have keys).

---------------------------------------------------------------------------------------------------
MULTI-SERVER SETUP

By default, this will be the directadmin.conf value:

dnssec_mss_use_signed_zone=1

meaning that if you're using the MSS (multi-server setup), DA will send the signed zone to the remote box, rather than the raw zone you'd be editing.

Note that DA will also not let you edit a signed zone on a remote box, because its format is fairly different and DA can't read it (at this time), plus going backwards to a raw zone would just get very messy.
For DNSSEC, always edit from the main DNS server (where the keys live), so that it is the one sending the signed zones.

---------------------------------------------------------------------------------------------------
SKINS

admin/dns_admin_control.html

New token for the DNSSEC table, added below the Add Record table:

|DNSSEC_TABLE|

---------------------------------------------------------------------------------------------------
NOT USED, but FYI:

The named.db template has an unused token:

|INCLUDE_DNSSEC_KEYS|

which, if added, and the KSK and ZSK keys exist, DA will replace with:

$include /var/named/domain.com.zsk.key;
$include /var/named/domain.com.ksk.key;

This method was dropped; the $include lines are instead only added to a temporary copy of the zone, rather than to the main file.
This keeps it cleaner, so that the zone can exist without the keys.
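The following is an added example, not DirectAdmin's own dnssec.sh or the code behind the monthly reset. It models two rules from the notes above on a constructed directory of fake zones: which zones a re-sign (monthly reset or the task.queue "rewrite&value=dnssec" action) would actually touch (keys present and already signed; keys but never signed is skipped), and the "temporary copy with $include lines" approach from the NOT USED section, which leaves the raw zone file untouched. The directory layout is assumed (the NAMED_DIR variable, raw zones as <domain>.db, and <domain>.db.signed for the signed output are not stated on the page); only the <domain>.ksk.key / <domain>.zsk.key names and the $include lines come from the page.

```shell
#!/bin/sh
# Added example, not DirectAdmin's dnssec.sh: models the re-sign selection
# rule (keys present AND already signed => re-sign; keys but not signed =>
# skip) and the "temporary copy with $include lines" approach, against a
# constructed directory of fake zones.
#
# Assumptions (not stated on the page): zones live in $NAMED_DIR as
# <domain>.db and the signed zone is <domain>.db.signed. The key file names
# <domain>.ksk.key / <domain>.zsk.key follow the page.

NAMED_DIR="${NAMED_DIR:-$(mktemp -d)}"

# resign_action DOMAIN -> prints "resign", "skip-unsigned" or "skip-nokeys"
resign_action() {
    d="$1"
    if [ -f "$NAMED_DIR/$d.ksk.key" ] && [ -f "$NAMED_DIR/$d.zsk.key" ]; then
        if [ -f "$NAMED_DIR/$d.db.signed" ]; then
            echo resign
        else
            echo skip-unsigned   # has keys but was never signed: reset skips it
        fi
    else
        echo skip-nokeys
    fi
}

# monthly_resign_list -> the domains a monthly reset (or the task.queue
# "rewrite&value=dnssec" action) would re-sign, one per line
monthly_resign_list() {
    for db in "$NAMED_DIR"/*.db; do
        d=$(basename "$db" .db)
        if [ "$(resign_action "$d")" = resign ]; then
            echo "$d"
        fi
    done
}

# build_signing_copy DOMAIN -> prints the path of a temporary copy of the raw
# zone with the two $include lines appended. The raw <domain>.db is left
# untouched, so it stays loadable even when no keys exist.
build_signing_copy() {
    d="$1"
    tmp=$(mktemp "$NAMED_DIR/$d.db.XXXXXX")
    cat "$NAMED_DIR/$d.db" > "$tmp"
    printf '$include %s/%s.zsk.key;\n' "$NAMED_DIR" "$d" >> "$tmp"
    printf '$include %s/%s.ksk.key;\n' "$NAMED_DIR" "$d" >> "$tmp"
    echo "$tmp"
}

# Constructed sample data: three domains, one per state. The key and signed
# files are empty placeholders, not real DNSKEY records or signed zones.
setup_sample_zones() {
    for d in signed.example unsigned.example nokeys.example; do
        printf '$TTL 3600\n@ IN SOA ns1.%s. hostmaster.%s. 1 3600 900 604800 300\n' \
            "$d" "$d" > "$NAMED_DIR/$d.db"
    done
    : > "$NAMED_DIR/signed.example.ksk.key"
    : > "$NAMED_DIR/signed.example.zsk.key"
    : > "$NAMED_DIR/signed.example.db.signed"
    : > "$NAMED_DIR/unsigned.example.ksk.key"
    : > "$NAMED_DIR/unsigned.example.zsk.key"
}

setup_sample_zones
echo "zones a monthly reset would re-sign:"
monthly_resign_list
copy=$(build_signing_copy signed.example)
echo "temporary signing copy: $copy"
tail -n 2 "$copy"
```

Run it as-is and it prints only signed.example as a re-sign candidate (unsigned.example has keys but no signed zone, nokeys.example has neither), then shows the two $include lines at the end of the temporary copy while signed.example.db itself still contains none. If you point NAMED_DIR at a real /var/named, adjust the .db.signed assumption to whatever signed-zone name your dnssec.sh actually writes before trusting the candidate list.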
