Published on Oct 28 2021 in Backup, Directadmin, Virtualmin

DirectAdmin and Virtualmin can be used together to form a DNSSEC-enabled DNS cluster. A domain created on either server gets a zone file on both, and the records, signatures included, are kept in sync by BIND zone transfers from the master to the slave.

This is a follow-up to our earlier article on setting up a DNS cluster; here we extend that setup with DNSSEC.

DirectAdmin setup

Add to the options section of named.conf:

dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";

Then run /usr/local/directadmin/scripts/dnssec.sh install.

Caveat: dnssec-lookaside auto turns on DNSSEC Lookaside Validation against ISC's DLV registry, which ISC retired in 2017, and current BIND releases no longer support the option (named-checkconf will complain about it). It only affects validation on the resolver side; signing your own zones does not depend on it, so on a recent BIND leave both lines out and just run the install step.

Webmin/Virtualmin setup

Fetch the ISC bind.keys file (it carries trust anchors, so use https if the mirror offers it) with wget http://ftp.isc.org/isc/bind9/keys/9.7/bind.keys.v9_7 -O /etc/named.iscdlv.key.

Add to the options section of named.conf (the same caveat about dnssec-lookaside as on the DirectAdmin side applies):

dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";

Enable DNSSEC key re-signing and set a longer interval (e.g. 180 days) at Webmin - Servers - BIND DNS Server - DNSSEC Key Re-Signing.

Enable Create DNSSEC key and sign new domains at Virtualmin - System Settings - Server Templates - Default Settings - BIND DNS Domain, so that every newly created domain is signed automatically.

Signing domains in DirectAdmin

In DirectAdmin, as admin, go to Server Manager - DNS Administration - DNSSEC, click Generate Keys and then Sign Your Zone. Then check the DS Record section and install the two DS records in the parent zone (usually through your domain's registrar panel).

Alternatively you may run:

/usr/local/directadmin/scripts/dnssec.sh keygen domain.com
/usr/local/directadmin/scripts/dnssec.sh sign domain.com
cat /var/named/dsset-domain.com.

The digest field in /var/named/dsset-domain.com. can contain a space (dnssec-signzone splits the hex string when it prints it); remove that space before pasting the digest into the registrar form, otherwise the DS record will not match your key.

Modifications of DNS records in DirectAdmin by a user (Account Manager - DNS Management) or by admin (Server Manager - DNS Administration) re-sign the zone automatically and push the change to the slave server.

Signing domains in Virtualmin

Once Create DNSSEC key and sign new domains is enabled there is nothing more to do in Virtualmin: signed zones are sent to the slave server automatically, and the same goes for record modifications made from inside Webmin/Virtualmin.

You can see the DS records in Virtualmin - DNS Options - DNSSEC zone keys - DS records for registrar, or directly in /var/named/dsset-domain.com. (remove any space inside the digest field when copying from the file). Install the DS records in the parent zone (usually through your domain's registrar panel).

Checking the installed DS records

Check that the parent zone publishes the DS records your KSK expects (dnssec-checkds is a Python helper bundled with BIND 9.9 through 9.16; if your package does not ship it, use the dig check below):

dnssec-checkds domain.com
DS for KSK domain.com/008/26464 (SHA-1) found in parent
DS for KSK domain.com/008/26464 (SHA-256) found in parent

Here 008 is the DNSSEC algorithm number (8 = RSA/SHA-256) and 26464 is the key tag of the KSK; both must match what the registrar published, together with the digest.

Alternatively use dig +trace +noadditional DS domain.com. @8.8.8.8 | grep DS (with +trace dig walks down from the root itself, so you see what the parent zone actually serves rather than a cached answer) or visit https://dnssec-analyzer.verisignlabs.com/ for a full chain-of-trust report.
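Putting the two manual steps above together (stripping the space from the digest in the dsset file, and confirming the parent publishes every DS your KSK expects), the following sh script is an added example written for this article; it is not code from the original post, from DirectAdmin or from Virtualmin. It normalises the DS records in a dnssec-signzone dsset file, compares them with a saved dig answer from the parent, and prints a dnssec-checkds style report. The dsset contents and dig output embedded in it are constructed placeholders: domain.com, key tag 26464 and the digests are not real keys.

```shell
#!/bin/sh
# Added example (not from the original article, DirectAdmin or Virtualmin).
# Normalise the DS records written by dnssec-signzone to /var/named/dsset-<zone>.
# and check them against the DS records the parent zone serves.
# All data below is constructed: domain.com, key tag 26464 and the digests
# are placeholders.

# Constructed stand-in for /var/named/dsset-domain.com.  Note the space that
# dnssec-signzone puts inside the SHA-256 digest; registrar forms reject it.
SAMPLE_DSSET='domain.com.  IN DS 26464 8 1 1B7F0A3C9D2E4F5061728394A5B6C7D8E9F00112
domain.com.  IN DS 26464 8 2 3C1E5A7F9B2D4E60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4 B5C6D7E8'

# Constructed stand-in for "dig DS domain.com. @8.8.8.8" output after only the
# SHA-256 record was installed at the registrar (the SHA-1 one is missing).
SAMPLE_PARENT=';; ANSWER SECTION:
domain.com.  86400  IN  DS  26464 8 2 3C1E5A7F9B2D4E60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8'

# ds_normalize: read DS records from stdin (dsset file, full dig answer or
# dig +short form) and print one "keytag alg digesttype DIGEST" line each,
# digest upper-cased with every space removed.  RRSIG lines are ignored.
ds_normalize() {
    awk '
    /^;/ { next }                                   # dig comment lines
    {
        start = 0
        for (i = 2; i <= NF; i++)                   # "IN DS" marks a DS record
            if ($i == "DS" && $(i - 1) == "IN") { start = i + 1; break }
        if (start == 0 && NF >= 4 && $1 ~ /^[0-9]+$/) start = 1   # dig +short form
        if (start == 0 || NF < start + 3) next
        d = ""
        for (i = start + 3; i <= NF; i++) d = d $i  # join the split digest chunks
        print $start, $(start + 1), $(start + 2), toupper(d)
    }'
}

# ds_report ZONE DSSET_FILE PARENT_FILE: dnssec-checkds style report.
# Exit status 0 when the parent publishes every local DS, 1 otherwise.
ds_report() {
    zone=$1
    parent_tmp=$(mktemp) || return 2
    local_tmp=$(mktemp) || { rm -f "$parent_tmp"; return 2; }
    ds_normalize < "$3" > "$parent_tmp"
    ds_normalize < "$2" > "$local_tmp"
    status=0
    while read -r tag alg dtype digest; do
        case $dtype in
            1) dname=SHA-1 ;; 2) dname=SHA-256 ;; 4) dname=SHA-384 ;;
            *) dname="type $dtype" ;;
        esac
        if grep -Fxq "$tag $alg $dtype $digest" "$parent_tmp"; then
            printf 'DS for KSK %s/%03d/%s (%s) found in parent\n' \
                "$zone" "$alg" "$tag" "$dname"
        else
            printf 'DS for KSK %s/%03d/%s (%s) MISSING from parent; publish: %s %s %s %s\n' \
                "$zone" "$alg" "$tag" "$dname" "$tag" "$alg" "$dtype" "$digest"
            status=1
        fi
    done < "$local_tmp"
    rm -f "$parent_tmp" "$local_tmp"
    return $status
}

# Demo run on the constructed data above (one record found, one missing).
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_DSSET" > "$demo_dir/dsset-domain.com."
printf '%s\n' "$SAMPLE_PARENT" > "$demo_dir/parent.txt"
ds_report domain.com "$demo_dir/dsset-domain.com." "$demo_dir/parent.txt"
rm -rf "$demo_dir"
```

For a live check save the parent's answer first, e.g. dig DS domain.com. @8.8.8.8 > parent.txt, then run ds_report domain.com /var/named/dsset-domain.com. parent.txt; a non-zero exit status means at least one DS record your KSK expects has not been published yet, and the MISSING line gives you the exact keytag, algorithm, digest type and space-free digest to enter at the registrar.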