DNS Cluster and DNSSEC Questions

I’ve been using a DNS Cluster setup for 3 servers. To be honest I do not really understand the differences between master and slave, so I'm hoping to get some insight into my actual setup and how I can improve it with the introduction of DNSSEC.

What is the difference between DNS cluster and DNSSEC?

This is my current server setup: server1.domain.com or ns1, server2.domain.com or ns2, and server3.domain.com.

All domains use ns1 and ns2 for the name servers.

List of remote DNS hosts:
Server 1: server2.domain.com
Server 2: server1.domain.com
Server 3: server1.domain.com and server2.domain.com

What is this setup? Is it a master-master-slave? If this setup is wrong or not optimal, please do provide suggestions.

Also, recently after the 1.7 update one of the domains' DNS broke; I attached a screenshot.

I had to delete all remote dns and re-add them.

Another issue is "Looks like your nameservers do not agree on the SOA serial. The SOA records as reported by your nameservers: "

How can SOA serial be fixed?

How do you sync up DNS cluster?
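A check for the SOA-serial disagreement quoted above, added here as an example that is not code from the thread or from Hestia. It queries each nameserver directly with `dig +short SOA <zone> @<ns>` and reports which servers lag behind the highest serial; the two answers embedded in `SAMPLE_ANSWERS` are constructed stand-ins for that output so the check also runs offline.

```python
"""Report whether a zone's nameservers agree on its SOA serial.

Added example, not code from the thread or from Hestia. Each nameserver
is asked directly with `dig +short SOA <zone> @<ns>`; the sample answers
below are constructed stand-ins for that output so the check runs offline.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# `dig +short SOA` prints the RDATA on one line:
#   mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+(?P<refresh>\d+)"
    r"\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)

# Constructed sample: ns2 still serves an older serial than ns1, which is
# exactly the "nameservers do not agree on the SOA serial" situation.
SAMPLE_ANSWERS = {
    "ns1.domain.com": "ns1.domain.com. root.domain.com. 2024031502 7200 3600 1209600 86400",
    "ns2.domain.com": "ns1.domain.com. root.domain.com. 2024031501 7200 3600 1209600 86400",
}


@dataclass(frozen=True)
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(short_answer: str) -> Soa:
    """Parse one `dig +short SOA` line into its seven fields."""
    m = SOA_RE.match(short_answer.strip())
    if not m:
        raise ValueError(f"not a +short SOA answer: {short_answer!r}")
    nums = (int(m[k]) for k in ("serial", "refresh", "retry", "expire", "minimum"))
    return Soa(m["mname"], m["rname"], *nums)


def check_soa_agreement(answers: dict) -> dict:
    """answers maps nameserver -> its dig +short SOA output ('' if no answer).

    Returns the serial seen on each server, which servers gave no answer,
    the highest serial seen, and which servers are behind it.
    """
    serials, missing = {}, []
    for ns, text in answers.items():
        if not text.strip():
            missing.append(ns)          # timeout, REFUSED or zone not loaded
        else:
            serials[ns] = parse_soa(text).serial
    highest = max(serials.values()) if serials else None
    return {
        "agree": not missing and len(set(serials.values())) == 1,
        "serials": serials,
        "missing": missing,
        "highest": highest,
        "stale": sorted(ns for ns, s in serials.items() if s < highest),
    }


def query_soa(zone: str, ns: str) -> str:
    """Ask one nameserver directly; returns '' when it gives no SOA answer."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "SOA", zone, f"@{ns}"],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def main(argv):
    if len(argv) == 1:
        answers = SAMPLE_ANSWERS                 # offline demo on the constructed sample
    elif len(argv) >= 3:
        zone, servers = argv[1], argv[2:]
        answers = {ns: query_soa(zone, ns) for ns in servers}
    else:
        print(f"usage: {argv[0]} ZONE NS1 NS2 [NS3 ...]")
        return 2
    report = check_soa_agreement(answers)
    for ns, serial in report["serials"].items():
        print(f"{ns:30} serial {serial}  {'STALE' if ns in report['stale'] else 'ok'}")
    for ns in report["missing"]:
        print(f"{ns:30} no SOA answer")
    print("nameservers agree" if report["agree"] else "nameservers DISAGREE")
    return 0 if report["agree"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample, or as `python3 soa_check.py example.com ns1.domain.com ns2.domain.com` against a live cluster; a non-zero exit makes it easy to run from cron after each sync and alert on the stale server rather than discovering the mismatch from an external checker.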

Via the new method or the “old” default one

I guess it syncs automatically via a cronjob. But when I need to manually sync I use "v-sync-dns-cluster host.domain.com" on all servers.

Can you clarify what is the old and new method?

The old system only used the api…

And the new system also uses rndc to sync up the config, and that probably didn’t happen…

See:

I've read that but I still don’t understand the differences. Is DNSSEC better? It doesn’t go into much detail on the differences and implementation for specific scenarios.

You mention the new system using rndc; I'm guessing that has nothing to do with DNSSEC?

Are you referring to “DNS clusters and DNSSEC | Hestia Control Panel”

  • Create a new user on the Hestia server that will act as a “Slave”.
  • In /usr/local/hestia/conf/hestia.conf, change DNS_CLUSTER_SYSTEM='hestia' to DNS_CLUSTER_SYSTEM='hestia-zone'.
  • On the master server, open /etc/bind/named.options, do the following changes, then restart bind9 with systemctl restart bind9.

Are you talking about the above?

Yes …

So for my current server setup,

server1 ( Master )
Server2 (Slave and Master)
server3 dns on server1 and server2

Do I make master changes to both server 1 and 2, since both are actually master?

My question is, simply put: which server do I need to make the changes to?

How did you set up exactly:

Server 1:

DNS_CLUSTER_SYSTEM='hestia-zone'
DNS_CLUSTER='yes'
DNS_SYSTEM='bind9'

And

For Server 2 it should be the same.

Server 3 should not matter unless it syncs to server 1 and/or 2.

Server 3 syncs to server 1 and 2, so that ns1 (server1) and ns2 (server2) both have the DNS records. Unless there is a more efficient way you can share?

How are both systems set up:

Did you make the changes in:

Otherwise DNS will not work.

I've never made any changes before to the DNS on both servers. When I installed Hestia last time, this did not exist in the documentation. So I followed the old guide and all I did was create the dns-cluster user.

Like this :

Create the user dns-cluster on a server that will be used as DNS slave.
Run the following command on a master:

v-add-remote-dns-host slave.yourhost.com 8083 admin p4sw0rd

https://docs.hestiacp.com/admin_docs/dns.html

So for server 1 slave is server 2
and for server 2 slave is server 1

Both server 1 and server 2 have user dns-cluster

and for server 3 it syncs to server 1 and 2.

Then you can't use DNSSEC, as it requires setup via this method. Currently working on a patch to prevent this “behaviour” for systems working like that.

Okay, so I can’t use DNSSEC, but should I still implement this below?

DNS Cluster with the Hestia API (Master → Slave)

  • Create a new user on the Hestia server that will act as a “Slave”.
  • In /usr/local/hestia/conf/hestia.conf, change DNS_CLUSTER_SYSTEM='hestia' to DNS_CLUSTER_SYSTEM='hestia-zone'.
  • On the master server, open /etc/bind/named.options, do the following changes, then restart bind9 with systemctl restart bind9.

    # Change this line
    allow-transfer { "none"; };
    # To this
    allow-transfer { your.slave.ip.address; };
    # Or this, if adding multiple slaves
    allow-transfer { first.slave.ip.address; second.slave.ip.address; };
    # Add this line, if adding multiple slaves
    also-notify { second.slave.ip.address; };

  • On the slave server, open /etc/bind/named.options, do the following changes, then restart bind9 with systemctl restart bind9:

    # Change this line
    allow-recursion { 127.0.0.1; ::1; };
    # To this
    allow-recursion { 127.0.0.1; ::1; your.master.ip.address; };
    # Add this line
    allow-notify { your.master.ip.address; };

  • Run the following command to enable the DNS server:

    v-add-remote-dns-host slave.yourhost.com 8083 'accesskey:secretkey' '' 'api' 'dns-user'
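A small audit of the BIND address-match lists that the quoted guide edits, added here as an example that is not code from the thread, from Hestia or from BIND. It parses `allow-transfer`, `also-notify`, `allow-recursion` and `allow-notify` out of an options file and reports what a master or a slave is missing relative to the guide; it also flags `any` in `allow-transfer` (which lets any host pull the whole zone by AXFR, the reason the default is `"none"`) and in `allow-recursion` (an open resolver). The option texts and the 203.0.113.x addresses are constructed samples.

```python
"""Audit the BIND address-match lists edited by the Hestia DNS-cluster guide.

Added example, not code from the thread, Hestia or BIND. The option
texts and 203.0.113.x addresses below are constructed samples.
"""
import re
import sys

ACL_RE = re.compile(
    r"\b(allow-transfer|also-notify|allow-recursion|allow-notify)\s*\{([^}]*)\}"
)

MASTER_IP, SLAVE1_IP, SLAVE2_IP = "203.0.113.10", "203.0.113.20", "203.0.113.30"

# Constructed: the default (no transfers), a master opened to two slaves as
# the guide describes, a master opened to everyone, and a guide-style slave.
MASTER_DEFAULT = """
options {
    allow-transfer { "none"; };
};
"""
MASTER_CLUSTER = f"""
options {{
    allow-transfer {{ {SLAVE1_IP}; {SLAVE2_IP}; }};
    also-notify {{ {SLAVE2_IP}; }};
}};
"""
MASTER_OPEN = """
options {
    allow-transfer { any; };
};
"""
SLAVE_CLUSTER = f"""
options {{
    allow-recursion {{ 127.0.0.1; ::1; {MASTER_IP}; }};
    allow-notify {{ {MASTER_IP}; }};
}};
"""


def parse_acls(options_text: str) -> dict:
    """Return {option-name: [entries]} with quotes stripped; absent options are absent."""
    acls = {}
    for name, body in ACL_RE.findall(options_text):
        # entries are ';'-separated; keywords may be quoted, as in { "none"; }
        acls[name] = [e.strip().strip('"') for e in body.split(";") if e.strip()]
    return acls


def audit_master(options_text: str, slave_ips: list) -> list:
    """Findings for a master that should feed exactly the given slaves."""
    acls = parse_acls(options_text)
    transfer = acls.get("allow-transfer", [])
    findings = []
    if "any" in transfer:
        findings.append("allow-transfer is 'any': any host can AXFR the full zone contents")
    if not transfer or transfer == ["none"]:
        findings.append("allow-transfer is none/missing: slaves cannot pull zones")
    findings += [f"slave {ip} missing from allow-transfer" for ip in slave_ips if ip not in transfer]
    findings += [f"unexpected {e} in allow-transfer"
                 for e in transfer if e not in slave_ips and e not in ("none", "any")]
    notify = acls.get("also-notify", [])
    findings += [f"slave {ip} not in also-notify (the guide adds it for a second slave)"
                 for ip in slave_ips[1:] if ip not in notify]
    return findings


def audit_slave(options_text: str, master_ip: str) -> list:
    """Findings for a slave that should accept NOTIFY from the given master."""
    acls = parse_acls(options_text)
    recursion = acls.get("allow-recursion", [])
    findings = []
    if master_ip not in acls.get("allow-notify", []):
        findings.append(f"master {master_ip} missing from allow-notify: updates wait for the refresh timer")
    if master_ip not in recursion:
        findings.append(f"master {master_ip} missing from allow-recursion (the guide adds it)")
    if "any" in recursion:
        findings.append("allow-recursion is 'any': this is an open resolver")
    return findings


def main(argv):
    if len(argv) < 4 or argv[1] not in ("master", "slave"):
        print(f"usage: {argv[0]} master OPTIONS_FILE SLAVE_IP...  |  slave OPTIONS_FILE MASTER_IP")
        return 2
    with open(argv[2], encoding="utf-8") as fh:
        text = fh.read()
    findings = audit_master(text, argv[3:]) if argv[1] == "master" else audit_slave(text, argv[3])
    for item in findings:
        print("-", item)
    print(f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 bind_acl_audit.py master /etc/bind/named.conf.options 203.0.113.20` (the path is whatever options file the guide's step edits on your system) before and after the edit: the default file yields two findings, the guide's end state yields none, and an `any` entry is called out so the zone-transfer restriction is not loosened further than the cluster needs.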

If you want to use DNSSEC those changes are mandatory.

So… that means there is no benefit of me implementing the changes above?

If you don’t plan to use DNSSEC, no…

Thanks for explaining. So if that's the case, then why do my DNS servers become out of sync from time to time, or glitch out to the point where I have to go on the slave server to delete the faulty DNS entries? Like in my screenshot above, you can see that for some reason there are many empty NS entries that were created by themselves over time.

v-rebuild-dns-domains user will update the SOA.

But don’t have DNSSEC enabled…

Hi,

I had installed 2 DNS servers (Master → Slave) and it worked with the sync without DNSSEC.
Now I have a problem: I want to enable DNSSEC and don't find the checkbox on the master.
I found out that if I change the setting DNS_CLUSTER_SYSTEM='hestia' to DNS_CLUSTER_SYSTEM='hestia-zone' on the master I can activate it, but it doesn't sync anymore to the slave.

I have tested some things, but it doesn't work. My question is now: how do I have to set the hestia.conf on the master and how on the slave so that it can sync and it is possible to enable DNSSEC?

Or did I misunderstand something? brgds