DNSsec does not work correctly.
After disabling DNSsec for a domain in the panel, it is also disabled on the secondary DNS servers. When entering the panel on the secondary server, it is visible that the DNSsec checkbox is not checked; there is a red cross instead. But when checking, the servers respond with a DNSKEY record. This should not be the case. What could be the problem?
You should make any changes on the slave as they are not synced back anyway…
Do I need to manually recreate zones on secondary slave servers?
No, run v-sync-dns-cluster on the master.
I don’t even run it. It’s just running in the cron:
*/2 * * * * sudo /usr/local/hestia/bin/v-update-sys-queue dns-cluster
But why is DNSKEY still there if I turned off DNSSEC on the main server?
I went into the web interface on two secondary servers; there is no check mark next to the DNSSEC domain, that is, everything is turned off, but the zone is served with a DNSKEY.
Log on the secondary DNS server at the moment of disabling DNSsec on the main one:
Mar 10 14:19:28 ns2 named[1140973]: client @0x7609a81edd28 152.xxx.xxx.xxx#53876: received notify for zone 'testdomain.com'
Mar 10 14:19:28 ns2 named[1140973]: zone testdomain.com/IN: notify from 152.xxx.xxx.xxx#53876: zone is up to date
Mar 10 14:19:33 ns2 named[1140973]: client @0x7609a81edd28 152.xxx.xxx.xxx#44315: received notify for zone 'testdomain.com'
Mar 10 14:19:33 ns2 named[1140973]: zone testdomain.com/IN: notify from 152.xxx.xxx.xxx#44315: zone is up to date
When running dig with certain parameters, the DNSSEC records are also still returned.
;; ANSWER SECTION:
testdomain.com. 3600 IN DNSKEY 257 3 13 wR6NaOptn1CCyjKemoHWCUthzJpTnR5f+I2Ch2kgAO5Z8JL95YbFPdDC O96xw6FW9DbZIbvdCAgK4fjYwpKDgQ==
testdomain.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250324181727 20250310171727 17375 testdomain.com. qil4+4KSp0wv5rZS6rtwsiiZ7ep4YmVIrlmsmd6Vvi89xmNhFlpJapEV mkEKjHQ5EtHlR6nJ7mB+iXRtUzU+9Q==
That is, when disabling DNSSEC on the primary server, nothing is deleted on the two secondary servers.
Maybe I’m doing something wrong or don’t understand?
The DNS_CLUSTER_SYSTEM='hestia-zone' parameter is present on the primary server. Everything is done as in the documentation. All other types of records work fine; at least I haven't noticed any problems. But there's trouble with DNSSEC.
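As an added example (not from the thread and not Hestia's own code), a small Python check that parses the ANSWER SECTION captured from `dig @<server> <zone> DNSKEY +dnssec` and `dig @<server> <zone> SOA` on each nameserver and reports secondaries that still serve DNSKEY/RRSIG or whose SOA serial lags the primary's (the "zone is up to date" notify replies above are what a non-bumped serial looks like). The server names and sample answers are constructed.

```python
"""Offline check: which nameservers still serve DNSSEC records after
DNSSEC was disabled on the primary, and which serials lag behind.
Input is captured dig output text, so the check runs without network."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}


@dataclass(frozen=True)
class Answer:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_answer_section(text: str) -> list[Answer]:
    """Parse 'name TTL IN TYPE rdata...' lines; ';;' comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # rdata keeps its internal spaces
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append(Answer(name.rstrip(".").lower(), int(ttl), rtype.upper(), rdata))
    return records


def dnssec_leftovers(records: list[Answer]) -> list[str]:
    """DNSSEC record types that should be gone once signing is switched off."""
    return sorted({r.rtype for r in records if r.rtype in DNSSEC_TYPES})


def stale_servers(answers_by_server: dict[str, str]) -> dict[str, list[str]]:
    """Map server -> leftover DNSSEC types; an empty dict means every server is clean."""
    return {srv: left for srv, text in answers_by_server.items()
            if (left := dnssec_leftovers(parse_answer_section(text)))}


def soa_serial(records: list[Answer]) -> Optional[int]:
    """Serial is the third rdata field of an SOA record (mname rname serial ...)."""
    return next((int(r.rdata.split()[2]) for r in records if r.rtype == "SOA"), None)


def lagging_serials(primary_serial: int, serials: dict[str, int]) -> list[str]:
    """Secondaries whose SOA serial is behind the primary: they never took the transfer."""
    return sorted(srv for srv, n in serials.items() if n < primary_serial)


# Constructed sample: primary (ns1) answers without keys, secondary (ns2) still has them.
SAMPLE = {
    "ns1.example": ";; ANSWER SECTION:\n",
    "ns2.example": (";; ANSWER SECTION:\n"
                    "testdomain.com. 3600 IN DNSKEY 257 3 13 <constructed-key-data>\n"
                    "testdomain.com. 3600 IN RRSIG DNSKEY 13 2 3600 <constructed-sig-data>\n"),
}
```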
Up
The problem is still relevant.