#1 Sat, 03/21/2009 - 14:31
rrhode

DNSSEC

Hi there,

I am migrating from a host which has Fedora Core 1 with Plesk 8.1 and seems to have DNSSEC installed on my domains.

I am curious if I can upgrade this to Virtualmin with DNSSEC or if DNSSEC is totally useless or what. I don't know how I would go about migrating this from one server to another or if it matters if I use the same files/keys or whatever DNSSEC uses.

I read that it is not fully supported by everything yet so there may be no Virtualmin documentation to set it up properly. I sure can't find out how to do it properly. I thought I set it up but when I just created a new virtual server it has been sitting at the "Creating DNSSEC key for new domain .." step for about 20 minutes now. I am guessing it isn't working properly and so I figure maybe I will just have to go back and remove the half-created virtual server... Is this the right practice for failed created virtual servers?

Should I just shut DNSSEC off and forget about it?

Ryan

Sat, 03/21/2009 - 15:25
Joe

DNSSEC is supported by Virtualmin. I'm not actually sure how it's configured, since I've not yet tried it myself. Given that most things are automatic in Virtualmin, you probably just need to set up DNSSEC in the BIND module in Webmin.

I'll ask Jamie to chime in on this thread, and then I'll put whatever he says into the docs.

--

Check out the forum guidelines!

Sat, 03/21/2009 - 15:57 (Reply to #2)
Joe

This hang is probably caused by the dnssec-keygen command taking a long time to generate a new random key. You can safely just SSH into the system and kill that process to make the domain creation continue.

I've only seen this happen when a non-default DNSSEC key type is selected, or if the system doesn't have enough entropy to generate a random key.

That said, at this point in time DNSSEC isn't really that useful, as the root and .com zones have not been signed. So DNS clients cannot actually verify most zones with DNSSEC! So you really might as well just turn it off.

--

Check out the forum guidelines!
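The hang described in the reply above can be confirmed before touching any process. This is an added diagnostic sketch, not part of the thread or of Virtualmin; it reports the kernel's entropy estimate and any `dnssec-keygen` process that has been running for a long time. The two thresholds and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: diagnose a stalled "Creating DNSSEC key" step.
# Assumptions (not from the thread): both thresholds below.
ENTROPY_FILE="/proc/sys/kernel/random/entropy_avail"
LOW_ENTROPY=200   # bits; below this the pool is treated as starved
STALL_SECS=60     # a key generation running longer than this is "stalled"

# Print "low", "ok" or "unknown" for the entropy estimate stored in file $1.
entropy_state() {
    f="${1:-$ENTROPY_FILE}"
    [ -r "$f" ] || { echo unknown; return 0; }
    read -r bits < "$f" || { echo unknown; return 0; }
    case "$bits" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$bits" -lt "$LOW_ENTROPY" ]; then echo low; else echo ok; fi
}

# Read "PID ELAPSED_SECONDS COMMAND" lines on stdin and print the PID of
# every dnssec-keygen process that has run longer than $1 seconds.
stalled_keygen() {
    awk -v limit="${1:-$STALL_SECS}" \
        '$3 == "dnssec-keygen" && $2 + 0 > limit { print $1 }'
}

# Combine both checks into a short report for the operator.
report() {
    echo "kernel entropy estimate: $(entropy_state)"
    pids=$(ps -eo pid=,etimes=,comm= 2>/dev/null | stalled_keygen)
    if [ -n "$pids" ]; then
        echo "dnssec-keygen running longer than ${STALL_SECS}s, PIDs:" $pids
    else
        echo "no long-running dnssec-keygen process found"
    fi
    return 0
}

report
```

A "low" entropy state together with a listed PID matches the cause given in the reply above: the key generator is waiting for random data.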

Sat, 03/21/2009 - 19:00
rrhode

Perfect, thanks guys! I really appreciate your input =)
