DNSSEC issue with subdomain

mlaraibyameen

I am encountering issues with DNSSEC, and my control panel is currently not functioning due to a DNS-related problem.

I have employed the "Enhance" installation for the main domain, lets say "domain.com", which has created several websites for distinct purposes, such as:

cpanel.domain.com for the Enhanced control panel
phpmyadmin.cpanel.domain.com for phpMyAdmin
webmail.cpanel.domain.com for Roundcube webmail
server2.domain.com for an additional server

Initially, I integrated glue records within Namecheap for my nameservers, ns1.domain.com and ns2.domain.com. Everything was functioning smoothly. However, upon the release of DNSSEC support by Enhance, which I had been anticipating for some time, I promptly enabled it for my main domain, domain.com. I noticed the availability of the DNSSEC option for each of the subdomain websites within Enhance. Subsequently, I enabled DNSSEC for all five websites, each with distinct DNS zones, and added five DS records in Namecheap.

However, I subsequently discovered that none of my subdomain websites, apart from the main domain, are operational. The subdomain websites, including cpanel.domain.com and others, are not resolving. They are only functional when I manually add their DNS entries to the "hosts" file on my laptop.

Upon investigating further, I realized that since cpanel.domain.com is a distinct zone and considered a subdomain, I need to add a "DS" record of my subdomain zone within the DNS records of the main domain. Unfortunately, there seems to be no option to add a "DS Record" in the Enhance platform. What steps should I take to address this situation?

Adam

Hi mlaraibyameen,

Sorry, this configuration isn't possible at the moment. We do have a solution coming very soon - subdomains will be created with the parent DNS zone rather than having their own zone and will therefore be able to be validated with the parent domain's DS records. I would suggest disabling DNSSEC on this domain until this feature is available.

manu

Adam any ETA on this? The subdomain’s DNS looks ugly with lot of unnecessary entries and quite confusing and doesn’t play well with cloudflare integration too.

Adam

It's on the roadmap for September. We're roughly on track at the moment.

Nickske00

Adam Any news about this? I wanted to open a new topic about this, but decided to search first. 😉

My original post:

After playing a little more with the panel I came across a DNSSEC limitation(?)

When you host your own dns, you will have a lot of 'websites' with the same domain, eg:
-panel.company.com
-phpmyadmin.company.com
-webmail.company.com

Then you add the 'company.com' website, this creates the main domain. When you enable DNS Sec on this main domain I would expect Enhance to also sign all the subs already present (and ones maybe created later), and insert those DS records in the main domain, but it doesn't. There is also no way to insert those manual through the panel, you can't select a DS records to add...

Is this something that is considered in the coming dns rewrite?

I can live with the manual enabling of DNS sec on the subs, but it needs to be possible to add those kind of records of course... 😉

Adam

Subdomains created within a website no longer have separate zones, this was added some time ago. Subdomains created as separate websites will still have their own zone (and always will) but we have an update coming to the DNS system to allow you to add DS records to the parent zone.

Nickske00

Adam Yeah, I mean subdomains as separate websites. You also have this with the domain you use for the panel urls. Enhance creates a zone for each of them (phpmyadmin, webmail, panel). As long as I can add the DS records to the parent zone in the future, it's fine for me. (auto signing and adding the DS records would be nice though...).

cristianuibar

Following this as well. Just had this problem with my staging domain (which is handled by our own NSs).

I want to be able to enable DNSSEC on the staging domain. Right now it works for the main domain but any other websites that have this staging domain will not work as the DNSSEC will fail for these.

amtech

Hi, any updates on this new feature? Is there an estimated release date?

nhybgtvfr

Any update on when DS records will be available?

seems to be a vital requirement to be able to use dnssec with service websites, or if i want to use subdomains as completely separate websites / packages

joran

Hi! This needs to be fixed ASAP!

mlaraibyameen

After Enhance added support for the “DS” record type, I am now able to sign my subdomains as well, although this still has to be done manually.

First, DNSSEC needs to be enabled for the main domain, for example, "domain.com", and the DS record must be added at the registrar, such as Namecheap.

Then, DNSSEC needs to be enabled for the control panel domain or any subdomain website, which in my case is "cpanel.domain.com". After DNSSEC is enabled, the DS record can be copied by clicking “View Raw” and then added to the DNS zone of the main domain.

The only remaining issue is the phpMyAdmin domain. It does not allow me to view DNS records or enable DNSSEC, which forced me to use phpmyadmin.secondarydomain.com, where DNSSEC is not enabled. It would be great if I could enable DNSSEC for the PMA website in the same way that I can for the CTL website or a normal website.

Since I do not use Global Webmail, I have not tested whether it allows DNSSEC or not.

I would like to request that, when DNSSEC is enabled for the primary domain, subdomains created under it should automatically have DNSSEC enabled as well, and their DS records should automatically be added to the main domain’s DNS zone for ease of use.

This would be especially helpful for users who use staging domains, as they currently need to manually create the DNSSEC entry and add the DS record to the parent domain every time in order for it to work.

Hope this helps.!