I currently use a virtual server hosted at 1blu running Debian Linux, and on top of that I use Virtualmin/Webmin to manage it. Are there any options for using my server with the deSEC service?
I found a how-to for my hosting provider 1blu (which means switching the configuration at the hosting provider to use the deSEC name servers via their customer portal and asking support to set up DNSSEC in their central nameserver), so far so good. My question is: how do I sync all my DNS records (zone) managed by Virtualmin/Webmin for the virtual servers running on my server with the deSEC service after that?
My Debian server has:
- BIND9
- Webmin as configuration UI
- Virtualmin for setting up virtual hosts
BIND9 and Webmin both support DNSSEC.
I have been trying for a while to get SPF, DMARC and DKIM working on my server, but without real success. I suspect that my BIND9 daemon running on my machine is in the end not authoritative for all these settings, but rather the nameserver of my hosting provider (1blu) is.
Do you want to migrate from your self-hosted BIND9 to deSEC (and shut down BIND9 when done)?
Or do you want to use both deSEC and your own BIND9 in parallel, possibly synchronising zone data between them automatically?
The former is relatively easy if you can get the zonefile (which I suppose Webmin writes for BIND). I do not think the deSEC API can directly import it but there are several third-party API clients. At least this one can import zonefiles to deSEC:
If you want to achieve the latter, I don’t think this is possible with deSEC. The main issue is that your own nameserver and deSEC’s cannot share the private keys with which to sign DNS records. And this means that resolvers will observe inconsistent data between the nameservers.
You would need to find a DNS provider that supports acting as a secondary to your nameserver or allow setting up your nameserver as a secondary to theirs.
Indeed, I realize now that I didn’t explain clearly enough what I want to achieve.
My current pain points: I have issues receiving emails since big companies have lately enforced stricter policies on SPF, DMARC and DKIM, and so my server is rejected when sending or receiving emails.
Now this is what I experienced so far:
Most of these techniques provide relevant attributes over DNS. They involve providing DNS TXT records to work correctly.
At some point in time I found a recommendation that DNSSEC might increase the chance of getting these working and tried to set up DNSSEC in BIND9 (Webmin supports DNSSEC). Shortly after that I found out my own BIND server is only partly authoritative for my own domain. My DNS setup had a custom configuration with 3 DNS servers: the 1st is my BIND, the other 2 are the authoritative DNS servers from my domain/hosting provider.
I asked my hosting provider why my setup is not working, and they said: send us your DNSSEC-relevant settings and we will set up DNSSEC for your domain.
Did not manage to do that until now.
Lately I discovered the deSEC service and thought, why not use something that cool which is already managed by someone?
I hoped I might finally get my issues solved with it.
After your reply I now understand my options better:
a. give up the local BIND server and move to deSEC (there is some migration effort, but I really have only a handful services on my server so not much to do)
b. sync of DNS zone data was not something I was really looking for
c. moving my domain to a better domain registrar
d. something else
Even if I move to deSEC, I am still dependent on my hosting/domain provider, as long as my domain is also hosted by them (their primary and secondary DNS servers are still authoritative).
The how-to I linked previously for using deSEC with 1blu speaks about delegation; I suppose this uses DNS forwarding. My hosting/domain provider is still the authoritative server for my domain, but they just do DNS forwarding to deSEC after I set up my configuration there as described in the linked post.
You seem to have many misconceptions about how DNS works. So let me address a few points:
Generally at least two authoritative NS in separate networks are required for a domain. This would be impossible to implement with a single BIND9 instance. Your setup would only make sense if the 1blu NS synced with your BIND9 (hidden primary). But I don’t think the 1blu NS can be configured that way. So your BIND9 NS will not really add anything except confusion.
Delegating a domain registered at 1blu to e.g. deSEC is possible. But it requires a support ticket to get the DS records in the parent zone set up correctly. (And this step is mandatory because deSEC requires a correct DNSSEC setup.)
deSEC NS cannot act as secondary or primary NS with another NS because the DNSSEC private keys cannot be shared. So either you migrate to deSEC for DNS and turn off your BIND9 instance or you need to look elsewhere for a solution.
The deSEC web interface allows importing a zone file while creating a domain.
If you don’t know which NS are your current authoritative NS then check whois or rdap for your domain. Or query the NS of the parent domain for the NS RRset of your domain. But your description seems to indicate 1blu authoritative NS and an additional non-authoritative NS in the form of your BIND9. This setup is bound to cause problems because the 3 NS will not be in sync.
Setting up TXT records should be possible with all DNS providers including 1blu. And SPF, DMARC and DKIM essentially all use TXT records. DNSSEC is a completely separate (though very desirable) thing, but it will not really help with reputation issues when sending email.
Delegating DNS to another DNS provider involves changing the NS RRset for the domain in the parent domain. It has nothing to do with DNS forwarding (which is a client / resolver thing). For a delegated domain the original (1blu) NS are completely out of the loop and will never be queried.
One additional hint: If you are trying to run a mail server at home behind dynamic IPs, forget it. Most mail providers will not accept your mail. You need a static IP that is not on any blocklists and you will need a reverse DNS entry for your hostname. Some mail providers may even require a website with an imprint.
Learn more about how DNS works?
Separate your DNS experiments from your mail server issues. They are mostly unrelated.
Forget about your BIND9 instance as in its current form it only adds confusion.
If you want DNSSEC, by all means switch to deSEC (or some other provider that offers DNSSEC). But this does not address any of your mail server issues.
Be aware that running your own mail server is not trivial. And it requires ongoing work to adapt to the ever changing requirements of other large mail providers. Setup of the server is fairly easy, but getting your mail accepted by other servers is not. There are lots of articles on the Internet on this subject and it is OT here. So enough said.
That said, there are lots of interesting sub-projects here if you are willing to learn. So have fun.
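Two of the points made in the reply above are easy to verify mechanically: whether the nameservers the parent zone actually delegates to agree with what each candidate server answers (the "3 NS not in sync" situation), and whether the SPF, DMARC and DKIM TXT records sit at the owner names the mail world expects. The script below is an added example written for this thread, not code from deSEC, 1blu or any poster. It works on plain Python data so it runs offline; the hostnames, domain and record contents are constructed placeholders, and the comments say which `dig` queries would produce the real inputs.

```python
"""Offline checks for two things discussed in the thread:
(1) is the NS set delegated by the parent zone consistent with what each
    candidate nameserver itself answers for the zone apex, and
(2) are the SPF/DMARC/DKIM TXT records at the right owner names.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class DelegationReport:
    delegated: set                  # NS names handed out by the parent zone
    in_sync: set                    # servers whose apex NS RRset equals the delegation
    out_of_sync: dict               # server -> differing NS RRset it returned
    not_delegated: set              # servers answering but absent from the delegation
    problems: list = field(default_factory=list)


def _norm(names):
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return {n.lower().rstrip(".") for n in names}


def check_delegation(parent_ns_rrset, apex_ns_by_server):
    """parent_ns_rrset: NS RRset for the domain as seen from a parent-zone server
    (e.g. `dig @<parent-ns> NS example.net +norecurse`, authority section).
    apex_ns_by_server: {server: NS RRset that server returns for the apex}
    (e.g. `dig @<server> NS example.net +norecurse`)."""
    delegated = _norm(parent_ns_rrset)
    report = DelegationReport(delegated, set(), {}, set())
    for server, rrset in apex_ns_by_server.items():
        srv = server.lower().rstrip(".")
        got = _norm(rrset)
        if srv not in delegated:
            # Resolvers only learn servers from the delegation; anything else is never asked.
            report.not_delegated.add(srv)
        if got == delegated:
            report.in_sync.add(srv)
        else:
            report.out_of_sync[srv] = got
    if len(delegated) < 2:
        report.problems.append("fewer than two delegated nameservers")
    for srv in sorted(report.not_delegated):
        report.problems.append(f"{srv} answers for the zone but is not in the delegation")
    for srv, got in sorted(report.out_of_sync.items()):
        report.problems.append(f"{srv} returns NS {sorted(got)}, delegation is {sorted(delegated)}")
    return report


def _tags(txt):
    """Parse the 'k=v; k2=v2' tag list syntax shared by DMARC and DKIM records."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_mail_txt(domain, txt_records, dkim_selector):
    """txt_records: {owner name: [TXT record strings]} as obtained with `dig TXT <name>`.
    Returns a list of findings; an empty list means the three records look sane."""
    findings = []
    d = domain.lower().rstrip(".")
    # SPF lives at the apex and there must be exactly one v=spf1 record (RFC 7208).
    spf = [t for t in txt_records.get(d, []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append(f"no SPF record at {d}")
    elif len(spf) > 1:
        findings.append(f"{len(spf)} SPF records at {d}; exactly one is allowed")
    elif spf[0].split()[-1].lower() not in ("-all", "~all", "?all", "+all"):
        findings.append("SPF record has no terminal 'all' mechanism")
    # DMARC lives at _dmarc.<domain>, a common mistake is publishing it at the apex.
    if any(t.startswith("v=DMARC1") for t in txt_records.get(d, [])):
        findings.append(f"DMARC record found at {d}; it belongs at _dmarc.{d}")
    dmarc_name = f"_dmarc.{d}"
    dmarc = [t for t in txt_records.get(dmarc_name, []) if t.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(f"no DMARC record at {dmarc_name}")
    elif "p" not in _tags(dmarc[0]):
        findings.append("DMARC record has no p= policy tag")
    # The DKIM public key lives at <selector>._domainkey.<domain>; an empty p= revokes it.
    dkim_name = f"{dkim_selector}._domainkey.{d}"
    dkim = txt_records.get(dkim_name, [])
    if not dkim:
        findings.append(f"no DKIM key at {dkim_name}")
    elif not _tags(dkim[0]).get("p"):
        findings.append(f"DKIM record at {dkim_name} has an empty p= tag")
    return findings


# Constructed sample mirroring the thread: two provider NS in the delegation plus a
# self-hosted BIND that lists itself but is unknown to the parent zone.
PARENT_NS = ["ns1.provider.example.", "ns2.provider.example."]
APEX_NS_BY_SERVER = {
    "ns1.provider.example": ["ns1.provider.example", "ns2.provider.example"],
    "ns2.provider.example": ["ns1.provider.example", "ns2.provider.example"],
    "bind.myserver.example": ["bind.myserver.example", "ns1.provider.example",
                              "ns2.provider.example"],
}
TXT_OK = {
    "example.net": ["v=spf1 mx a -all", "v=other"],
    "_dmarc.example.net": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.net"],
    "mail._domainkey.example.net": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
}
TXT_BAD = {  # two SPF records, DMARC at the apex, empty DKIM key
    "example.net": ["v=spf1 mx -all", "v=spf1 a ~all", "v=DMARC1; p=none"],
    "mail._domainkey.example.net": ["v=DKIM1; k=rsa; p="],
}

if __name__ == "__main__":
    for line in check_delegation(PARENT_NS, APEX_NS_BY_SERVER).problems:
        print("delegation:", line)
    for line in check_mail_txt("example.net", TXT_BAD, "mail"):
        print("mail:", line)
```

Running it prints two delegation problems (the BIND host is not delegated and disagrees with the delegation) and four mail findings for the broken sample, while `TXT_OK` yields none. Collecting the real inputs only takes the `dig` queries named in the docstrings, run against each server in turn rather than through a caching resolver.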