[GH-ISSUE #68] Enable/disable DNSSEC #45

Closed
opened 2026-02-26 10:35:47 +03:00 by kerem · 13 comments

Originally created by @joachimtingvold on GitHub (Jul 2, 2016).
Original GitHub issue: https://github.com/PowerDNS-Admin/PowerDNS-Admin/issues/68

Originally assigned to: @ivanfilippov on GitHub.

Hi,

Slightly relevant to #2 -- is PowerDNS-Admin supposed to automatically detect if a zone is DNSSEC-enabled?

Currently I have a zone that I have DNSSEC-enabled (via the proper PowerDNS utilities), and the different keys are present. The domain is still listed as "Disabled" within PowerDNS-Admin. However, clicking the "Disabled"-button, it shows the relevant DNSSEC-information.

I looked at the code, and I can't find anywhere where the `dnssec` option would be set to `true`. The only place I could find was in `Domain.update()`, but since there is no place to set true/false within the GUI, this option is never set (regardless of whether `Domain.get_domain_dnssec()` is called when clicking on the "Disabled" button).

kerem closed this issue 2026-02-26 10:35:47 +03:00

@joachimtingvold commented on GitHub (Jul 2, 2016):

Another thing; the "Enabled"-button (when `dnssec = true`) should probably have a green (or green-ish) background (and not the grey it currently has).


@TacoScheltema commented on GitHub (Jul 3, 2016):

I totally agree with the green background for the dnssec button. I would also prefer if the width of the enabled button is the same as the disabled button, I think that would look better in the layout.


@ivanfilippov commented on GitHub (Jul 3, 2016):

@jallakim I've replicated your issue, I'll look into it.

@jallakim @TacoScheltema The button should be green, that was something I missed during the migration from the old template into the new one. I've made the fix and I'll push it alongside the rest of the fix for the problem @jallakim described.


@ivanfilippov commented on GitHub (Jul 3, 2016):

@jallakim I spoke too soon, I replicated an issue but not your specific issue. It looks like there is a delay between modifying the domain via `pdnsutil` and the pdns API showing the change (the delay is somewhere between 1 and 5 seconds, and its randomness makes me think there is a rolling timer that updates the data after a change with `pdnsutil`), see the below log. I've bolded the times I ran the commands to show the time difference and where `pdnsutil` shows that DNSSEC was enabled, and where the API shows that it's not. The pdns database is updated instantly so it seems like it's only an API delay:

```
powerdns-dev auth-4.0.0-alpha3 # date && pdns/pdnsutil --config-dir=. secure-zone dnssec.test
Sun Jul  3 13:21:03 MDT 2016
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone dnssec.test. secured
Adding NSEC ordering information
powerdns-dev auth-4.0.0-alpha3 # date && curl -s -H 'X-API-Key: 1234567890' http://127.0.0.1:2400/api/v1/servers/localhost/zones/dnssec.test | jq .
Sun Jul  3 13:21:07 MDT 2016
{
  "account": "",
  "dnssec": false,
  "id": "dnssec.test.",
  "kind": "Native",
  "last_check": 0,
  "masters": [],
  "name": "dnssec.test.",
  "notified_serial": 0,
  "rrsets": [
    {
      "comments": [],
      "name": "dnssec.test.",
      "records": [
        {
          "content": "a.misconfigured.powerdns.server. hostmaster.dnssec.test. 2016070301 10800 3600 604800 3600",
          "disabled": false
        }
      ],
      "ttl": 3600,
      "type": "SOA"
    }
  ],
  "serial": 2016070301,
  "soa_edit": "",
  "soa_edit_api": "DEFAULT",
  "url": "api/v1/servers/localhost/zones/dnssec.test."
}
```

@jallakim Are you sure your button still says Disabled when the domain has DNSSEC and it's not just gray?

I've fixed the color and width issue and submitted PR #71 for them.


@joachimtingvold commented on GitHub (Jul 4, 2016):

@ngoduykhanh, this issue is not fixed. I'll look into it later today with more details/answer to @ivanfilippov's comment.


@joachimtingvold commented on GitHub (Jul 4, 2016):

The width needs to be changed;

[Screenshot: DNSSEC button width]

I'll look at the other issue later.


@joachimtingvold commented on GitHub (Jul 4, 2016):

@ivanfilippov, tested it now.

  • Created a new domain within PowerDNS-Admin. Set NS + A-records, and pushed/updated (so that it would propagate throughout to the slaves/whatnot). The DNSSEC-button is grey, and no DNSSEC-info is displayed.

[Screenshot: Updated domain]
[Screenshot: No DNSSEC]

  • Then made the DNSSEC-keys;

```
root@authdns-master:~# pdnsutil show-zone example.com
This is a Master zone
Last SOA serial number we notified: 2016070403 == 2016070403 (serial in the database)
Zone is not actively secured
Metadata items: 
    SOA-EDIT-API    INCEPTION-INCREMENT
No keys for zone 'example.com.'.
root@authdns-master:~# pdnsutil secure-zone example.com
Securing zone with default key size
Adding CSK (257) with algorithm ecdsa256
Zone example.com. secured
Adding NSEC ordering information 
root@authdns-master:~# pdnsutil show-zone example.com
This is a Master zone
Last SOA serial number we notified: 2016070403 == 2016070403 (serial in the database)
Metadata items: 
    SOA-EDIT-API    INCEPTION-INCREMENT
Zone has NSEC semantics
keys: 
ID = 14 (CSK), flags = 257, tag = 5636, algo = 13, bits = 256     Active ( ECDSAP256SHA256 ) 
CSK DNSKEY = example.com. IN DNSKEY <snip> 3 13 <snip> ; ( ECDSAP256SHA256 )
DS = example.com. IN DS 5636 13 1 5abce09474069403941868dccfc643ca7ea394cb ; ( SHA1 digest )
DS = example.com. IN DS 5636 13 2 b48181edb3e96fca8667444a440fac8139a22b150c5ec30013bbf81b704589df ; ( SHA256 digest )
DS = example.com. IN DS 5636 13 3 a6d277387b68b03dab04c628c1a0891f732f0444062fba2bf134ab965a2f3087 ; ( GOST R 34.11-94 digest )
DS = example.com. IN DS 5636 13 4 1fa85018eafbc61b0bb53e1342e66cb01774270194b26d7eb44df59cd6c0daeba3151d3f0109e5e3c052a270c9924b9e ; ( SHA-384 digest )
```

  • The domain is still listed as "Disabled" in the DNSSEC column. Updating the zone does not make any difference. The DNSSEC-information is shown, but `dnssec` is never set to `true`. And as mentioned; checking the code, I can't find any place where `dnssec` would be set to `true`.

[Screenshot: Disabled]
[Screenshot: DNSSEC]

  • Also, the buttons need to be wider, as shown in my previous comment (-:

@ngoduykhanh commented on GitHub (Jul 4, 2016):

@jallakim: I guess you are using PostgreSQL as DB backend for PowerDNS-Admin, right?
@ivanfilippov: The issue is that the `dnssec` value isn't reloaded when we run `domain.update()`. It is the same issue as #61, which is related to how we store the Boolean value in PostgreSQL.

Fixed in 0bd488b9bc
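
An added example, not PowerDNS-Admin's code and not the fix in the commit above: a drift check that compares a UI-side cached `dnssec` flag with the `dnssec` field of the zone JSON quoted earlier in this thread, coercing the stored flag strictly so a driver-specific boolean spelling cannot silently read as the wrong state. The cache row layout, the function names, the finding labels and the accepted boolean spellings are assumptions.

```python
# Constructed sample, shaped like the zone JSON quoted in this thread.
API_ZONES = [
    {"name": "dnssec.test.", "kind": "Native", "dnssec": True},
    {"name": "example.com.", "kind": "Master", "dnssec": True},
    {"name": "plain.test.", "kind": "Native", "dnssec": False},
]

# Constructed sample: rows of a hypothetical UI-side cache. The mixed value
# types mimic what different database drivers can return for a boolean column.
CACHED_ROWS = [
    {"name": "dnssec.test", "dnssec": "f"},
    {"name": "example.com", "dnssec": 1},
    {"name": "plain.test", "dnssec": "true"},
    {"name": "gone.test", "dnssec": False},
]

_TRUE = {"1", "t", "true", "y", "yes", "on"}
_FALSE = {"0", "f", "false", "n", "no", "off", ""}


def to_bool(value):
    """Coerce a stored flag to bool; reject anything ambiguous."""
    if value is None or isinstance(value, bool):
        return bool(value)
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean value: {value!r}")


def dnssec_drift(api_zones, cached_rows):
    """Return (zone, finding) pairs where the cache disagrees with the API."""
    api = {z["name"].rstrip(".").lower(): to_bool(z.get("dnssec")) for z in api_zones}
    findings = []
    for row in cached_rows:
        name = row["name"].rstrip(".").lower()
        if name not in api:
            findings.append((name, "missing-in-api"))
        elif to_bool(row["dnssec"]) and not api[name]:
            findings.append((name, "ui-claims-signed"))  # unsigned zone shown as Enabled
        elif api[name] and not to_bool(row["dnssec"]):
            findings.append((name, "ui-hides-signing"))  # the symptom reported here
    return findings
```

Of the two mismatch directions, `ui-claims-signed` is the one to alert on first, since an operator would believe a zone is protected when it is not.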


@ivanfilippov commented on GitHub (Jul 4, 2016):

@ngoduykhanh Nice find!

While you're in there, can you also fix the width of the buttons themselves that I tried here: github.com/ngoduykhanh/PowerDNS-Admin@d0c40c09e5

I'd say get rid of the `col-md-6` and just set the width with a `width="10%"` or something similar (like we do for the edit and delete buttons in the domain.html template).


@joachimtingvold commented on GitHub (Jul 4, 2016):

@ngoduykhanh, correct, I'm using PostgreSQL as backend.


@ngoduykhanh commented on GitHub (Jul 4, 2016):

The width of the DNSSEC column can be changed when the user resizes their window. I can't make sure 10% or something similar can fit the text, so I set it to 100% width of the column in 7a0327d290 for the quick fix. It looks good to me, let me know if you don't like it :D

[Screenshot: screen shot 2016-07-04 at 10 41 07 pm]

@joachimtingvold commented on GitHub (Jul 4, 2016):

Works like a charm now. Thanks!

The 100% width is fine by me. Maybe a bit "intrusive" (due to its size), but at least much better than "Enabled" and "Disabled" both being gray (-:


@liudonghua123 commented on GitHub (Apr 30, 2024):

I use the pschiffe/pdns-mysql Docker image, for which I need to configure the `PDNS_gmysql_dnssec=yes` env to enable DNSSEC, see also https://github.com/pschiffe/docker-pdns/issues/82.
