ispconfig tlsa patch for dane using postfix

Hi There

I’ve added TLSA DNS RR support to my ispconfig server. This howto relies on my previous post which adds dnssec support to ispconfig.

Actually I’m using ubuntu 14.04 with most recent version of ispconfig 3. With ubuntu 14.04 you don’t need the bind ppa cause bind version in 14.04 supports auto keyrollover for dnssec singed zones.

Simply copy the files as following:

cd /usr/local/ispconfig/interface/web/dns
cp -av dns_srv_edit.php  dns_tlsa_edit.php
cp -av form/dns_srv.tform.php form/dns_tlsa.tform.php
cp -av templates/dns_srv_edit.htm templates/dns_tlsa_edit.htm
cp -av lib/lang/de_dns_srv.lng templates/dns_tlsa_edit.htm

Then run the patches agains every file mentioned in the patch.

Here the patch for the interface:
Here the patch for the server:

You also have to alter the table structure of dns_rr in dbispconfig. You only have to edit type as following:


Here some nice Firefox tool to verify your dnssec and tlsa records:

Here the config snippets from postfix’s

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

Have fun!

dnssec verification with dig

Need to validate a dnssec signed zone manually?
Here some howto:
First wie need the ROOT zone key. Dig searches for the file in /etc/trusted-key.key and in the current directory. Therefore we do:

dig +tcp +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key

To verify a signed zone we do:

dig +multiline +sigchase

The last line of the output should be:

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Have fun!

bind9 ispconfig dnssec inline signing ubuntu 12.04


here some nice howto:

install ispconfig as shown on howtoforge:
http://www.howtoforg … -dovecot-ispconfig-3

install bind9.9 from ubuntu ppa because bind9.8 does not support inline-signing.
add to your sources list:

deb precise main 
deb-src precise main
aptitude install bind9

create directory for your zone keys and create em:

[code]mkdir /var/cache/bind/keys/
cd /var/cache/bind/keys/
dnssec-keygen -r /dev/urandom -f KSK domain.tld
dnssec-keygen -r /dev/urandom domain.tld
chown bind:bind *

(this should be patched too in ispconfig) hadn’t got the time for it

patch the ispconfig template as following:

--- a/usr/local/ispconfig/server/conf/bind_named.conf.local.master
+++ b/usr/local/ispconfig/server/conf/bind_named.conf.local.master
@@ -4,6 +4,8 @@
 zone "<tmpl_var name='zone'>" {
         type master;
 <tmpl_var name='options'>        file "<tmpl_var name='zonefile_path'>";
+       auto-dnssec maintain;
+       inline-signing yes;

add to your named.conf.options following line:

key-directory "/var/cache/bind/keys/";
service bind9 restart

you must push your DS-RR to your registrar
in my case
how to extract it out of your public key:

cd /var/cache/bind/keys/
dnssec-dsfromkey -1 Kdomain.tld.KSK#

here some nice links: … -9.9.0-Examples.html

have fun!