Hi There
I’ve added TLSA DNS RR support to my ISPConfig server. This how-to relies on my previous post, which adds DNSSEC support to ISPConfig: http://www.paranoids.at/bind9-ispconfig-dnssec-inline-signing-ubuntu-1204/
I’m currently using Ubuntu 14.04 with the most recent version of ISPConfig 3. On Ubuntu 14.04 you don’t need the bind PPA, because the BIND version shipped in 14.04 supports automatic key rollover for DNSSEC-signed zones.
Simply copy the files as follows (the SRV record form serves as the template for the new TLSA form):
cd /usr/local/ispconfig/interface/web/dns
cp -av dns_srv_edit.php dns_tlsa_edit.php                     # form handler
cp -av form/dns_srv.tform.php form/dns_tlsa.tform.php         # form definition
cp -av templates/dns_srv_edit.htm templates/dns_tlsa_edit.htm # HTML template
cp -av lib/lang/de_dns_srv.lng lib/lang/de_dns_tlsa.lng       # language strings for the form
Then run the patches against every file mentioned in the patch.
Here the patch for the interface:
http://www.paranoids.at/downloads/ispconfig-tlsa-interface-patch.txt
Here the patch for the server:
http://www.paranoids.at/downloads/ispconfig-tlsa-server-patch.txt
You also have to alter the structure of the dns_rr table in the dbispconfig database. Only the type column needs to change, so that TLSA becomes an allowed value:
ALTER TABLE `dns_rr` MODIFY COLUMN `type` enum('A','AAAA','ALIAS','CNAME','HINFO','MX','NAPTR','NS','PTR','RP','SRV','TLSA','TXT') DEFAULT NULL;
Here is a nice Firefox tool to verify your DNSSEC and TLSA records: https://www.dnssec-validator.cz/
Here are the config snippets from Postfix’s main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
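Once DANE-aware senders start verifying your MX, the TLSA record you publish has to match the certificate Postfix actually serves, or those senders will refuse delivery. The following shell functions are an added example, not part of ISPConfig or of the patches above; they assume the openssl command-line tool is installed, and the certificate path, hostname and port are parameters you pass in:

```shell
#!/bin/sh
# Added example (not ISPConfig or patch code): derive and check a DANE-EE TLSA
# record, i.e. usage 3, selector 1, matching type 1 = SHA-256 over the
# DER-encoded SubjectPublicKeyInfo of the server certificate.
# Assumes the openssl CLI is available; paths, host and port are caller-supplied.

# tlsa_311 CERT.pem  -> 64 lowercase hex chars (the TLSA 3 1 1 RDATA)
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{ print $NF }'
}

# tlsa_rr CERT.pem HOST PORT  -> the zone-file line to enter for that service,
# e.g. for port 25 on mail.example.com: _25._tcp.mail.example.com. IN TLSA 3 1 1 <hash>
tlsa_rr() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$3" "$2" "$(tlsa_311 "$1")"
}

# tlsa_matches CERT.pem PUBLISHED_HASH  -> exit 0 when the published RDATA still
# fits the certificate. Run it after every certificate renewal: a new key without
# an updated TLSA record makes DANE-verifying senders bounce your mail.
tlsa_matches() {
    [ "$(tlsa_311 "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}
```

Compare the output of tlsa_rr with what the ISPConfig form ends up publishing in the zone, and keep tlsa_matches in your renewal hook so a key change never goes unnoticed.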
Have fun!