ISPmanager works with BIND (Berkeley Internet Name Domain) and PowerDNS, which convert a DNS name into an IP address and vice versa. The main benefit of BIND is that it is developed according to the official documentation, which sets the rules for DNS-server management. According to that documentation, the DNS server stores the information about domain names in files. PowerDNS is faster than BIND because it stores the information in a database. If you plan to use a large number of IP addresses, we recommend that you use PowerDNS.
ISPmanager can be configured as the master server. The master DNS-server stores the main copy of the domain zone file. The master server receives the domain zone information from the zone configuration files. Slave servers receive the domain zone configuration from the master server.
DNS-server settings are added into the configuration file and are used when creating domain zones. For more information please refer to the article Create a domain name.
Installing a domain name server
Perform the following steps to install a name server:
- Go to Settings → Features → select the Name server (DNS) → Edit.
- Select the DNS server.
- Click on Apply changes and wait until the installation is complete.
Configuring a domain name server
To configure the DNS-server:
- Go to Domains → Domain names → Settings.
- Enter the Name servers that will handle the DNS records for this domain. They are specified in the NS-records.
- Enter the Administrator email. It is specified in the SOA records of the newly created domain zones. Learn more under Resource records.
- Enter the DMARC record. This is a template that is used for a TXT-record. DMARC is a mechanism that helps protect incoming email from spam, spoofing, and phishing.
- Enter the SPF record. This is a template that is used for a TXT-record, which in turn is used for SPF configuration. Use the macro "_ip_" to add IP addresses. The IP addresses are specified, separated by spaces, in the SPFRelayIP parameter of the ISPmanager configuration file (the default location is /usr/local/mgr5/etc/ispmgr.conf). For more information please refer to the ISPmanager configuration file.
- Enter the Subdomains that will be automatically created for the newly created domain name. They are specified in the A-records.
- Enter the Mail servers that will handle emails for this domain. They are specified in the MX-records. A full domain name must be followed by a dot (such as mail1.mydomain.com. mail2.mydomain.com.). If it is a record in the current domain, the dot is not required (mail1 mail2).
- IP addresses for name servers — If the NS-records lie within the domain zone being created, A and AAAA records will be created automatically for that domain zone. If this parameter is specified, IP addresses for the NS-records will be taken from this parameter. Otherwise, the IP address of the master zone will be assigned to the first NS-record, and the IP address of the slave zone will be assigned to all other records (if slave name servers are used). If slave name servers are not configured, or the NsIps parameter has insufficient IP addresses, you will see an error message.
- Server name for SOA-records — provide a value for the SOA-record, if you want the server name defined in the SOA-records (MNAME) to be different from the hostname of the server processing DNS requests. Leave this field blank if you are not sure that you really want to change it.
- Apply to existing — select the checkbox to apply the new settings to all domain zones of the server.
- Click on Ok.
To configure DNSSEC:
- Go to Domains → Domain names → Settings.
- Check the box DNSSEC support.
- Enter the key parameters. DNSSEC uses 2 types of keys: the ZSK (Zone Signing Key) is used to sign records within the zone, and the KSK (Key Signing Key) is used to sign keys. Enter parameters for every key type:
- Algorithm — select a key generation algorithm. Outdated algorithms: 5 — RSA/SHA-1; 7 — RSASHA1-NSEC3-SHA1. Modern algorithms: 8 — RSA/SHA-256; 10 — RSA/SHA-512. Newest algorithms: 13 — ECDSA Curve P-256 with SHA-256; 14 — ECDSA Curve P-384 with SHA-384.
- Key length — enter the KSK-key length (in bits).
- Renewal period — set the period in months after which a new key will be generated.
Currently, DNSSEC support works only when both keys use the same algorithm.
For more information please refer to the article DNSSEC.
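To check which algorithms a signed zone actually publishes, the following added example (not part of the ISPmanager documentation or code) parses DNSKEY records in zone-file or `dig DNSKEY` format and flags keys that use the outdated algorithms listed above, or a ZSK and KSK whose algorithms differ. The function names, the sample zone `example.test.` and its placeholder key material are assumptions made for illustration.

```python
# Added example (not ISPmanager code): audit DNSKEY lines in zone-file/dig format.
ALGORITHMS = {  # number: (name, group), as listed in the settings form above
    5: ("RSA/SHA-1", "outdated"),
    7: ("RSASHA1-NSEC3-SHA1", "outdated"),
    8: ("RSA/SHA-256", "modern"),
    10: ("RSA/SHA-512", "modern"),
    13: ("ECDSA Curve P-256 with SHA-256", "newest"),
    14: ("ECDSA Curve P-384 with SHA-384", "newest"),
}

def parse_dnskeys(text):
    """Return [(role, algorithm), ...] for every well-formed DNSKEY line."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if "DNSKEY" not in fields:
            continue
        rdata = fields[fields.index("DNSKEY") + 1:]
        try:
            flags, protocol, alg = (int(x) for x in rdata[:3])
        except ValueError:
            continue  # truncated or non-numeric RDATA
        if len(rdata) < 4 or protocol != 3 or not flags & 0x0100:
            continue  # RFC 4034: protocol is always 3, bit 0x0100 = zone key
        # SEP bit (0x0001) set -> flags 257 = KSK; clear -> flags 256 = ZSK
        keys.append(("KSK" if flags & 0x0001 else "ZSK", alg))
    return keys

def audit(text):
    """Return a sorted list of findings; an empty list means no issues."""
    keys = parse_dnskeys(text)
    findings = set()
    for role, alg in keys:
        name, group = ALGORITHMS.get(alg, ("unlisted", "unknown"))
        if group in ("outdated", "unknown"):
            findings.add(f"{role} uses {group} algorithm {alg} ({name})")
    for role in ("KSK", "ZSK"):
        if not any(r == role for r, _ in keys):
            findings.add(f"no {role} found")
    if len({alg for _, alg in keys}) > 1:
        findings.add("KSK and ZSK algorithms differ")
    return sorted(findings)

# Constructed sample zone data; the key material is a placeholder, not a real key.
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 13 UExBQ0VIT0xERVI= ; KSK
example.test. 3600 IN DNSKEY 256 3 5 UExBQ0VIT0xERVI= ; ZSK
example.test. 3600 IN A 192.0.2.10
"""
```

Calling `audit(SAMPLE)` reports the outdated ZSK algorithm and the algorithm mismatch; for a live zone, pass it the text output of a DNSKEY query instead.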