
Issue Problems with DNSSEC with some domains.

andreios

Regular Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
18.0.59 Update #2
I have some domains on my server where DNSSEC works flawlessly, but also some where it simply doesn't work. I have already tried 'plesk repair dns -y', 'plesk repair installation', and regenerating the keys. I also have a domain that gives the error:

Code:
named[2037]: dns_dnssec_keylistfromrdataset: error reading keys/exampl.com/Kexample.com.+008+50383.private: file not found

I deleted the signed zone files for this domain, '/var/named/run-root/var/example.com.signed*' but the error still occurs.

In the attached files you see two domains with two different-looking problems. The result is mixed with the debug log from named.
 
Turns out the DNSKEYs are not saved correctly by Plesk, I can detect only one of the DNSKEYS as shown in Plesk in /var/keys/in-es.info/Kidomain.info
/*key
I have tried to regenerate the keys, and the files were replaced.
Code:
-rw-r--r--  1 bind root  602 Apr 10 08:15 Kidomain.info.+008+02066.key
-rw-------  1 bind root 1,8K Apr 10 08:15 Kdomain.info.+008+02066.private
-rw-r--r--  1 bind root  428 Apr 10 08:15 Kdomain.info.+008+03595.key
-rw-------  1 bind root 1012 Apr 10 08:15 Kdomain.info.+008+03595.private
-rw-r--r--  1 bind root  603 Apr 10 08:15 Kdomain.info.+008+32254.key
-rw-------  1 bind root 1,8K Apr 10 08:15 Kdomain.info.+008+32254.private
But still only one of the DNSKEYs from Plesk is there. On working domains both keys are found there.
Where did the wrong key come from?
 
Yesterday I generated a new KEY for some domains for which DNSSEC did not work anyway, this time with ECDSAP256SHA256. No change, the DS entries are still missing.

However, I also tested one of the domains where DNSSEC was working to see if it would change if I generated a new key. The domain seemed to have problems with DNSSEC, but no missing DS entries.

But since this afternoon, without me changing anything, this domain has disappeared from the internet. Internet DNS servers are suddenly not delivering A and AAAA records and others for this domain. When I search on the DNS server of my hoster, all entries are there.

But when I query other servers or look here, I only see RRSIG and DS entries, nothing else. DNS Record Lookup - ViewDNS.info
 
The domain still delivers DS records even after I deactivated DNSSEC with Plesk. The domain thinks it is signed but is not; that's a problem. Even if I activate DNSSEC, it is not correctly signed, as it seems.
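
An offline check for the symptoms described in this thread, added here as an example and not posted by any participant or taken from Plesk: it pairs each `K<zone>.+<alg>+<tag>.key` file with its `.private` counterpart and recomputes the key tag (RFC 4034, Appendix B) from the DNSKEY stored inside. The function names and the command-line arguments (key directory, zone) are assumptions of this example.

```python
# Added example (not from the thread): audit a BIND key directory for one zone.
import base64, re, struct, sys
from pathlib import Path

# K<zone>.+<alg, 3 digits>+<key tag, 5 digits>.key|.private
NAME_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<kind>key|private)$")

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def check_key_file(path, alg, tag):
    """Compare the DNSKEY stored in a .key file with the alg/tag in its name."""
    for line in path.read_text().splitlines():
        fields = line.split(";")[0].split()      # drop comments
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            flags, proto, file_alg = map(int, fields[i + 1:i + 4])
            actual = key_tag(flags, proto, file_alg, "".join(fields[i + 4:]))
            if (file_alg, actual) != (alg, tag):
                return [f"{path.name}: contains DNSKEY alg {file_alg} tag {actual}"]
            return []
    return [f"{path.name}: no DNSKEY record found"]

def audit_key_dir(key_dir, zone):
    """Return sorted problem strings for the K* files of `zone` in `key_dir`."""
    zone = zone.lower().rstrip(".")
    problems, halves = [], {}
    for path in Path(key_dir).iterdir():
        m = NAME_RE.match(path.name)
        if not m:
            continue
        if m["zone"].lower() != zone:
            problems.append(f"{path.name}: owner name is not {zone}")
            continue
        halves.setdefault((m["alg"], m["tag"]), set()).add(m["kind"])
        if m["kind"] == "key":
            problems += check_key_file(path, int(m["alg"]), int(m["tag"]))
    for (alg, tag), kinds in halves.items():
        for missing in {"key", "private"} - kinds:
            problems.append(f"K{zone}.+{alg}+{tag}.{missing}: file not found")
    return sorted(problems)

if __name__ == "__main__":   # usage: audit.py <key directory> <zone>
    print("\n".join(audit_key_dir(sys.argv[1], sys.argv[2])) or "no problems found")
```

The key tags it reports can be compared with the DNSKEY key IDs shown in Plesk and with the tag in the DS record at the registry.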
 