Question Correct configuration of own DNS servers

Dukemaster

Regular Pleskian
Hi @ all,
Since last week I have been using my own DNS servers, with PLESK as the primary name server for each domain, to use the DNSSEC extension (additional licence key, bundled).

1. Is it necessary to create the name server subdomains in my provider's Control Panel, e.g. ns1.example.com, ns2.example.com?
2. Is it necessary to also create the name servers as subdomains in the PLESK Panel, e.g. ns1.example.com, ns2.example.com, or (which I don't think) even as a regular subscription?
3. I have a second IPv4 which I formerly used as dedicated for one other domain. Yesterday I changed this IP to shared. Perhaps to make the whole DNS configuration in a better way. But how to do this, I don't know.

Lots of greets
Hello there @Dukemaster,

You do not need to create the actual subdomains, but it also doesn't hurt to create 2 A records for ns1 and ns2 so it can be routed properly.

Here's what I did:

- Create an A record for ns1 pointing to the first IP address that you want to use (this IP address must be associated with your Plesk or DNS server)
- Create an A record for ns2 pointing to the second IP address that you want to use (this IP address must be associated with your Plesk or DNS server)
- Create an NS record pointing to ns1.arox.eu (this step is more likely not needed but I did it anyways)
- Create an NS record pointing to ns2.arox.eu (again, more likely not needed but did it anyways)

Once this is set, log into your registrar and create 2 glue records, one for ns1.arox.eu pointing to the same IP address that you set for your first A record, and do the same for ns2.arox.eu. Once the glue records have been created, you can then update the name servers on the registrar to ns1 and ns2.arox.eu respectively.

Like I said, that's basically how I did mine (using your domain as the example) and it worked, just told my clients to update their name servers to point to my ns and it routed just fine.
 
Hi @scsa20, first, thank you very much for your detailed good advice and help.
But the problem is that exactly your configuration was already made automatically by PLESK.
For .com and .eu domains I can change the nameservers in the 1and1 provider panel to ns1.example.com and ns2.example.com. The A and AAAA records I've already set to the standard IPv4 and IPv6. It works. One domain, example2.com, I gave my second IPv4. That's all.
The DNS configuration as seen in the screens and written at the bottom is working, but in DNSSEC I have the corresponding .eu to A/AAAA problem.
I can only guess that it has to do with the secondary nameserver. ns1 and ns2 have the same IPs (v4 and v6); perhaps this is the problem.
In my opinion it's only a little mistake in configuration; it would be great if you or someone else has an example or inspiration about what is wrong.

But the two .de domains: I always get the output "false DNS configuration" when I change the nameservers to, for example, ns1. and ns2.example.de. The domain panel switches back to the 1and1 standard configuration.
But when I use 1and1 as secondary nameserver, then a slave nameserver by 1and1 (slv1.example.de) will automatically be used/created.
And I get the output on vid that there are glue records but "No DS records found for example.com in the com zone" and
example.com:
--- A=IPv4 + AAAA=IPv6
--- Nameserver: ns1.example.com (same IPv4 + IPv6) + ns2.example.com (same IPv4 and IPv6)
--- Subdomains: (only in provider domain panel, not PLESK) ns1.example.com (same IPs like everywhere) - ns2.example.com (same IPs like everywhere)
 
OK, you didn't mention anything about using DNSSEC, just how to set up DNS :p

Anyways, since you're using the DNS server that's part of your own server, make sure you have the DNSSEC extension installed, go to your domain and go into DNSSEC (this needs to be done from your server, not from your registrar, if you were trying to set up DNSSEC from the registrar) and click on "Sign the DNS Zone".

Once you click that, just follow the instructions to sign the zone. It will then give you 4 DS records that you need to manually add, so open up the DNS section of the domain within Plesk and add in the 4 DS entries that it gives you and you'll be all set.
 
Thanks for the help, @scsa20.
Here we are. Last week I did exactly this. First, with the provider's nameservers, I had 3 issues (red points) on DNSSEC Analyzer.
But from the day I used my own DNS servers, two errors were eliminated. Photo3 and Photo24
Now I have only one error: No DS records found for example.com in the com zone.
You can see it in the screens. On DNSViz | A DNS visualization tool it is described in a more detailed way.
Which leads back to the beginning:
Something seems to be wrong with the nameserver configuration around non-correspondence between parent and child zone.

@UFHH01 gave a hint about creating PTR entries. I wish he would tell me how to do this. At present there seems to be no need for these entries in a standard DNS config with the provider's nameservers. I haven't had PTR entries for a long time.
If needed, I would need someone who tells me exactly how to set them (also where: Plesk +- provider's panel).
 
OK, looking at the error more closely, it's talking about your Glue Record for ns2 not having an IPv4 address and your glue record for ns1 not having an IPv6 record, even though ns1 has an IPv4 record and ns2 has an IPv6 record. I need to see how your DNS itself is set up, but you basically need to match your glue records (what's configured on 1and1) with how you've got your DNS A and AAAA records configured. If the glue records aren't matching what you've got configured for the A records of your ns1 and ns2, then you're going to get that warning.
 
Oh and almost forgot. Make sure you add the DS record with your registrar too, so it makes the DNSSEC-Debugger happy that everything is signed (it should also make dnsviz showing everything else is secured).
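
The two checks discussed in this thread (glue at the registrar matching the zone's own A/AAAA records for ns1/ns2, and a DS record being present in the parent zone once the zone is signed) can be automated. The following is an added example, not code from any poster or from Plesk; the record text, the documentation-range addresses and the function names `parse`, `glue_mismatches` and `ds_missing` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed dig-style records: PARENT = what the TLD servers hold, CHILD = the signed zone.
PARENT = """\
example.com.      172800 IN NS   ns1.example.com.
example.com.      172800 IN NS   ns2.example.com.
ns1.example.com.  172800 IN A    192.0.2.10
ns2.example.com.  172800 IN AAAA 2001:db8::10
"""
CHILD = """\
example.com.      86400 IN NS     ns1.example.com.
example.com.      86400 IN NS     ns2.example.com.
ns1.example.com.  86400 IN A      192.0.2.10
ns1.example.com.  86400 IN AAAA   2001:0db8:0:0:0:0:0:10
ns2.example.com.  86400 IN A      192.0.2.10
ns2.example.com.  86400 IN AAAA   2001:DB8::10
example.com.      86400 IN DNSKEY 257 3 13 (constructed-placeholder-key)
"""

def parse(text):
    """Return {(owner, type): set(rdata)} from 'name ttl IN type rdata' lines."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        name, rtype = fields[0].lower().rstrip("."), fields[3].upper()
        rdata = fields[4].strip()
        if rtype in ("A", "AAAA"):
            rdata = str(ipaddress.ip_address(rdata))  # canonical address form
        elif rtype == "NS":
            rdata = rdata.lower().rstrip(".")
        rrsets[(name, rtype)].add(rdata)
    return rrsets

def glue_mismatches(parent, child, zone):
    """Per nameserver and family: addresses missing from, or stale in, the parent's glue."""
    problems = {}
    for ns in sorted(child[(zone, "NS")] | parent[(zone, "NS")]):
        for rtype in ("A", "AAAA"):
            glue, auth = parent[(ns, rtype)], child[(ns, rtype)]
            if glue != auth:
                problems[(ns, rtype)] = {"missing": sorted(auth - glue), "stale": sorted(glue - auth)}
    return problems

def ds_missing(parent, child, zone):
    """True when the zone is signed (has DNSKEY) but the parent publishes no DS."""
    return bool(child[(zone, "DNSKEY")]) and not parent[(zone, "DS")]
```

With the constructed data, the result reproduces the state described above: ns1 lacks IPv6 glue, ns2 lacks IPv4 glue, and no DS exists in the parent zone.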
 