Issue DNSSEC creation leaves website Zones/DNS unsigned, and it's not clear what is needed to be done

Ehud

Basic Pleskian
Server operating system version
OS version: Ubuntu 22.04 x86_64
apache2 -v: Server version: Apache/2.4.57 (Ubuntu), Server built: 2023-04-08T12:56:02
nginx version: nginx/1.22.1
named -v: BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
Plesk version and microupdate number
Product version: Plesk Obsidian 18.0.52.3
OS version: Ubuntu 22.04 x86_64
Build date: 2023/05/16 12:00
Revision: a3b74dbc9de2e47afd4e532d02fa7759b29d3fa5
Hi,

Plesk offers a feature of DNSSEC to sign the existing DNS records.

When activating it, one gets 4 DS records, and two public keys (DNSKEY).

There are NO instructions whatsoever on Plesk on what to do with those. And it's not clear whether the process is completed...

According to this website, the test can be done via CLI:

Code:
# whois example.com
   DNSSEC: unsigned

It made sense to publish the 4 NS records, however it was not clear what about the 2 Public Keys...

So we know that the Plesk process hasn't completed the task, and it's not clear what to do. The Plesk guide gives no guidance on this at all...

So, we can move on to Digital Ocean's guide.

Here one is taken through a real journey of configuring the server, including elements Plesk hasn't configured and hasn't instructed Plesk admins to do, i.e.,

Code:
nano /etc/bind/named.conf.options

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

However once getting to the below step:

Code:
Sign the zone with the dnssec-signzone command.

dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>


dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone


It's not clear what should be done, as this zone doesn't exist on Plesk, where there are different zones and a different system in place in the relevant directory:

Code:
/etc/bind# ls -a
.  ..  bind.keys  db.0  db.127  db.255  db.empty  db.local  db.root  named.conf  named.conf.default-zones  named.conf.local  named.conf.options  rndc.conf  rndc.key  zones.rfc1918


This is the point I have reached. I'm asking for Plesk's help to complete the DNSSEC setting process.
 

Attachments

  • How To Setup DNSSEC on an Authoritative BIND DNS Server _ DigitalOcean.pdf
    1.6 MB · Views: 5
Running the below query to test DNSSEC, I get:

Code:
# dig DNSKEY example.com. @localhost +multiline
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> DNSKEY example.com. @localhost +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10118
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf9 (good)
;; QUESTION SECTION:
;example.com.          IN DNSKEY

;; AUTHORITY SECTION:
example.com.           900 IN SOA ns-999.awsdns-999.com. awsdns-hostmaster.amazon.com. (
                                1          ; serial
                                7200       ; refresh (2 hours)
                                900        ; retry (15 minutes)
                                1209600    ; expire (2 weeks)
                                86400      ; minimum (1 day)
                                )

;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Mon Jun 05 00:40:24 IDT 2023
;; MSG SIZE  rcvd: 153


May I ask for assistance in interpreting it, and understanding both what fixes may be needed ("communications error to ::1#53: connection refused"), and what should be done in order to complete the DNSSEC setting?
 
As the server is configured to serve ONLY IPv4, and not IPv6, it seems the above error notification was most likely expected:

The error message "communications error to ::1#53: connection refused" indicates that there is a problem establishing a connection to the local DNS server running on the IPv6 loopback address (::1) at port 53.
 
Those two are old and should not be used:

dnssec-enable yes;
dnssec-lookaside auto;
 
I can now see the way Plesk tried to implement DNSSEC, in files such as:

/var/named/run-root/etc/named.conf

However, according to the 'whois example.com' CLI, it is reported as unsigned, and it's not explained on Plesk what should be done, if at all, with the values presented to the admin when generating DNSSEC.
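The posts above ask three things of the dig transcript and the whois result: whether the "::1#53: connection refused" lines matter on an IPv4-only host, whether the zone actually returned any DNSKEY records (the transcript shows ANSWER: 0 and only an SOA in AUTHORITY), and what the DS records Plesk displays are for. The whois "DNSSEC:" field reports whether the parent zone has DS records on file, so it stays "unsigned" until those DS records are published at the registrar. The script below is an added example, not code from the thread or from Plesk: it classifies a dig transcript and compares a Plesk-displayed DS set against what the parent publishes. The transcripts and DS values are constructed (placeholder key material, example.com); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Plesk. Reads a
# `dig DNSKEY ZONE @localhost +multiline` transcript like the one quoted in the
# thread and answers: is the ::1 error benign, did the zone return DNSKEYs, and
# are the DS records Plesk shows the ones the parent zone publishes.
# Transcripts and DS values are constructed; key material is placeholder text.
export LC_ALL=C

# Constructed: v6 loopback refused, v4 answered, no DNSKEY returned (ANSWER: 0).
UNSIGNED_SAMPLE=';; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused

; <<>> DiG 9.18.12 <<>> DNSKEY example.com. @localhost +multiline
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10118
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.          IN DNSKEY

;; AUTHORITY SECTION:
example.com.           900 IN SOA ns1.example.com. hostmaster.example.com. (
                                1 7200 900 1209600 86400 )

;; SERVER: 127.0.0.1#53(localhost) (UDP)'

# Constructed: the same query against a signed zone, sent over IPv4 explicitly.
SIGNED_SAMPLE='; <<>> DiG 9.18.12 <<>> DNSKEY example.com. @127.0.0.1 +multiline
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.           3600 IN DNSKEY 257 3 13 (
                                PLACEHOLDERKSKPUBLICKEY==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 11111
example.com.           3600 IN DNSKEY 256 3 13 (
                                PLACEHOLDERZSKPUBLICKEY==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 22222

;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)'

# Constructed DS sets, "keytag algorithm digesttype digest", the form Plesk
# displays and the form `dig +short DS example.com` returns from the parent.
PLESK_DS='11111 13 2 0000AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555FFFF6666777788889999
11111 13 4 1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444555566667777'
PARENT_DS_SAMPLE='11111 13 2 0000aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666777788889999'

# v6_loopback_noise TRANSCRIPT: true when the only failure is ::1 refusing the
# connection while 127.0.0.1 answered, i.e. harmless on an IPv4-only host.
v6_loopback_noise() {
    printf '%s\n' "$1" | grep -q 'communications error to ::1#53: connection refused' &&
        printf '%s\n' "$1" | grep -q '^;; SERVER: 127\.0\.0\.1#53'
}

# answer_count TRANSCRIPT: the ANSWER count from the flags line, 0 if absent.
answer_count() {
    printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1 | grep . || echo 0
}

# dnskey_roles TRANSCRIPT: "ksk=N zsk=M" counted from the ANSWER section
# (DNSKEY flags 257 = key-signing key, 256 = zone-signing key).
dnskey_roles() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/                 { in_ans = 0 }
        in_ans && / IN +DNSKEY / {
            flags = ""
            for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { flags = $(i + 1); break }
            if (flags == 257) ksk++; else if (flags == 256) zsk++
        }
        END { printf "ksk=%d zsk=%d\n", ksk + 0, zsk + 0 }'
}

# zone_status TRANSCRIPT: query-error | no-dnskey | dnskey-present
zone_status() {
    if ! printf '%s\n' "$1" | grep -q '^;; ->>HEADER<<- .*status: NOERROR'; then
        echo query-error; return
    fi
    case "$(dnskey_roles "$1")" in
        "ksk=0 zsk=0") echo no-dnskey ;;      # NOERROR but nothing signed is being served
        *)             echo dnskey-present ;;
    esac
}

# norm_ds LIST: lower-case, single-spaced, sorted unique DS lines for comparison.
norm_ds() { printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -s ' \t' ' ' | sed 's/^ //;s/ $//' | grep -v '^$' | sort -u; }

# ds_missing_at_parent PLESK_DS PARENT_DS: prints DS records Plesk shows that the
# parent does not publish; returns 1 if any are missing (whois then says unsigned).
ds_missing_at_parent() {
    p=$(mktemp); q=$(mktemp)
    norm_ds "$1" > "$p"; norm_ds "$2" > "$q"
    missing=$(comm -23 "$p" "$q")
    rm -f "$p" "$q"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Live use on the Plesk host (not run here): query over IPv4 so ::1 is never tried.
live_status() { zone_status "$(dig DNSKEY "$1". @127.0.0.1 +multiline 2>&1)"; }

# Offline demonstration on the constructed data.
v6_loopback_noise "$UNSIGNED_SAMPLE" && echo "::1 refusal is noise; 127.0.0.1 answered"
echo "unsigned sample: $(zone_status "$UNSIGNED_SAMPLE") ($(dnskey_roles "$UNSIGNED_SAMPLE"))"
echo "signed sample:   $(zone_status "$SIGNED_SAMPLE") ($(dnskey_roles "$SIGNED_SAMPLE"))"
ds_missing_at_parent "$PLESK_DS" "$PARENT_DS_SAMPLE" || echo "DS above not yet published at the parent"
```

On the host itself, `live_status example.com` runs the same classification against the local BIND over 127.0.0.1, and feeding `dig +short DS example.com @<resolver>` output as the second argument of `ds_missing_at_parent` shows which of the Plesk-displayed DS records the registrar has not yet published.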
 
This post may be older already, but I observed similar problems signing a DNSSEC key with Plesk on Ubuntu 22.04. What I found out is that Plesk generates the keys in /var/named/run-root/var/keys/'DOMAIN'. In my case Plesk left the ownership after key creation at root:root instead of bind:bind. Changing the ownership via CLI to bind:bind again solved at least my problem, and DNSSEC started to work. Why the ownership changes to root:root and is left at this, I could not figure out yet.
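The reply above found the keys under /var/named/run-root/var/keys/DOMAIN owned by root:root rather than bind:bind, which stops BIND from using them. The script below is an added example, not code from the thread or from Plesk: it audits a domain's key directory for that ownership problem and for private key files readable by other users, which is the other check worth doing before signing. The key file names it creates are constructed to mirror BIND's usual Kzone.+alg+tag.key / .private naming, and the function names are this example's own; it uses GNU stat as found on Ubuntu.

```shell
#!/bin/sh
# Added example, not code from the forum or from Plesk: audit the per-domain
# DNSSEC key directory named in the reply above for the two conditions BIND needs
# before it will load the keys: files owned by the named user/group, and private
# keys not readable by others. File names in the sample directory are constructed.

KEYS_ROOT=${KEYS_ROOT:-/var/named/run-root/var/keys}   # chrooted BIND path from the thread
WANT_OWNER=${WANT_OWNER:-bind:bind}                     # ownership the reply found necessary

# check_key_ownership DIR OWNER:GROUP
# Prints every file in DIR not owned by OWNER:GROUP; returns 1 if any were found.
check_key_ownership() {
    dir=$1 want=$2 bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        have=$(stat -c '%U:%G' "$f")              # GNU stat, as on Ubuntu
        if [ "$have" != "$want" ]; then
            printf 'ownership: %s is %s (expected %s)\n' "$f" "$have" "$want"
            bad=1
        fi
    done
    return $bad
}

# check_private_key_modes DIR
# Prints every *.private file whose mode grants any access to "other"; returns 1 if any.
check_private_key_modes() {
    dir=$1 bad=0
    for f in "$dir"/*.private; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            *0) ;;                                # last octal digit 0: no access for others
            *)  printf 'mode: %s is %s (expected 600)\n' "$f" "$mode"; bad=1 ;;
        esac
    done
    return $bad
}

# fix_key_ownership DIR OWNER:GROUP: the remedy the reply describes (needs root).
fix_key_ownership() { chown -R -- "$2" "$1"; }

# audit_domain DOMAIN: run both checks on the real Plesk key directory (run as root).
audit_domain() {
    dir=$KEYS_ROOT/$1
    [ -d "$dir" ] || { printf 'no key directory for %s at %s\n' "$1" "$dir"; return 2; }
    rc=0
    check_key_ownership "$dir" "$WANT_OWNER" || rc=1
    check_private_key_modes "$dir" || rc=1
    return $rc
}

# make_sample_keydir: throw-away directory with constructed KSK and ZSK pairs so
# the checks can be exercised without touching /var/named. Prints its path.
make_sample_keydir() {
    d=$(mktemp -d)
    for tag in 013+11111 013+22222; do
        : > "$d/Kexample.com.+$tag.key"
        : > "$d/Kexample.com.+$tag.private"
    done
    chmod 644 "$d"/*.key
    chmod 600 "$d"/*.private
    printf '%s\n' "$d"
}

# Offline demonstration: the sample files belong to whoever runs this, so they
# pass against that owner and fail against bind:bind exactly as a root-owned
# Plesk key directory would.
SAMPLE=$(make_sample_keydir)
check_key_ownership "$SAMPLE" "$(stat -c '%U:%G' "$SAMPLE")" && echo "ownership matches the directory owner"
check_key_ownership "$SAMPLE" "$WANT_OWNER" || echo "-> fix_key_ownership $SAMPLE $WANT_OWNER"
check_private_key_modes "$SAMPLE" && echo "private keys are not world-readable"
rm -rf "$SAMPLE"
```

On the Plesk host, `audit_domain example.com` as root runs both checks on the real directory; a non-zero exit with the printed file list is the cue for `fix_key_ownership /var/named/run-root/var/keys/example.com bind:bind` and a `chmod 600` on the listed private files.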
 