
dnssec-enable + filter-aaaa-on-v4 yes; used in /etc/bind/named.conf.options while a new string should be used: dnssec-validation yes;

Ehud


TITLE

dnssec-enable + filter-aaaa-on-v4 yes; used in /etc/bind/named.conf.options while a new string should be used: dnssec-validation yes;

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.52.3
OS version: Ubuntu 22.04 x86_64
Build date: 2023/05/16 12:00
apache2 -v
Server version: Apache/2.4.57 (Ubuntu)
Server built: 2023-04-08T12:56:02

nginx version: nginx/1.22.1

BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
(failing...)

PROBLEM DESCRIPTION

The /etc/bind/named.conf.options file seems to contain a phrase no longer used in BIND, causing named not to start.


dnssec-enable

should most likely be:
dnssec-validation yes;


filter-aaaa-on-v4 yes;
options { minimal-responses yes; edns-udp-size 512; };



the include was for a missing file
include "/etc/named-user-options.conf";


I have generated it, and placed in it:

options {
minimal-responses yes;
edns-udp-size 512;
};


How come I had all of this OLD configuration?

STEPS TO REPRODUCE

failed to start the service
failed to gain access to DNS port 53

ACTUAL RESULT

working to fix in progress

EXPECTED RESULT

a fix

ANY ADDITIONAL INFORMATION

please let me know of your opinion.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Help with sorting out
 
The bind service status was failed.

I had the data provided in the Plesk server, coming from Plesk. Those values were causing the BIND service not to start.

My Plesk server was installed in 2018. Possibly BIND was never activated... and remained for some reason on an old version.

As you could see from the above report, the configuration files contained various configuration which caused the server not to start. Among them:

1) An Include file which was not there...

2) I have added the content to the include file:
options {
minimal-responses yes;
edns-udp-size 512;
};

3) dnssec-enable was on server, although it's (no longer?) not supported

4) filter-aaaa-on-v4 yes; was on server, although it's (no longer?) not supported
 
The file missing was:

/etc/named-user-options.conf

That file is called as "include" in the service main configuration file. I have seen it's a "known" error, as there is a Plesk KB article for it. This was not considered a BUG although it should be.
 
I don't know what your original deployment is like, but in my test Ubuntu 22 instance this is the configuration for /etc/bind/named.conf.options

Bash:
$ cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};

Contents of /etc/named.conf

Bash:
$ cat /etc/named.conf
// $Id: named.conf,v 1.1.1.1 2001/10/15 07:44:36 kap Exp $

// -- THE FOLLOWING LINES WERE GENERATED BY PLESK. IF YOU MODIFY THEM, THEY WILL BE OVERWRITTEN WHEN THESE SETTINGS ARE MANAGED IN PLESK UI. --
options {
        allow-recursion {
                localnets;
        };
        include "/etc/named-user-options.conf";
        directory "/var";
        pid-file "/var/run/named/named.pid";
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "doesntMatterButYankedAnywaysSecret=";
};

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};
// -- END OF LINES GENERATED BY PLESK. --


// -- PLEASE ADD YOUR CUSTOM DIRECTIVES BELOW THIS LINE. --
// ...
// -- END OF YOUR CUSTOM DIRECTIVES. --


// -- ALL LINES BELOW WERE GENERATED BY PLESK. IF YOU MODIFY THEM, THEY WILL BE OVERWRITTEN WHEN THESE SETTINGS ARE MANAGED IN PLESK UI. --

zone "blah.test" {
        type master;
        file "blah.test";
        allow-transfer {
                doesntMatterButYankedAnywaysIP;
                common-allow-transfer;
        };
};
acl common-allow-transfer {
        none;
};

I do not have /etc/named-user-options.conf on both my test and production server but it doesn't matter anyways since it's only to include it if there's anything added, if there's nothing to add then it doesn't matter and would be skipped.

Also, if you've upgraded your Ubuntu instance, chances are your config files wouldn't be touched and your DNS configs wouldn't be touched either if you've never modified anything.

Also, have you tried doing a repair on the DNS? The steps to do so can be found at https://support.plesk.com/hc/en-us/articles/12377867916439-How-to-rebuild-reconfigure-DNS-configuration-file-and-zone-files-of-domains
 
Solution was to set the parameters as described in the beginning of this thread. Otherwise, service won't work.
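
A pre-restart check for the two problems reported in this thread (options that BIND 9.18.12 rejected, and an include pointing at a file that is not there), as an added example that is not part of the original posts or of Plesk's tooling. The function names `audit_named_conf` and `write_sample`, the optional root-prefix argument and the sample config are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a BIND config for the issues described in this thread.
# OBSOLETE lists only the two options the thread reports as breaking named.
OBSOLETE='dnssec-enable|filter-aaaa-on-v4'

# $1 = config file, $2 = optional prefix prepended to include paths (testing).
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
audit_named_conf() {
    conf=$1; root=${2:-}
    # Drop // and # comments so commented-out directives are not flagged
    # (/* ... */ block comments are not handled in this sketch).
    body=$(sed -e 's|//.*$||' -e 's|#.*$||' "$conf")
    findings=$(
        printf '%s\n' "$body" | grep -owE "$OBSOLETE" | sort -u |
            sed 's/^/obsolete-option: /'
        printf '%s\n' "$body" | grep -oE 'include[[:space:]]+"[^"]+"' |
            cut -d'"' -f2 |
            while IFS= read -r path; do
                [ -e "$root$path" ] || echo "missing-include: $path"
            done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Constructed sample mirroring the thread: both options plus a dangling include.
write_sample() {
    cat >"$1" <<'EOF'
options {
        include "/etc/named-user-options.conf";
        dnssec-enable yes;
        filter-aaaa-on-v4 yes;
        // dnssec-enable no;  (commented out, must be ignored)
        dnssec-validation yes;
};
EOF
}

demo=$(mktemp -d)
write_sample "$demo/named.conf"
audit_named_conf "$demo/named.conf" "$demo" ||
    echo "fix the findings above before restarting named"
```

On a real server, call `audit_named_conf` on each config file without the second argument; `named-checkconf` from the BIND package remains the authoritative syntax check.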
 