
Resolved DNSSEC only possible with own nameserver?

Dukemaster

Regular Pleskian
Hi at all,
last week I installed PLESK DNSSEC extension on Ubuntu 16.02 with Plesk Onyx 17.5.3 Update #5. Domains and dedicated server by 1and1.
Everything worked fine. But when I make the tests DNSViz | A DNS visualization tool and DNSSEC Analyzer I get error for the domain.com entries.
You can test my domain by yourself if you want.

Questions:
Did I miss something in configuration?
Perhaps creating additional entries in the domain DNS template?

Or in other words:
Is it possible to use DNSSEC with normal providers nameservers and without using own nameserver?
What is my mistake and what is necessary to configure successfully DNSSEC with PLESK ONYX? (If it's needed to manage own nameserver, how to do it?)

In the DNS section of each subscription I created 4 entries for DS with the copied four keys (1+2,1,+2) like you can see in the screens.
First I thought that I missed to do something, perhaps with the two public keys (question marks on screen 1) or something else. Today I spoke with 1and1 support.
It's not possible to make DS entries in 1and1 Controlpanel for domains. But it's possible to change IPs, nameservers, creating subdomains. He recommended to perhaps running own nameserver configuration.
The normal and default DNS configuration is:
  • Domain: domain.com
  • IPv6 address (AAAA record): 2001:8d8:966:e900::7a:cc95
  • Mailserver 1: mx01.kundenserver.de ,11
  • Mailserver 2: mx00.kundenserver.de ,10
  • IP address (A record): 217.160.92.49
  • Nameserver 1: ns65.1und1.de
  • Nameserver 2: ns66.1und1.de

Would be so great if you can help me and perhaps others to find a solution for running DNSSEC together with Plesk. Lots of greets.
 
Hi Dukemaster,

Is it possible to use DNSSEC with normal providers nameservers and without using own nameserver?
Only, when the providers nameserver supports DNSSEC.

It's not possible to make DS entries in 1and1 Controlpanel for domains. But it's possible to change IPs, nameservers, creating subdomains. He recommended to perhaps running own nameserver configuration.
Correct answer.


If you desire to use your OWN nameserver(s), just change the corresponding nameserver entries for your domain to the desired IP(s) and A - entries at the Control Panel from your domain registrar!

At the moment you use the 1and1 - nameservers, as stated by you:
  • Nameserver 1: ns65.1und1.de
  • Nameserver 2: ns66.1und1.de
 
Thanks very much @UFHH01
It's only one step away for success...:). As you can see I configured like your recommendation in 1and1 Control Panel.
The whole week I had 3 errors in the last box. Now it's only one with the missing DS entry according to com.
Please, what is the last step for the goal?
Could you help me please for the last step.
I didn't configure more than changing the nameserver and their IPs in 1and1, like you can see in the screen.
Lots of greets
 
Hi Dukemaster,

First, please be informed that anonymizing an IP or an FQDN is pretty useless, due to the fact that this is public information, which everybody all over the world is able to investigate. ;)


Please note that you don't know which nameservers "verisign" uses to verify entries. It can take about 24-48 hours until all worldwide nameservers are synced! ;)
 
Yes, to your first sentence, I pretty know this and I already thought weeks ago to never ever waste my time by this senseless anonymization. There is no need for this dumbass actions.
I corrected my first post and gave you the IPs. @UFHH01
Last hours I read the docus about DNS in 1and1 and got the information that they strongly recommend to create the two subdomains ns1(+ns2).domain.tld to create the necessary glue records.
That's what I did. In 1and1 domain panel I created the same two nameserver-subdomains which were already (virtual) in the DNS template of each subscription.

@UFHH01 Perhaps you remember my thread two weeks ago where I wondered about the fact that SSLlabs has different results for .com (A+) and .eu + .de (A) domains when I test them with www..
You told me to go to ssllabs with this issue. Now it comes obvious that this is a Plesk or my providers related issue, maybe, because I have big problems to change the nameservers of my two .de domains and also one .eu domain. 1and1 domain panel won't take the new nameservers. Interesting according to this fact is, that the hostname I created is also an .eu-domain (server.domain.eu) and everything is well with this domain and the new ns-subdomains, except the ssllabs issue with www..
But somewhere in my Plesk seems to be a mistake around the tld (topleveldomain) section.
All tests like nginx -t, apache, SSL, gzip, plesk repair all -n, Webserver Configurations Troubleshooter, Security Advisor, say that the whole system is running well without any problems. It's like bad magic...perhaps because apache is running in default event not prefork...lol...I know it's a bad joke.
 
- Game over -
After calling and writing e-mail to 1and1 Server Support last night. I just received the ultimate answer:
In present it is not possible to use DNSSEC with 1and1 domains.
There is no possibility to make DS record entries in domain panel.
1and1 doesn't know when this feature will be integrated and useable.

In my case I wasted exactly one month hard work on this issue. Every day minimum 6 hours only with reading and trying to run DNSSEC.
All for nothing, except the knowledge I got through hard work.
But for me there is nothing to worry about. But DNSSEC is not so important like for example SSL.
I'm absolutely satisfied and happy with 1and1 since 11 years dedicated server together with PLESK.

Original e-mail from server support team in German [my real name is faked]:
Sehr geehrter Herr Dukemaster,
vielen Dank, dass Sie sich mit Ihrer Frage an uns gewandt haben.
Aktuell unterstützen wir leider noch kein DNSSEC. Daher können Sie die notwendigen Einstellungen in der übergeordneten Zone noch nicht vornehmen.
Mir liegen aktuell keine Daten vor ob und wann wir dieses Feature anbieten werden. Ich muss Sie hier leider um Geduld bitten.
Ich bedauere sehr, dass ich Ihnen dieses Mal keine Lösung anbieten kann.
Mit freundlichen Grüßen
Translated to English:
Dear Mr Dukemaster,
Thank you for contacting us.
We currently do not support DNSSEC. Therefore, you can not make the necessary settings in the parent zone.
We currently have no data if and when we will offer this feature. I have to ask you for patience.
I am very sorry that I can not offer you a solution this time.
Best regards

Lots of greets
@UFHH01 @IgorG @Peter Debik
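
The thread turns on the DS record that has to exist in the parent zone (com) for the chain of trust to close. As an added example (not from the thread, Plesk or 1and1), this Python sketch derives the DS values for a DNSKEY as defined in RFC 4034 and classifies a delegation from what the parent publishes. The key is a constructed dummy, `domain.com` is the thread's placeholder, and all function names are illustrative.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """Return (key_tag, algorithm, digest_type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def chain_status(owner, dnskey_rdatas, parent_ds):
    """Classify the delegation from the DS set the parent zone publishes."""
    if not parent_ds:
        # The situation in this thread: the zone is signed, the parent has no DS.
        return "insecure: no DS in parent zone"
    expected = {make_ds(owner, r, t) for r in dnskey_rdatas for t in DIGESTS}
    published = {(k, a, t, d.upper()) for k, a, t, d in parent_ds}
    if expected & published:
        return "secure"
    return "bogus: DS does not match any DNSKEY"

# Constructed sample: KSK (flags 257), algorithm 13, dummy 64-byte public key.
SAMPLE_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    for t in DIGESTS:
        print("domain.com. IN DS %d %d %d %s" % make_ds("domain.com", SAMPLE_KSK, t))
    print(chain_status("domain.com", [SAMPLE_KSK], []))
```

An empty DS set leaves the zone signed but unvalidated, while a DS that matches no DNSKEY makes validating resolvers reject the zone, so DS records should only be submitted once the registrar accepts them and the keys are final.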
 