
Issue DNSSEC with Ubuntu Problems

H.W.B

Regular Pleskian
Server operating system version
Ubuntu 22.04.3 LTS
Plesk version and microupdate number
Plesk Obsidian Version 18.0.54 Update #4
Hello,
Since I switched servers from CentOS 7 to Ubuntu 22.04 LTS I have been having problems with DNSSEC.
I installed the DNSSEC app and then signed all domains.
Then I updated the registrar and secondary DNS servers.
But I got errors that the domains were not resolvable.
When using the dig command to check what the primary DNS (Plesk) was giving out, I got no records.

After a lot of testing what caused the problem, I found that DNSSEC was not working properly. The domain was SIGNED but the records were not.
When unsigning all domains, I tried to remove the DNSSEC app, but that made every domain unresolvable!!! And DNSSEC was NOT in use on any domain.
Installing the DNSSEC app, but not using it, resolved the problem.

In the log file are these lines:

/etc/named.conf:981: option 'auto-dnssec' is deprecated
/etc/named.conf:981: 'auto-dnssec' option is deprecated and will be removed in BIND 9.19. Please migrate to dnssec-policy
unable to open '/etc/bind/bind.keys'; using built-in keys instead
generating session key for dynamic DNS
couldn't mkdir '//run': Permission denied
could not create //run/named/session.key
failed to generate session key for dynamic DNS: permission denied
sizing zone task pool based on 48 zones
none:99: 'max-cache-size 90%' - setting to 28833MB (out of 32037MB)
using built-in root key for view _default

I hope someone can help me, or is this a bug??

Henk
 
If you read through the error it states what the problem is. There is a permission issue since it's not able to create a session.key.

I do not have an Ubuntu server spun up at the moment to test it myself, but I believe a good workaround is to make sure you have a folder in /var/named/run-root/run/named and make sure the user and group bind are the owners of /var/named/run-root/run
Bash:
mkdir -p /var/named/run-root/run/named
chown -R bind:bind /var/named/run-root/run
 
Hello,
The directories RUN and NAMED already exist.
RUN has a permission of 0755 and owner BIND.
NAMED has a permission of 1755 and owner BIND.
And in NAMED there is a file named.pid, with permission 0644 and owner BIND
Henk
 
The root cause is probably an incorrect configuration of the service bind9 in the file /lib/systemd/system/bind9.service. The solution is to replace the file with a version that is free of errors.

Besides that, please make sure that the directories for session keys exist:
# mkdir -p /var/named/run-root/run/named
# chown -R bind:bind /var/named/run-root/run

After replacing the configuration file with a properly formatted version and ensuring that the directories exist, reload the daemon(s) and start bind9.
# systemctl daemon-reload
# systemctl start bind9

If you cannot identify the wrong configuration, please contact Plesk support https://support.plesk.com, they'll be happy to assist.
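
The session-key lines in the log from the first post can be tied to the directories the replies suggest checking. The script below is an added example, not part of any post in this thread and not Plesk tooling: it extracts the paths named failed to write, maps them into the chroot and checks owner and write bit. It assumes GNU stat, a chroot at /var/named/run-root and the service account bind (both taken from the replies); the function names are made up for illustration.

```shell
#!/bin/sh
# Constructed sample: the two session-key lines from the log in the first post.
SAMPLE_LOG="couldn't mkdir '//run': Permission denied
could not create //run/named/session.key"

# Assumptions taken from the replies: chroot directory and service account.
CHROOT="${CHROOT:-/var/named/run-root}"
RUN_USER="${RUN_USER:-bind}"

# Print each directory named failed to write to, as seen inside the chroot.
paths_from_log() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.*couldn't mkdir '\([^']*\)'.*/\1/p" \
        -e 's#.*could not create \(/.*\)/[^/]*$#\1#p'
}

# Map a path seen inside the chroot to the host path, collapsing repeated slashes.
host_path() {
    printf '%s/%s\n' "$1" "$2" | sed 's#//*#/#g'
}

# Succeed only if the directory exists, is owned by the user and is owner-writable.
check_dir() {
    cd_dir=$1; cd_user=$2
    [ -d "$cd_dir" ] || { echo "MISSING $cd_dir"; return 1; }
    cd_owner=$(stat -c '%U' "$cd_dir")
    [ "$cd_owner" = "$cd_user" ] || {
        echo "OWNER   $cd_dir: owned by $cd_owner, expected $cd_user"; return 1; }
    case $(stat -c '%A' "$cd_dir") in
        ??w*) echo "OK      $cd_dir" ;;
        *)    echo "MODE    $cd_dir: owner has no write bit"; return 1 ;;
    esac
}

# Check every directory mentioned in the log; return 1 if any check fails.
report() {
    rp_rc=0
    while IFS= read -r rp_path; do
        [ -n "$rp_path" ] || continue
        check_dir "$(host_path "$CHROOT" "$rp_path")" "$RUN_USER" || rp_rc=1
    done <<EOF
$(paths_from_log "$1")
EOF
    return $rp_rc
}

report "$SAMPLE_LOG" || echo "session-key directories need attention"
```

Set CHROOT or RUN_USER in the environment to check a different chroot directory or service account.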
 
Hello Peter,
The file bind9.service is in the /etc/systemd/system dir. Not in the /lib/
Here is what is in it

[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target
Wants=nss-lookup.target
Before=nss-lookup.target

[Service]
Type=forking
EnvironmentFile=-/etc/default/named
ExecStart=/usr/sbin/named $OPTIONS
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop
Restart=on-failure

[Install]
WantedBy=multi-user.target
Alias=bind9.service

Perhaps you can tell me what is wrong with this file??

Thank you

Henk
 