Issue DNSSEC with Ubuntu Problems

H.W.B

Regular Pleskian
Server operating system version: Ubuntu 22.04.3 LTS
Plesk version and microupdate number: Plesk Obsidian Version 18.0.54 Update #4
Hello,
Since I switched servers from CentOS 7 to Ubuntu 22.04 LTS I have been having problems with DNSSEC.
I installed the DNSSEC app and then signed all domains.
Then I updated the registrar and secondary DNS servers.
But I got errors that the domains were not resolvable.
When using the dig command to check what the primary DNS (Plesk) was giving out, I got no records.

After a lot of testing what caused the problem, I found that DNSSEC was not working properly. The domain was SIGNED but the records were not.
When unsigning all domains, I tried to remove the DNSSEC app, but that made every domain unresolvable!!! And DNSSEC was NOT in use on any domain.
Installing the DNSSEC app, but not using it, resolved the problem.

In the log file are these lines :

/etc/named.conf:981: option 'auto-dnssec' is deprecated
/etc/named.conf:981: 'auto-dnssec' option is deprecated and will be removed in BIND 9.19. Please migrate to dnssec-policy
unable to open '/etc/bind/bind.keys'; using built-in keys instead
generating session key for dynamic DNS
couldn't mkdir '//run': Permission denied
could not create //run/named/session.key
failed to generate session key for dynamic DNS: permission denied
sizing zone task pool based on 48 zones
none:99: 'max-cache-size 90%' - setting to 28833MB (out of 32037MB)
using built-in root key for view _default

I hope someone can help me, or is this a bug??

Henk
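
A check for the symptom described in this post, a zone marked as signed while the primary serves unsigned records (an added example, not part of the thread; the sample dig output, the example.test zone and the function names are constructed):

```shell
#!/bin/sh
# Added example, not from the thread: list answer RRsets that lack an RRSIG.

# Reads `dig +dnssec` output on stdin and prints "owner type" for each RRset
# in the ANSWER section with no covering RRSIG. For a non-empty answer,
# no output means every RRset is signed.
unsigned_rrsets() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || NF == 0      { in_answer = 0; next }
        !in_answer || /^;/    { next }
        $4 == "RRSIG"         { covered[tolower($1) " " $5] = 1; next }
                              { seen[tolower($1) " " $4] = 1 }
        END { for (k in seen) if (!(k in covered)) print k }
    ' | sort
}

# Query the primary directly and without recursion, so that a resolver cache
# or a secondary cannot hide what the primary itself serves.
check_primary() {   # usage: check_primary <server-ip> <zone>
    for rrtype in SOA NS DNSKEY; do
        dig +dnssec +norecurse "@$1" "$2" "$rrtype" | unsigned_rrsets
    done
}

# Constructed sample: an SOA answer served without any signature.
sample_unsigned() {
    cat <<'EOF'
;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 2024010101 10800 3600 604800 10800

;; AUTHORITY SECTION:
example.test. 3600 IN NS ns1.example.test.
EOF
}

# Constructed sample: the same answer together with its covering RRSIG.
sample_signed() {
    cat <<'EOF'
;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 2024010101 10800 3600 604800 10800
example.test. 3600 IN RRSIG SOA 13 2 3600 20240201000000 20240101000000 12345 example.test. c2FtcGxlLXNpZ25hdHVyZQ==

;; AUTHORITY SECTION:
EOF
}

if [ "$#" -eq 2 ]; then check_primary "$1" "$2"; fi
```

Called with a server address and a zone name, the script queries SOA, NS and DNSKEY; every line it prints is an RRset the primary served without a signature.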
 
If you read through the error it states what the problem is. There is a permission issue since it's not able to create a session.key.

I do not have an Ubuntu server spun up at the moment to test it myself, but I believe a good workaround would be to make sure you have a folder in /var/named/run-root/run/named and make sure the user and group bind are the owners of /var/named/run-root/run
Bash:
mkdir -p /var/named/run-root/run/named
chown -R bind:bind /var/named/run-root/run
 
Hello,
The directories RUN and NAMED already exist.
RUN has a permission of 0755 and owner BIND.
NAMED has a permission of 1755 and owner BIND.
And in NAMED there is a file named.pid, with permission 0644 and owner BIND.
Henk
 
The root cause is probably an incorrect configuration of the service bind9 in the file /lib/systemd/system/bind9.service. The solution is to replace the file with a version that is free of errors.

Besides that, please make sure that the directories for session keys exist:
# mkdir -p /var/named/run-root/run/named
# chown -R bind:bind /var/named/run-root/run

After replacing the configuration file with a properly formatted version and ensuring that the directories exist, reload the daemon(s) and start bind9.
# systemctl daemon-reload
# systemctl start bind9

If you cannot identify the wrong configuration, please contact Plesk support https://support.plesk.com, they'll be happy to assist.
 
Hello Peter,
The file bind9.service is in the /etc/systemd/system dir, not in /lib/.
Here is what is in it:

[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target
Wants=nss-lookup.target
Before=nss-lookup.target

[Service]
Type=forking
EnvironmentFile=-/etc/default/named
ExecStart=/usr/sbin/named $OPTIONS
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop
Restart=on-failure

[Install]
WantedBy=multi-user.target
Alias=bind9.service

Perhaps you can tell me what is wrong with this file??

Thank you

Henk
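
A way to check the session-key directory from the replies above against the options this unit file passes to named through EnvironmentFile (an added example, not part of any post; it assumes /etc/default/named carries one OPTIONS="..." line that uses named's -t and -u flags, and the function name is made up here):

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the defaults file holds a
# single OPTIONS="..." line, as read by the unit's EnvironmentFile= setting.

# Prints one status line for <chroot>/run/named, where <chroot> is the -t
# value and the expected owner is the -u value found in OPTIONS.
# Returns 0 only if the directory exists, has that owner and is owner-writable.
session_dir_status() {   # usage: session_dir_status <defaults-file>
    opts=$(sed -n 's/^OPTIONS="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1")
    root="" user=root prev=""
    for word in $opts; do            # walk OPTIONS word by word
        case $prev in
            -t) root=$word ;;        # chroot directory
            -u) user=$word ;;        # user named switches to
        esac
        prev=$word
    done
    dir="$root/run/named"

    if [ ! -d "$dir" ]; then
        echo "missing $dir"; return 1
    fi
    if [ -z "$(find "$dir" -prune -user "$user" 2>/dev/null)" ]; then
        echo "wrong-owner $dir (expected $user)"; return 1
    fi
    if [ -z "$(find "$dir" -prune -perm -200)" ]; then
        echo "not-writable $dir"; return 1
    fi
    echo "ok $dir"
}

if [ "$#" -eq 1 ]; then session_dir_status "$1"; fi
```

When OPTIONS contains no -t, the function checks /run/named on the host, which is the path named uses when it is not chrooted.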
 
In the log file are these lines :

/etc/named.conf:981: option 'auto-dnssec' is deprecated
/etc/named.conf:981: 'auto-dnssec' option is deprecated and will be removed in BIND 9.19. Please migrate to dnssec-policy

@IgorG I observe these warnings on my server as well. They are generated by those lines of /var/named/run-root/etc/named.conf which are auto-generated by Plesk. So I assume someone should fix this at your side at some point.
(As a side note: What is always confusing with regard to bind9 and Plesk is that the config files only reside in /var/named/run-root but not in /etc. Common practice for chrooted applications is to copy relevant files (e.g., in /etc) to the chroot on every reload/restart. For bind this would also make it easier to run rndc commands (where rndc always complains regarding the key to be used and where rndc seems to check the actual /etc directory).)
 
We are aware of the deprecation warnings, but since they are warnings and don't cause any functional issues we haven't prioritized adapting the auto-dnssec configuration yet. But know it's on our todo list.
 