Issue Manuel upgrade to Debian 13 - BIND stopped working

[superfun2k23]

Server operating system version

Debian 13.2

Plesk version and microupdate number

18.0.74

Hi,

I upgraded to Debian 13 few days ago, after 18.0.74 was released and all was working.
But today I noticed, DNS Service isn't active.

But it can't get started, the only Error I get is:

BIND Domain Name Server

named.service

Loaded: loaded (/usr/lib/systemd/system/named

Drop-In:

.service; enabled; preset:

/usr/lib/systemd/system/named.service.d

Lplesk.conf

enabled)

Active: failed (Result: exit-code) since Sat 2025-11-15 23:27:55 CET; 4min 27s

Duration: 69ms

Invocation: 8fb7199a75f34daebd3891951db64462

Docs: man:named(8)

Main PID: 14659 (code=exited, status=1/FAILURE)

named.service: Scheduled restart job, restart counter is at 5.

systemd[1]: named.service: Start request repeated too quickly.

systemd[1]: named.service: Failed with result 'exit-code'.

 

[scsa20]

What does journalctl -u named.service show?

 

[superfun2k23]

I got it.. every Domain with DNSSEC enabled get a error:

"dnssec-policy doesn't match dnssec-policy config"

What can I do? Re-enable DNSSEC and repair DNS dies not fix it

 

[Sebahat.hadzhi]

@superfun2k23 , can you please run the following command and confirm if it returns any errors/warnings:

named-checkconf

 

[superfun2k23]

named-checkconf shows absolute nothing, also no error

but the dnssec-policy error still existe in Journal.

For all 3 dnssec-enabled domains and I believe it prevents dns from starting

"dnssec-policy 'domain123.de' has no matching dnssec-policy"

Here the config in /etc/named.conf:

zone "domain123.de" {
type master;
file "domain123.de";
key-directory "keys/domain123.de";
inline-signing yes;
dnssec-policy "domain123.de";
allow-transfer {

All settings standard after plesk 18.0.74 upgrade

 

[superfun2k23]

Soo.. after editing the line

dnssec-policy "domain123.de"; to
dnssec-policy default;

I was able to start dns service again, but this won't last long I think, because the file is auto generated by plesk

 

[Hangover2]

@superfun2k23 Actually, Debian 13 is only supported for new installations of Plesk. Manually upgrading Debian 12 to Debian 13 on a server with an active Plesk instance is not supported yet. – How to perform dist-upgrade procedure on Linux server with Plesk?

 

[scsa20]

@superfun2k23 Actually, Debian 13 is only supported for new installations of Plesk. Manually upgrading Debian 12 to Debian 13 on a server with an active Plesk instance is not supported yet. – How to perform dist-upgrade procedure on Linux server with Plesk?

I mean technically speaking as long as Plesk has support for the distro you could still upgrade the distro to it regardless. Plus even if Plesk did had support the upgrade you could still run into issues since the upgrade is highly dependent with how the environment is setup. If it's a simple environment with nothing customized using just standard Plesk installed then the upgrade should go through just fine without issues, if there's anything crazy with the environment then you could run into issues. For that reason is why I tend to lean on the side of caution and always spin up a new VM of the latest distro and do a migration.

Of course not everyone is able to do that and upgrading might be the only option and if that's the case taking a snapshot before the upgrade and maybe even doing it in a test first is preferred before actually completing the upgrade process.

In either case...

Soo.. after editing the line

dnssec-policy "domain123.de"; to
dnssec-policy default;

I was able to start dns service again, but this won't last long I think, because the file is auto generated by plesk

If it works with you edit the lines, does that mean you had DNSSEC configured on the domain before? What happens if you unsign then resign using the existing keys (or issue new keys)? Does it still work?

 

[superfun2k23]

I'm going to install a new server based in Debian 13 and see if it fixes the issue.
Even unsign DNSSEC does not fix it, because IT re-generate the file and bind can not start

 

[superfun2k23]

Reinstalled with fresh Debian 13 and restored backup, Error still exists + Apache2 through lots of Errors, so no it was not the manual upgrade that caused the error

 

[Hangover2]

I am still not sure if this approach is possible. As far as I know, only the following upgrade path is currently fully supported:

• Install Plesk on a fresh Debian 13 instance
• Install the Plesk Migrator extension on both the old Debian 12 instance and the new Debian 13 instance
• Migrate all customers via the Migrator extension

Did you use a backup from an already upgraded system, or from an untouched Debian 12 installation?

Maybe @Sebahat.hadzhi can advise on the currently supported upgrade options for Debian 13.

 

[superfun2k23]

I don't have any Debian 12 machine left running yet. Only thing possible is, setting up a fresh Debian 13 System and migrate from my actual System, which ist restored out of old upgraded system.
Maybe this will fix issues, that were imported with the Backup?

 

[Hangover2]

@superfun2k23 We will never know, as you no longer have a backup of the Debian 12 + Plesk server from before the upgrade. If the issue comes from this not-yet-supported upgrade path, you can only reach out to the Plesk support team to see if they can fix your installation. However, I am not sure whether they will provide free help if the upgrade was done outside their recommendations.

 

[scsa20]

Even unsign DNSSEC does not fix it, because IT re-generate the file and bind can not start

But did you then resigned the domain?

If you're still having issues after restoring from a backup on a fresh Debian 13 (although I think doing that wasn't fully necessary since it did worked for awhile then stopped), you'd probably be better off opening a ticket with Plesk support so they can take a look with you. Refer to https://support.plesk.com/hc/en-us/articles/12388090147095-How-to-get-support-directly-from-Plesk to find out how to get support from Plesk directly.

 

[superfun2k23]

Problem still exists, even after Migration from the failing server to a complete new machine.
I think it can't be some conflicting file, more like error with bind itself, because plesk DNS repair in all scenarios mention, DNS hast no problems found, but it can't get startet because of mismatch in dnssec-policies

 

[superfun2k23]

Seems there is some serious problem with the Troubleshooting of this dnssec-policy Problem occured.. 2 of 3 domains were resolved, but DENIC states Errors with Nameserver, but 3rd Domain ist not resolved, I checked Nameserver in plesk and registrar, all fine but no success :/

Seems my DNS is messed up, have to figure out whats the problem

 

[Sebahat.hadzhi]

Maybe @Sebahat.hadzhi can advise on the currently supported upgrade options for Debian 13.

@Hangover2 is absolutely right, manual OS upgrades haven't been tested by our team yet and therefore are not officially supported. Currently, the recommended path is to migrate to a fresh Debian 13 server.

Regarding the experienced issue, I believe the same could be related to the fact that auto-dnssec was replaced by dnssec-policy since Bind 9.18. However, I also think it will be best for our support team to take a further look on that server.

 

[superfun2k23]

the actual solution is, I deleted named.conf in /etc/ complete and now all is working

Seems there are bugs with the situation, auto-dnssec was replaced by dnssec-policy since Bind 9.18.

 

[groove21]

Is there already a reply from support regarding this?
Did you face any more problems while upgrading?

 

[superfun2k23]

Is there already a reply from support regarding this?
Did you face any more problems while upgrading?

I fixed it on my own, Just deleted /etc/named.conf and all is working..
Don't know why this file is created, when all is working without it also just fine
re-install of fresh Debian 13 was not necessary, but to late for me..
Manual upgrading using any HowTo for "Debian 12 to 13 upgrade" would work, since Plesk is compatible now.