Resolved Plesk DNS updates can take over 2 minutes...

[Walter]

Anytime I make record changes to DNS in Plesk, the change will take over 2 minutes and then my secondary service is not able to communicate with my Plesk instance. This is not behavior I'm used to as in the past, as soon as I make DNS changes, I'm able to force an update with secondary service provider.

I have a single Plesk Onyx server that is also the master Authoritative DNS server.
I have a secondary DNS service setup with dnsmadeeasy.com.
Vanity DNS names are established with dnsmadeeasy.com and IPs provided by them

My registrar has:
ns1.domain.tld IPofPlesk
ns2.domain.tld IPofPlesk
ns5.domain.tld IP1of2ndaryDNS
ns6.domain.tld IP2of2ndaryDNS

Plesk has:
A record ns1.domain.tld IPofPlesk
A record ns2.domain.tld IPofPlesk (SOA)
A record ns5.domain.tld IP1of2ndaryDNS
A record ns6.domain.tld IP2of2ndaryDNS
NS record domain.tld ns1.domain.tld
NS record domain.tld ns2.domain.tld
NS record domain.tld ns5.domain.tld
NS record domain.tld ns6.domain.tld

I have the AXFR IP addresses entered into Plesk of my secondary DNS service and they are able to receive transfers.
When no changes are made, things seem to run fine.

I also have dkim and DNSSEC setup. DNSSEC according to verizon's test page and some others shows my setup is correct. I have the proper DS records setup with my registrar. My secondary DNS provider supports DNSSEC as well.

 

[Walter]

Additional information... If I delete the primary domain, and re-create it, things work super fast and DNS updates work fine. Comment, DNS updates to any domain on my Plesk instance. Before deleting the primary domain, any record change to any domain on Plesk took almost 2 minutes. plesk repair dns does not resolve. There are times where a local dig against plesk external or localhost ip will not resolve established A records.
cat /var/named/run-root/var/domain.tld looks good... the entries here match with Plesk DB

The only thing sure to temporarily resolve the issue is to delete the domain and recreate it.
With Plesk support I have gone through each change after re-creating domain name as well as step by step remove each change without deleting the domain. And of course I also removed secondary DNS service for testing and allowed DNS to propagate and still had the issue.

There is an active ticket with Plesk and they are scratching their heads. It is with their development team. Has anyone else had this same issue?

 

[Bitpalast]

I do not have the solution on this, but I am interested in the case, because a similar issue exists for Plesk 17.0 and newer with the creation of domains and subdomains. When a host has a certain number of domains, say 500, and you add another one, storing the new data set and restarting services like web server and PHP FPM takes a very long time (minutes). Adding a second, third, fourth domain afterwards does not cause any wait, because then the web server restart interval is blocking a further restart/reload. You may want to add this information to your existing support ticket. Maybe they can link the cases and figure out why it is happening.

 

[Walter]

I have 10 domains but add some aliases for my domains. It is used a workaround for mail to create a "mail" alias so I could use LE certificate. I would delete the A record on the primary domain and then create a "mail" alias for that domain. Update primary domain LE with the alias domain.

The problem for us is that the problem though exists doesn't readily show a problem in the debug logs that we've collected. Additionally we cannot seem to trigger the error as removing the domain and re-enabling temporarily resolves but we don't know what triggers it or when the problems resumes.

I built a test server with only one domain and somehow the issue was on that server too. My thoughts were wondering if there was some DNS loop or attempting to resolve that exceeds a timeout value.

 

[Walter]

/var/log/syslog
May 6 20:22:46 bh01 systemd[1]: Reloading BIND Domain Name Server.
May 6 20:22:46 bh01 rndc[26438]: WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
May 6 20:24:16 bh01 systemd[1]: bind9.service: Reload operation timed out. Killing reload process.
May 6 20:24:16 bh01 systemd[1]: Reload failed for BIND Domain Name Server.

However on GUI, it shows changes were successful.

 

[AYamshanov]

Hi,

Could you show an output of the command:

• plesk version
• systemctl | grep named

Also, I found an old post with the like error: WARNING: key file exists, but using default configuration file but I'm not sure.

 

[Walter]

Come to find out, the issue was entropy... here is an excerpt from Plesk Development Support that fixed the issue.
This had to do with DNSSEC keys that were created during implementation of DNSSEC.

There is not enough entropy, bind will hang on /dev/random stage.

We see two possible solutions:

- install packet 'haveged' (it should add entropy)

- add the following record into /etc/named.conf:
options {
allow-recursion {
localhost;
};
random-device "/dev/urandom";

In this case bind is using urandom (Pseudo-random events and as a result the system is not waiting for true-random events).
Plesk applied the second solution to my server which immediately resolved the issue.