• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Plesk Obsidian: dns_dnssec_keylistfromrdataset file(s) missing

J

jiiha

New Pleskian
I'm getting /var/log/messages flooded with this message:

May 27 14:14:08 pleskserver named[2900]: dns_dnssec_keylistfromrdataset: error reading keys/example.com/Kexample.com.+008+55113.private: file not found

And yes, in /var/named/chroot/var/keys/example.com/ that file does not exist. There are three similar .key & .private pairs, all of them with smaller number than the missing ones.

[root@pleskserver]# ls -l /var/named/chroot/var/keys/example.com/
total 24
-rw-r--r--. 1 named root 427 May 17 13:26 Kexample.com.+008+14826.key
-rw-------. 1 named root 1012 May 17 13:26 Kexample.com.+008+14826.private
-rw-r--r--. 1 named root 601 May 17 13:26 Kexample.com.+008+43042.key
-rw-------. 1 named root 1776 May 17 13:26 Kexample.com.+008+43042.private
-rw-r--r--. 1 named root 601 May 17 13:26 Kexample.com.+008+53011.key
-rw-------. 1 named root 1776 May 17 13:26 Kexample.com.+008+53011.private

Any idea how to fix this? It only occurs on one domain.
 
If you want Plesk to generate secure links to protect file transfers with SSL/TLS encryption, select the Generate secure links to files and folders check box.
 
Wir1t said:
If you want Plesk to generate secure links to protect file transfers with SSL/TLS encryption, select the Generate secure links to files and folders check box.
Click to expand...
How are protecting file transfers related to my dnssec problem?
 
The problem in that named serves DNSKEY records with removed keys:


# dig +multi -t DNSKEY n8solutions.host; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +multi -t DNSKEY n8solutions.host
<...>
n8solutions.host. 85323 IN DNSKEY 256 3 14 (
NlXg/6Tus/ob7A1EO1m0XZmb5wwrMZdNox8IBCljK3RL
6rN7DWw33grWtsJWjYsxbpICn9d7hJSP6sJrNDqIjXtZ
fpnUXlwS4MBY/XbqcJmeJriI2WPr4CE2WnzwM/DY
) ; ZSK; alg = ECDSAP384SHA384 ; key id = 22807
n8solutions.host. 85323 IN DNSKEY 257 3 14 (
jKt7mpTwvi0Zl9ZKOhERjw4injdUdPTFwQSA5N6axTRa
yJKUp0AgpJrnISNvTVQg0kwENCVnD8CPqeTmo/s0QHe1
ppXZGllzYqwVL5bXq4cdlhCHSGoBdy3GCdArgiKf
) ; KSK; alg = ECDSAP384SHA384 ; key id = 3131
n8solutions.host. 85323 IN DNSKEY 257 3 14 (
vq8j3ykmiGgLy1erkZJP4bT3/QvqWWop0IqTnC6XdZVw
9g+d71IGSW0emUp8/lYtQ4nASWGf8QoyhcdVKlv5OgzN
qB9EIzZvjD/GKYwATiRgEiAj1fhh4p2C3ymy1Vwl
) ; KSK; alg = ECDSAP384SHA384 ; key id = 20330
n8solutions.host. 85323 IN DNSKEY 257 3 14 (
YqS0iPJmQW3Xor/NQ7gSJZf96z5RUkForFXeLutdfWKJ
Lja5+GjI4WgaOTeSTybhtDIoLms1cMHGSOHiskLBqXbi
agIsp0IvRc9r1Vw8Squ81XTvRcN45tDs4qeGfTbY
) ; KSK; alg = ECDSAP384SHA384 ; key id = 65375
n8solutions.host. 85323 IN DNSKEY 256 3 14 (
brPSmw+PzpEpdFIr7JvkEI8r0gbUf0O3zQ+DFBWtPYII
8Svjl/XlESfpOzy+RS1AFRjlyvh25My3Oyv7mcI2VDDu
ND6SLviSaWvT7HAlvLMksJvxB5+QL0NOhRGXXSMx
) ; ZSK; alg = ECDSAP384SHA384 ; key id = 19969
n8solutions.host. 85323 IN DNSKEY 257 3 14 (
ZWr59LN310D0dpQsKbvp+kc/gMfoSoOyCklQSj44Vwbn
uy3dAdym7Xcsu/peCYXd+2/THYa8o7yjsmK9B8weDgg9
zfzdgScECbUnt5uEoDqQe32S4Hpj4jPBT/7zPRCG
) ; KSK; alg = ECDSAP384SHA384 ; key id = 51954


(note key ids 22807, 3131 and 51954)


Looks like they are left in the signed zone file:

# named-checkzone -D -f raw -o - n8solutions.host /var/named/chroot/var/n8solutions.host.signed | grep jKt7mpTwvi0Zl9ZKOhERjw4injdUdPTFwQSA5N6axTRa
zone n8solutions.host/IN: loaded serial 2020060814 (DNSSEC signed)
n8solutions.host. 86400 IN DNSKEY 257 3 14 jKt7mpTwvi0Zl9ZKOhERjw4injdUdPTFwQSA5N6axTRayJKUp0AgpJrn ISNvTVQg0kwENCVnD8CPqeTmo/s0QHe1ppXZGllzYqwVL5bXq4cdlhCH SGoBdy3GCdArgiKf
#named-checkzone -D -f raw -o - n8solutions.host /var/named/chroot/var/n8solutions.host.signed | grep 'NlXg/6Tus/ob7A1EO1m0XZmb5wwrMZdNox8IBCljK3RL'
zone n8solutions.host/IN: loaded serial 2020060814 (DNSSEC signed)
n8solutions.host. 86400 IN DNSKEY 256 3 14 NlXg/6Tus/ob7A1EO1m0XZmb5wwrMZdNox8IBCljK3RL6rN7DWw33grW tsJWjYsxbpICn9d7hJSP6sJrNDqIjXtZfpnUXlwS4MBY/XbqcJmeJriI 2WPr4CE2WnzwM/DY
# named-checkzone -D -f raw -o - n8solutions.host /var/named/chroot/var/n8solutions.host.signed | grep 'ZWr59LN310D0dpQsKbvp+kc/gMfoSoOyCklQSj44Vwbn'
zone n8solutions.host/IN: loaded serial 2020060814 (DNSSEC signed)
n8solutions.host. 86400 IN DNSKEY 257 3 14 ZWr59LN310D0dpQsKbvp+kc/gMfoSoOyCklQSj44Vwbnuy3dAdym7Xcs u/peCYXd+2/THYa8o7yjsmK9B8weDgg9zfzdgScECbUnt5uEoDqQe32S 4Hpj4jPBT/7zPRCG

I would suggest to delete the singed zone files and restart bind so that it generates them again. After that only DNSKEY records for the existing keys should be generated:

# mv /var/named/chroot/var/n8solutions.host.signed.{,.bak}
# mv /var/named/chroot/var/n8solutions.host.signed.jnl{,.bak}
# service named-chroot restart
 
You must log in or register to reply here.

Similar threads

andreios
Resolved Problems with DNSSEC with some domains.
Replies
4
Views
1K
andreios
andreios
brother4
Issue Intermittent 503 Errors on Plesk Obsidian (Ubuntu 22.04 LTS) with PHP-FPM Crashes - Seeking Advice
Replies
3
Views
478
brother4
brother4
nisamudeen97
Issue [email protected] failed status Ionos Ubuntu 22 Cloud
Replies
2
Views
1K
nisamudeen97
nisamudeen97
G
Question Unable to send emails via phpmailler (codeigniter) smtp to hotmail.
Replies
2
Views
3K
Grepher76
G
W
Issue Nextcloud (Extension) Upgrade Error
Replies
6
Views
5K
dwuest
D
Back
Top