
Issue Plesk Obsidian: dns_dnssec_keylistfromrdataset file(s) missing

jiiha

New Pleskian
I'm getting /var/log/messages flooded with this message:

May 27 14:14:08 pleskserver named[2900]: dns_dnssec_keylistfromrdataset: error reading keys/example.com/Kexample.com.+008+55113.private: file not found

And yes, in /var/named/chroot/var/keys/example.com/ that file does not exist. There are three similar .key & .private pairs, all of them with smaller numbers than the missing ones.

[root@pleskserver]# ls -l /var/named/chroot/var/keys/example.com/
total 24
-rw-r--r--. 1 named root 427 May 17 13:26 Kexample.com.+008+14826.key
-rw-------. 1 named root 1012 May 17 13:26 Kexample.com.+008+14826.private
-rw-r--r--. 1 named root 601 May 17 13:26 Kexample.com.+008+43042.key
-rw-------. 1 named root 1776 May 17 13:26 Kexample.com.+008+43042.private
-rw-r--r--. 1 named root 601 May 17 13:26 Kexample.com.+008+53011.key
-rw-------. 1 named root 1776 May 17 13:26 Kexample.com.+008+53011.private

Any idea how to fix this? It only occurs on one domain.
 
If you want Plesk to generate secure links to protect file transfers with SSL/TLS encryption, select the Generate secure links to files and folders check box.
 
If you want Plesk to generate secure links to protect file transfers with SSL/TLS encryption, select the Generate secure links to files and folders check box.
How is protecting file transfers related to my DNSSEC problem?
 
The problem is that named serves DNSKEY records with removed keys:


# dig +multi -t DNSKEY n8solutions.host
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +multi -t DNSKEY n8solutions.host
<...>
n8solutions.host. 85323 IN DNSKEY 256 3 14 (
NlXg/6Tus/ob7A1EO1m0XZmb5wwrMZdNox8IBCljK3RL
6rN7DWw33grWtsJWjYsxbpICn9d7hJSP6sJrNDqIjXtZ
fpnUXlwS4MBY/XbqcJmeJriI2WPr4CE2WnzwM/DY
) ; ZSK; alg = ECDSAP384SHA384 ; key id = 22807
n8solutions.host. 85323 IN DNSKEY 257 3 14 (
jKt7mpTwvi0Zl9ZKOhERjw4injdUdPTFwQSA5N6axTRa
yJKUp0AgpJrnISNvTVQg0kwENCVnD8CPqeTmo/s0QHe1
ppXZGllzYqwVL5bXq4cdlhCHSGoBdy3GCdArgiKf
) ; KSK; alg = ECDSAP384SHA384 ; key id = 3131
n8solutions.host. 85323 IN DNSKEY 257 3 14 (
vq8j3ykmiGgLy1erkZJP4bT3/QvqWWop0IqTnC6XdZVw
9g+d71IGSW0emUp8/lYtQ4nASWGf8QoyhcdVKlv5OgzN
qB9EIzZvjD/GKYwATiRgEiAj1fhh4p2C3ymy1Vwl
) ; KSK; alg = ECDSAP384SHA384 ; key id = 20330
n8solutions.host. 85323 IN DNSKEY 257 3 14 (
YqS0iPJmQW3Xor/NQ7gSJZf96z5RUkForFXeLutdfWKJ
Lja5+GjI4WgaOTeSTybhtDIoLms1cMHGSOHiskLBqXbi
agIsp0IvRc9r1Vw8Squ81XTvRcN45tDs4qeGfTbY
) ; KSK; alg = ECDSAP384SHA384 ; key id = 65375
n8solutions.host. 85323 IN DNSKEY 256 3 14 (
brPSmw+PzpEpdFIr7JvkEI8r0gbUf0O3zQ+DFBWtPYII
8Svjl/XlESfpOzy+RS1AFRjlyvh25My3Oyv7mcI2VDDu
ND6SLviSaWvT7HAlvLMksJvxB5+QL0NOhRGXXSMx
) ; ZSK; alg = ECDSAP384SHA384 ; key id = 19969
n8solutions.host. 85323 IN DNSKEY 257 3 14 (
ZWr59LN310D0dpQsKbvp+kc/gMfoSoOyCklQSj44Vwbn
uy3dAdym7Xcsu/peCYXd+2/THYa8o7yjsmK9B8weDgg9
zfzdgScECbUnt5uEoDqQe32S4Hpj4jPBT/7zPRCG
) ; KSK; alg = ECDSAP384SHA384 ; key id = 51954


(note key ids 22807, 3131 and 51954)


Looks like they are left in the signed zone file:

# named-checkzone -D -f raw -o - n8solutions.host /var/named/chroot/var/n8solutions.host.signed | grep jKt7mpTwvi0Zl9ZKOhERjw4injdUdPTFwQSA5N6axTRa
zone n8solutions.host/IN: loaded serial 2020060814 (DNSSEC signed)
n8solutions.host. 86400 IN DNSKEY 257 3 14 jKt7mpTwvi0Zl9ZKOhERjw4injdUdPTFwQSA5N6axTRayJKUp0AgpJrn ISNvTVQg0kwENCVnD8CPqeTmo/s0QHe1ppXZGllzYqwVL5bXq4cdlhCH SGoBdy3GCdArgiKf
# named-checkzone -D -f raw -o - n8solutions.host /var/named/chroot/var/n8solutions.host.signed | grep 'NlXg/6Tus/ob7A1EO1m0XZmb5wwrMZdNox8IBCljK3RL'
zone n8solutions.host/IN: loaded serial 2020060814 (DNSSEC signed)
n8solutions.host. 86400 IN DNSKEY 256 3 14 NlXg/6Tus/ob7A1EO1m0XZmb5wwrMZdNox8IBCljK3RL6rN7DWw33grW tsJWjYsxbpICn9d7hJSP6sJrNDqIjXtZfpnUXlwS4MBY/XbqcJmeJriI 2WPr4CE2WnzwM/DY
# named-checkzone -D -f raw -o - n8solutions.host /var/named/chroot/var/n8solutions.host.signed | grep 'ZWr59LN310D0dpQsKbvp+kc/gMfoSoOyCklQSj44Vwbn'
zone n8solutions.host/IN: loaded serial 2020060814 (DNSSEC signed)
n8solutions.host. 86400 IN DNSKEY 257 3 14 ZWr59LN310D0dpQsKbvp+kc/gMfoSoOyCklQSj44Vwbnuy3dAdym7Xcs u/peCYXd+2/THYa8o7yjsmK9B8weDgg9zfzdgScECbUnt5uEoDqQe32S 4Hpj4jPBT/7zPRCG

I would suggest deleting the signed zone files and restarting BIND so that it generates them again. After that, only DNSKEY records for the existing keys should be generated:

# mv /var/named/chroot/var/n8solutions.host.signed{,.bak}
# mv /var/named/chroot/var/n8solutions.host.signed.jnl{,.bak}
# service named-chroot restart
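
Added example (not part of the original posts, and not Plesk or BIND code): a small POSIX shell check that compares the key ids published in `dig +multi -t DNSKEY` output with the `K*.private` files in a key directory and prints the ids that are served without a private key on disk. The function names and the temporary demo directory are assumptions; the sample input is constructed from the key ids quoted in the thread.

```shell
#!/bin/sh
# Key ids found in `dig +multi -t DNSKEY <zone>` output read from stdin.
published_key_ids() {
    sed -n 's/.*key id = \([0-9][0-9]*\).*/\1/p' | sort -u
}

# Key ids that have a K<zone>.+<alg>+<id>.private file in directory $1.
ondisk_key_ids() {
    for f in "$1"/K*.private; do
        [ -e "$f" ] || continue            # glob matched nothing
        id=${f##*+}                        # "03131.private"
        id=${id%.private}                  # "03131"
        # File names zero-pad the id to five digits; dig does not.
        printf '%s\n' "$id" | sed 's/^0*\([0-9]\)/\1/'
    done | sort -u
}

# stdin: dig output; $1: key directory. Prints ids served by named that
# have no private key file, i.e. the ones behind "file not found".
orphaned_key_ids() {
    tmp=$(mktemp -d) || return 1
    published_key_ids > "$tmp/published"
    ondisk_key_ids "$1" > "$tmp/ondisk"
    comm -23 "$tmp/published" "$tmp/ondisk"
    rm -rf "$tmp"
}

# Constructed sample: comment lines abbreviated from the dig output in the
# thread, and a temporary key directory holding only the three remaining keys.
demo() {
    dir=$(mktemp -d) || return 1
    for id in 20330 65375 19969; do
        : > "$dir/Kn8solutions.host.+014+$id.private"
    done
    orphaned_key_ids "$dir" <<'EOF'
) ; ZSK; alg = ECDSAP384SHA384 ; key id = 22807
) ; KSK; alg = ECDSAP384SHA384 ; key id = 3131
) ; KSK; alg = ECDSAP384SHA384 ; key id = 20330
) ; KSK; alg = ECDSAP384SHA384 ; key id = 65375
) ; ZSK; alg = ECDSAP384SHA384 ; key id = 19969
) ; KSK; alg = ECDSAP384SHA384 ; key id = 51954
EOF
    rm -rf "$dir"
}
```

On a live server the same check would be `dig +multi -t DNSKEY example.com | orphaned_key_ids /var/named/chroot/var/keys/example.com`; empty output after the zone has been re-signed means every published DNSKEY has a matching private key.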
 