
Resolved Problems with DNSSEC with some domains.

andreios

Regular Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
18.0.59 Update #2
I have some domains on my server where DNSSEC works flawlessly, but also some where it simply doesn't work. I have already tried 'plesk repair dns -y' and 'plesk repair installation', and regenerating the keys. Also, I have a domain that gives the error:

Code:
named[2037]: dns_dnssec_keylistfromrdataset: error reading keys/exampl.com/Kexample.com.+008+50383.private: file not found

I deleted the signed zone files for this domain, '/var/named/run-root/var/example.com.signed*', but the error still occurs.

In the attached files you see two domains with two different-looking problems. The result is mixed with the debug log from named.
 
Turns out the DNSKEYs are not saved correctly by Plesk; I can detect only one of the DNSKEYs as shown in Plesk in /var/keys/in-es.info/Kidomain.info/*key
I have tried to regenerate the keys, and the files were replaced.
Code:
-rw-r--r--  1 bind root  602 Apr 10 08:15 Kidomain.info.+008+02066.key
-rw-------  1 bind root 1,8K Apr 10 08:15 Kdomain.info.+008+02066.private
-rw-r--r--  1 bind root  428 Apr 10 08:15 Kdomain.info.+008+03595.key
-rw-------  1 bind root 1012 Apr 10 08:15 Kdomain.info.+008+03595.private
-rw-r--r--  1 bind root  603 Apr 10 08:15 Kdomain.info.+008+32254.key
-rw-------  1 bind root 1,8K Apr 10 08:15 Kdomain.info.+008+32254.private
But still only one key of the DNSKEYs from Plesk is there. On working domains both keys are found there.
Where did the wrong key come from?
 
Yesterday I generated a new KEY for some domains for which DNSSEC did not work anyway, this time with ECDSAP256SHA256. No change, the DS entries are still missing.

However, I also tested one of the domains where DNSSEC was working to see if it would change if I generated a new key. The domain seemed to have problems with DNSSEC, but no missing DS entries.

But since this afternoon, without me changing anything, this domain has disappeared from the internet. Internet DNS servers are suddenly not delivering A and AAAA records and others for this domain. When I search on the DNS server of my hoster, all entries are there.

But when I query other servers or look here, I only see RRSIG and DS entries, nothing else. DNS Record Lookup - ViewDNS.info
 
The domain still delivers DS records even after I deactivated DNSSEC with Plesk. The domain thinks it is signed but is not; that's a problem. Even if I activate DNSSEC, it is not correctly signed, as it seems.
 
We have solved this and all above issues by changing the registrar. Whatever they did there, it was not very convincing; after all, it seems like they did not really understand what they were doing. Everything was fixed immediately after we changed the registrar. Issue can be closed.
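
The posts above describe DS records still being served by the parent after DNSSEC was deactivated or the keys were regenerated, with the fix arriving only through the registrar. As an added example (not part of the original thread and not Plesk's or BIND's code), this Python check compares the DS set at the parent with the DNSKEYs a zone publishes, using the RFC 4034 key tag and DS digest; the function names, result labels and key bytes are constructed for illustration.

```python
import base64, hashlib, struct

def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the number in K<zone>.+<alg>+<tag> file names)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(name, rdata, digest_type=2):
    """DS digest = hash(owner name | DNSKEY RDATA); 1=SHA-1, 2=SHA-256, 4=SHA-384."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(owner_wire(name) + rdata).hexdigest().upper()

def check_delegation(name, parent_ds, zone_dnskeys):
    """parent_ds: [(key_tag, alg, digest_type, hex_digest)], zone_dnskeys: [rdata]."""
    if not parent_ds:
        return "insecure"            # no DS: validators treat the zone as unsigned
    if not zone_dnskeys:
        return "ds-but-unsigned"     # DS left at the registrar, zone not signed
    for tag, alg, dtype, digest in parent_ds:
        for rdata in zone_dnskeys:
            if (key_tag(rdata), rdata[3]) == (tag, alg) and \
               ds_digest(name, rdata, dtype) == digest.upper():
                return "ok"
    return "ds-matches-no-dnskey"    # DS points at a key the zone no longer publishes

# Constructed sample data: two made-up ECDSAP256SHA256 (13) KSKs, not real keys.
ZONE = "example.com"
OLD_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))))
NEW_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))))
STALE_DS = [(key_tag(OLD_KSK), 13, 2, ds_digest(ZONE, OLD_KSK))]

if __name__ == "__main__":
    print("before regeneration :", check_delegation(ZONE, STALE_DS, [OLD_KSK]))
    print("after regeneration  :", check_delegation(ZONE, STALE_DS, [NEW_KSK]))
    print("DNSSEC switched off :", check_delegation(ZONE, STALE_DS, []))
```

Both non-"ok" results with a DS present make validating resolvers treat the zone as bogus, and only the party that controls the parent zone's DS set (the registrar) can clear them.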
 