Symptoms
- While Plesk is applying new DNS records, the following can be found in /var/log/syslog:
systemd[1]: Reloading BIND Domain Name Server.
named[12505]: received control channel command 'reload'
named[12505]: loading configuration from '/etc/named.conf'
systemd[1]: bind9.service: Reload operation timed out. Killing reload process.
systemd[1]: Reload failed for BIND Domain Name Server.
- Then all websites stopped resolving:
# dig @localhost example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost example.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Cause
While signing a DNS zone with DNSSEC, BIND generates signatures and can hang on /dev/random due to a lack of entropy.
Resolution
- Specify random-device /dev/urandom in the 'options' section of /etc/named.conf:
options {
    allow-recursion { localhost; };
    random-device "/dev/urandom";
    // ... other existing options stay unchanged ...
};
- Restart the service:
# service bind9 restart
OR
# service named-chroot restart
Note: Alternatively, it is possible to install the haveged package, which would increase entropy on the server.
Mind that this package is developed by a third party and was not tested with Plesk.
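To confirm that the resolution above is in place (for example after DNS settings have been changed), the following added example audits a named.conf file. It is not part of the original article or of Plesk's tooling; the function names and the sample configuration are constructed, and it assumes each `options {` statement starts on its own line.

```shell
#!/bin/sh
# Added example: audit named.conf for the random-device fix (not Plesk's own tooling).

# Constructed sample of the options block after applying the fix.
sample_conf() {
cat <<'EOF'
options {
    allow-recursion { localhost; };
    // random-device "/dev/random";
    random-device "/dev/urandom";
};
EOF
}

# Drop /* */ (single-line), // and # comments so disabled directives are ignored.
strip_comments() {
    sed -e 's:/\*.*\*/::g' -e 's://.*$::' -e 's:#.*$::' "$1"
}

# Count "options {" statements; BIND accepts only one.
count_options_blocks() {
    strip_comments "$1" | grep -cE '^[[:space:]]*options[[:space:]]*\{' || true
}

# Print the first active random-device value, or nothing if it is unset.
random_device() {
    strip_comments "$1" | sed -nE 's/.*random-device[[:space:]]+"([^"]+)".*/\1/p' | head -n 1
}

# Return 0 if the fix is in place, 1 if random-device is unset or different,
# 2 if the number of options blocks is not exactly one.
check_named_conf() {
    blocks=$(count_options_blocks "$1")
    dev=$(random_device "$1")
    if [ "$blocks" -ne 1 ]; then
        echo "FAIL: found $blocks options blocks, expected 1"; return 2
    fi
    if [ "$dev" = "/dev/urandom" ]; then
        echo "OK: random-device is /dev/urandom"; return 0
    fi
    echo "WARN: random-device is '${dev:-unset}'"; return 1
}

# With no argument, run against the constructed sample instead of a real file.
conf=${1:-}
if [ -z "$conf" ]; then conf=$(mktemp); sample_conf > "$conf"; fi
check_named_conf "$conf" || true
# Linux kernel entropy estimate, relevant while BIND still reads /dev/random.
if [ -r /proc/sys/kernel/random/entropy_avail ]; then cat /proc/sys/kernel/random/entropy_avail; fi
```

Pass the path to the real file as the first argument to check it; `named-checkconf /etc/named.conf` can be used before the restart to validate the syntax of the edited file.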
Comments
4 comments
Why isn't one of these options the standard setting?
Ad 1)
Bind only allows exactly ONE option block in its config file. However, the Plesk-defined file /etc/named.conf has this block in that part of the file that is automatically changed by Plesk. Thus, it is questionable if the settings from 1) and 2) will persist if Plesk updates /etc/named.conf!
Ad 2)
haveged could be a required package for Plesk installations!
@b_p I have checked on a test environment that the /etc/named.conf file is not being overwritten during installation of Plesk MUs, updating of DNS settings via Plesk UI, re-installing of bind9 package.
I have reported such behavior to our developers and such behavior will be improved in a future release.
Thank you for the input.
@Nikolay
If I have a look at /etc/named.conf, the first lines look like this
In order to define the random device, you need to include that in the options section shown above in your code example.
However, as the Plesk-generated code snippet above shows, an option section is already defined in a file section that will be overwritten when you change settings in the Plesk UI. Thus, adding your proposed line to the file is possible but expected to disappear once you change the DNS settings. Now one could think "well, then let's just add another options section in custom directives part (which is supposed to be kept during changes in Plesk)". However, that's not possible since the options section can only be defined once!
@b_p,
As Nikolay mentioned, `/etc/named.conf` is not being overwritten so it is possible to keep `random-device "/dev/urandom";` string in the main `options` section.