Articles in this section

See more

Domain is not accessible from some locations after switching to Plesk nameservers due to DNSSEC misconfiguration

Avatar
Anastasiia Zyrianova
Updated
Follow
Plesk for Linux kb: technical ext: sslit

Applicable to:

  • Plesk for Linux

Symptoms

  • Plesk website example.com is not reachable in some locations. A and/or NS DNS records are not available worldwide:

    # dig +short example.com
    Empty output

    # dig NS example.com +short
    Empty Output

  • Issuing/renewing a Let's Encrypt certificate may fail with the following error:

    PLESK_ERROR: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed. Details
    Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/122747466376.
    Details:
    Type: urn:ietf:params:acme:error:dns
    Status: 400
    Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for example.com - the domain's nameservers may be malfunctioning

  • DNS was managed externally previously and nameservers have been recently changed to Plesk nameservers: ns1.example.com and ns2.example.com.

Cause

The issue is caused by the DNSSEC that was used on the external DNS side earlier. The domain contains a DS record in its zone. The DNS zone is signed on the external DNS side, not in Plesk:

# whois example.com | grep 'DNSSEC\|Name'
Domain Name: EXAMPLE.COM
Name Server: ns1.externalnameserver.com
Name Server: ns2.externalnameserver.com
DNSSEC: signedDelegation
DNSSEC DS Data: 2371 8 2 05018AD82430B60DC43FC0816C98797BC62EB67E57AA98AABC82D7ACD5A8CBC1

The following errors are provided by a free online checker, for example, https://dnsviz.net/:

PLESK_ERROR: example.com/A: No RRSIG covering the RRset was returned in the response. (203.0.113.2, UDP_-_EDNS0_4096_D_KN)

PLESK_ERROR: com to example.com: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (203.0.113.2, UDP_-EDNS0_4096_D_KN, UDP-EDNS0_512_D_KN)
com to example.com: The DS RRset for the zone included algorithm 8 (RSASHA256), but no DS RR matched a DNSKEY with algorithm 8 that signs the zone's DNSKEY RRset. (203.0.113.2, UDP-EDNS0_4096_D_KN, UDP-_EDNS0_512_D_KN)

Resolution

Apply one of the solutions below:

To completely disable DNSSEC

Remove the DS record from the parent zone on the external DNS side, for example, using the domain registrar's panel.

To fix DNSSEC
  1. Remove old DS records from the parent zone on the external DNS side.
  2. Log into Plesk.
  3. Install the DNSSEC extension.
  4. Configure DNSSEC for the domain using the following guide.

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles