Applicable to:
- Plesk for Linux
Symptoms
- The Plesk-hosted website example.com is not reachable from some locations. Its A and/or NS records cannot be resolved worldwide; a query returns nothing:

  # dig +short example.com
  (empty output)

  # dig NS example.com +short
  (empty output)

- Issuing or renewing a Let's Encrypt certificate fails with the following error:

  Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed. Details:
  Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/122747466376.
  Details:
  Type: urn:ietf:params:acme:error:dns
  Status: 400
  Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for example.com - the domain's nameservers may be malfunctioning

- DNS for the domain was previously managed externally, and its nameservers have recently been changed to the Plesk nameservers ns1.example.com and ns2.example.com.
Cause
The domain was signed with DNSSEC on the external DNS side, and the DS record that was published in the parent zone (com) at that time is still there. The zone now served by Plesk is not signed (it has no DNSKEY or RRSIG records), so the DS record in the parent points to a key that the zone no longer publishes. Resolvers that validate DNSSEC cannot build a chain of trust into the zone, treat it as bogus and answer SERVFAIL; non-validating resolvers still answer normally. This is why the site works from some locations and not from others, and why Let's Encrypt (which validates) reports SERVFAIL. The whois output shows that the delegation is still marked as signed:

# whois example.com | grep 'DNSSEC\|Name'
Domain Name: EXAMPLE.COM
Name Server: ns1.externalnameserver.com
Name Server: ns2.externalnameserver.com
DNSSEC: signedDelegation
DNSSEC DS Data: 2371 8 2 05018AD82430B60DC43FC0816C98797BC62EB67E57AA98AABC82D7ACD5A8CBC1

A free online checker such as https://dnsviz.net/ reports errors like the following:

example.com/A: No RRSIG covering the RRset was returned in the response. (203.0.113.2, UDP_-_EDNS0_4096_D_KN)
com to example.com: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (203.0.113.2, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
com to example.com: The DS RRset for the zone included algorithm 8 (RSASHA256), but no DS RR matched a DNSKEY with algorithm 8 that signs the zone's DNSKEY RRset. (203.0.113.2, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
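To make the mismatch concrete, the following script (an added example, not part of the original article and not Plesk's own code) computes the DS record for a DNSKEY the way RFC 4034 defines it (key tag from Appendix B; digest over the canonical owner name followed by the DNSKEY RDATA, SHA-256 per RFC 4509) and compares it with the DS data the parent zone publishes. The DS data is the value from the whois output above. The DNSKEY is constructed for illustration: its public key is deliberately tiny so the key tag can be checked by hand, whereas a real RSASHA256 key is hundreds of bytes long. It shows both failure modes: a zone with no DNSKEY at all (the article's case) and a zone signed with a key the parent's DS does not describe (what the third dnsviz message reports, and what happens if the zone is re-signed in Plesk without publishing the new DS at the registrar).

```python
import base64
import hashlib
from dataclasses import dataclass

# DS data from the parent zone, as shown by whois above:
# "<key tag> <algorithm> <digest type> <digest>"
PARENT_DS_TEXT = "2371 8 2 05018AD82430B60DC43FC0816C98797BC62EB67E57AA98AABC82D7ACD5A8CBC1"

# Constructed DNSKEY in presentation format, standing in for the KSK of the zone
# after it is signed on the Plesk side. The public key is not a usable RSA key;
# it is short on purpose so the key tag (1806) can be verified by hand.
ZONE_DNSKEYS_TEXT = [
    "example.com. 3600 IN DNSKEY 257 3 8 AwEAAQABAAEAAQ==",
]


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, upper-case


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        # Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def parse_ds(text: str) -> DS:
    tag, alg, dtype, digest = text.split()
    return DS(int(tag), int(alg), int(dtype), digest.upper())


def parse_dnskey(text: str) -> DNSKEY:
    # "<owner> [<ttl>] [IN] DNSKEY <flags> <protocol> <algorithm> <base64 ...>"
    # dig may split the base64 key over several whitespace-separated chunks.
    fields = text.split()
    i = fields.index("DNSKEY")
    return DNSKEY(
        owner=fields[0],
        flags=int(fields[i + 1]),
        protocol=int(fields[i + 2]),
        algorithm=int(fields[i + 3]),
        public_key=base64.b64decode("".join(fields[i + 4:])),
    )


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case
    labels, each prefixed by its length, terminated by a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(key.rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS RDATA for a DNSKEY: digest(owner name wire form || DNSKEY RDATA),
    RFC 4034 section 5.1.4; digest type 2 (SHA-256) is defined in RFC 4509."""
    h = DIGESTS[digest_type](owner_wire(key.owner) + key.rdata).hexdigest().upper()
    return DS(key_tag(key), key.algorithm, digest_type, h)


def ds_matches_any(ds: DS, keys: list[DNSKEY]) -> bool:
    """True if the parent's DS describes one of the DNSKEYs the child serves.
    Without such a match a validating resolver has no secure entry point and
    answers SERVFAIL, which is exactly the symptom in this article."""
    if ds.digest_type not in DIGESTS:
        return False
    return any(ds_from_dnskey(k, ds.digest_type) == ds for k in keys)


if __name__ == "__main__":
    parent_ds = parse_ds(PARENT_DS_TEXT)
    print("unsigned zone served by Plesk, DS still in parent ->",
          "match" if ds_matches_any(parent_ds, []) else "no match: SERVFAIL")
    zone_keys = [parse_dnskey(t) for t in ZONE_DNSKEYS_TEXT]
    print("zone signed with a new key, old DS still in parent ->",
          "match" if ds_matches_any(parent_ds, zone_keys) else "no match: SERVFAIL")
    for k in zone_keys:
        print("DS to publish at the registrar for the new key:", ds_from_dnskey(k))
```

Run it as-is to see both mismatches and the DS that would have to replace the stale one; to check a real zone, paste the DS from whois or `dig DS example.com` and the DNSKEY records from `dig DNSKEY example.com` into the two constants.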
Resolution
Apply one of the solutions below.

Solution 1: stop using DNSSEC for the domain

- Remove the DS record for the domain from the parent zone on the external DNS side, for example, in the domain registrar's panel. The delegation then becomes unsigned and validating resolvers accept the unsigned zone served by Plesk. Allow the old DS record to expire from resolver caches (its TTL) before re-checking or retrying the Let's Encrypt issuance.

Solution 2: sign the zone in Plesk

- Remove the old DS records from the parent zone on the external DNS side.
- Log in to Plesk.
- Install the DNSSEC extension.
- Configure DNSSEC for the domain using the following guide.
- Publish the DS record that the DNSSEC extension generates for the new key in the parent zone (at the registrar). A DS record that does not match the DNSKEY actually served by the zone reproduces the same SERVFAIL failure.