Articles in this section

See more

Domain is not accessible from some locations after switching to Plesk nameservers due to DNSSEC misconfiguration

Avatar
Daniel Yordanov
Updated
Plesk for Linux kb: technical ext: sslit

Applicable to:

  • Plesk for Linux

Symptoms

  • Plesk website example.com is not reachable in some locations. A and/or NS DNS records are not available worldwide:

    # dig +short example.com
    Empty output

    # dig NS example.com +short
    Empty Output

  • Issuing/renewing a Let's Encrypt certificate may fail with the following error:

    PLESK_ERROR: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
    ...
    Status: 400
    Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for example.com - the domain's nameservers may be malfunctioning

    PLESK_ERROR: Unable to issue an SSL/TLS certificate for example.com
    ...
    Status: 400
    Detail: DNS problem: looking up A for example.com: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for example.com DNSSEC: DNSKEY Missing

  • The nameservers that are configured for the domain on the side of its domain registrar are still external (for example: ns1.externalnameserver.com  and ns2.externalnameserver.com ) and therefore the active primary DNS zone for the domain is the external one and not the local one on the side of the Plesk server

  • DNS was managed externally previously and nameservers have been recently changed to Plesk nameservers: ns1.example.com and ns2.example.com.

Cause

The issue is usually caused by one of the following:

  •   The nameservers that are configured for the domain on the side of the domain registrar for the domain are still external ones. This makes the active primary DNS zone external and the general configuration on the side of the domain registrar incorrect.

    OR

  •    The DNSSEC that was used on the external DNS zone side earlier is still active. The domain contains a DS record in its zone. The DNS zone is signed on the external DNS side, not in Plesk:

# whois example.com | grep 'DNSSEC\|Name'
Domain Name: EXAMPLE.COM
Name Server: ns1.externalnameserver.com
Name Server: ns2.externalnameserver.com
DNSSEC: signedDelegation
DNSSEC DS Data: 2371 8 2 05018AD82430B60DC43FC0816C98797BC62EB67E57AA98AABC82D7ACD5A8CBC1

Resolution

It is mandatory that you first go to the domain registrar for the domain and change the nameservers (DNS servers) that the domain is configured to use on that end from ns1.externalnameserver.com and ns2.externalnameserver.com to ns1.example.com and ns2.example.com, so that the domain can start using the primary DNS zone on the side of your Plesk server instead of some other primary DNS zone.

If issues persist afterwards, you may apply one of the solutions below:

To completely disable DNSSEC

Remove the DS record from the parent zone on the external DNS side, for example, using the domain registrar's panel.

To fix DNSSEC
  1. Remove old DS records from the parent zone on the external DNS side.
  2. Log into Plesk.
  3. Install the DNSSEC extension.
  4. Configure DNSSEC for the domain using the following guide.

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles