Applicable to:
- Plesk for Linux
Symptoms
- Plesk website example.com is not reachable in some locations. A and/or NS DNS records are not available worldwide:
# dig +short example.com
Empty output
# dig NS example.com +short
Empty output
- Issuing/renewing a Let's Encrypt certificate may fail with the following error:
PLESK_ERROR: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
...
Status: 400
Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for example.com - the domain's nameservers may be malfunctioning
PLESK_ERROR: Unable to issue an SSL/TLS certificate for example.com
...
Status: 400
Detail: DNS problem: looking up A for example.com: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for example.com DNSSEC: DNSKEY Missing
- The nameservers that are configured for the domain on the side of its domain registrar are still external (for example: ns1.externalnameserver.com and ns2.externalnameserver.com) and therefore the active primary DNS zone for the domain is the external one and not the local one on the side of the Plesk server.
- DNS was managed externally previously and nameservers have been recently changed to Plesk nameservers: ns1.example.com and ns2.example.com.
Cause
The issue is usually caused by one of the following:
- The nameservers configured for the domain at the domain registrar are still the external ones. This makes the external DNS zone the active primary zone, and the configuration on the registrar side is incorrect.
OR
- DNSSEC that was used earlier on the external DNS zone side is still active. A DS record for the domain is still published in the parent zone, while the DNS zone is signed on the external DNS side, not in Plesk:
# whois example.com | grep 'DNSSEC\|Name'
Domain Name: EXAMPLE.COM
Name Server: ns1.externalnameserver.com
Name Server: ns2.externalnameserver.com
DNSSEC: signedDelegation
DNSSEC DS Data: 2371 8 2 05018AD82430B60DC43FC0816C98797BC62EB67E57AA98AABC82D7ACD5A8CBC1
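The whois check above as a reusable script, covering both causes. This is an added example, not part of the original article: the function name check_delegation, its finding labels and the placeholder digest are assumptions, and the field names follow the whois output shown above.

```shell
#!/bin/sh
# Added example: flag registrar-side causes from whois output (reads stdin).
# Live use (assumes the whois client is installed):
#   whois example.com | check_delegation ns1.example.com ns2.example.com

# check_delegation EXPECTED_NS...
# Prints one finding per line, or "ok" when neither cause is present.
check_delegation() {
    whois_text=$(cat)
    findings=""
    # Nameservers the registry delegates to, lowercased, trailing CR/space cut.
    delegated=$(printf '%s\n' "$whois_text" | awk -F': *' '
        tolower($1) ~ /name server/ {
            ns = tolower($2); gsub(/[ \t\r]+$/, "", ns)
            if (ns != "") print ns
        }')
    for ns in $delegated; do
        match=no
        for want in "$@"; do
            if [ "$ns" = "$want" ]; then match=yes; fi
        done
        if [ "$match" = no ]; then
            findings="${findings}external-ns:${ns}
"
        fi
    done
    # A DS record at the registry makes validating resolvers require a
    # matching DNSKEY from whichever nameservers answer for the zone.
    if printf '%s\n' "$whois_text" | grep -qi 'DNSSEC DS Data'; then
        findings="${findings}ds-published
"
    fi
    if [ -z "$findings" ]; then echo ok; else printf '%s' "$findings"; fi
}

# Constructed sample modelled on the whois output above (digest replaced).
sample_whois() {
    cat <<'EOF'
Domain Name: EXAMPLE.COM
Name Server: ns1.externalnameserver.com
Name Server: ns2.externalnameserver.com
DNSSEC: signedDelegation
DNSSEC DS Data: 2371 8 2 CONSTRUCTED-PLACEHOLDER-DIGEST
EOF
}

sample_whois | check_delegation ns1.example.com ns2.example.com
```

A ds-published finding is only a problem while the zone served from Plesk is not signed with the key that the DS record refers to.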
Resolution
First, at the domain registrar, change the nameservers (DNS servers) that the domain is configured to use from ns1.externalnameserver.com and ns2.externalnameserver.com to ns1.example.com and ns2.example.com, so that the domain starts using the primary DNS zone on your Plesk server instead of some other primary DNS zone. This step is mandatory.
If issues persist afterwards, you may apply one of the solutions below:
Remove the DS record from the parent zone on the external DNS side, for example, using the domain registrar's panel.
OR
- Remove old DS records from the parent zone on the external DNS side.
- Log into Plesk.
- Install the DNSSEC extension.
- Configure DNSSEC for the domain using the following guide.