Applicable to:
- Plesk for Linux
Symptoms
- Plesk website example.com is not reachable in some locations. A and/or NS DNS records are not available worldwide:
# dig +short example.com
Empty output
# dig NS example.com +short
Empty Output
- Issuing/renewing a Let's Encrypt certificate may fail with the following error:
PLESK_ERROR: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
...
Status: 400
Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for example.com - the domain's nameservers may be malfunctioning
PLESK_ERROR: Unable to issue an SSL/TLS certificate for example.com
...
Status: 400
Detail: DNS problem: looking up A for example.com: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for example.com DNSSEC: DNSKEY Missing
- DNS was managed externally previously and nameservers have been recently changed to Plesk nameservers: ns1.example.com and ns2.example.com.
- DNSSEC is still active on the external DNS side, not on the Plesk side:
# whois example.com | grep 'DNSSEC\|Name'
Domain Name: EXAMPLE.COM
Name Server: ns1.externalnameserver.com
Name Server: ns2.externalnameserver.com
DNSSEC: signedDelegation
DNSSEC DS Data: 2371 8 2 05018AD82430B60DC43FC0816C98797BC62EB67E57AA98AABC82D7ACD5A8CBC1
Cause
The issue commonly appears when the nameservers configured for the domain at the domain registrar are still the external ones for some locations, because the global domain propagation has not completed everywhere yet.
The global domain propagation often cannot complete while the DNSSEC that was used earlier on the external DNS zone side is still active.
Resolution
It is mandatory that you first go to the domain registrar for the domain and do the following:
1. Change the nameservers (DNS servers) that the domain is configured to use on that end from ns1.externalnameserver.com and ns2.externalnameserver.com to ns1.example.com and ns2.example.com, so that the domain can start using the primary DNS zone on the side of your Plesk server instead of some other primary DNS zone.
2. Disable DNSSEC completely by removing the DS record from the parent zone on the external DNS side (this is done via the domain registrar's own panel).
3. After the steps above have been completed and you have confirmed that the domain is using the new nameservers all around the globe (via a website such as this one), if you want to enable DNSSEC for this domain in Plesk, you can do the following:
3.1. Log into Plesk
3.2. Install the DNSSEC extension.
3.3. Configure DNSSEC for the domain using this guide
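The checks behind steps 1 to 3, as an added shell example that is not part of the original article: it reports delegated nameservers that are not the Plesk ones and whether a DS record is still published while the new nameserver serves no DNSKEY. It assumes dig is installed; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes dig (dnsutils / bind-utils).

# Lowercase names and strip the trailing dot that dig prints.
normalize() { tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u; }

# Print delegated nameservers that are NOT in the expected (Plesk) set.
# $1: newline-separated delegated NS names, $2: newline-separated expected names.
unexpected_ns() {
    expected_set=$(printf '%s\n' "$2" | normalize)
    printf '%s\n' "$1" | normalize | while read -r ns; do
        [ -n "$ns" ] || continue
        printf '%s\n' "$expected_set" | grep -qxF "$ns" || printf '%s\n' "$ns"
    done
}

# Classify the DNSSEC state from the DS answer (parent zone) and the DNSKEY
# answer (new authoritative nameserver). Empty string means "no record".
classify_dnssec() {
    ds=$1
    dnskey=$2
    if [ -n "$ds" ] && [ -z "$dnskey" ]; then
        echo "broken"        # DS at parent, no DNSKEY served: validators return SERVFAIL
    elif [ -n "$ds" ]; then
        echo "signed"        # valid only if the DS was generated from this DNSKEY
    elif [ -n "$dnskey" ]; then
        echo "signed-no-ds"  # zone signed, not yet anchored in the parent zone
    else
        echo "unsigned"      # DNSSEC fully disabled
    fi
}

# Usage: check_domain example.com ns1.example.com ns2.example.com
check_domain() {
    domain=$1; shift
    expected=$(printf '%s\n' "$@")
    # +cd disables validation at the resolver so a broken chain still answers.
    # The result is this resolver's view; repeat from other locations.
    delegated=$(dig +cd +short NS "$domain")
    ds=$(dig +cd +short DS "$domain")            # DS lives in the parent zone
    dnskey=$(dig +norecurse +short DNSKEY "$domain" "@$1")
    echo "unexpected nameservers: $(unexpected_ns "$delegated" "$expected" | tr '\n' ' ')"
    echo "DNSSEC state: $(classify_dnssec "$ds" "$dnskey")"
}

if [ "$#" -ge 2 ]; then check_domain "$@"; fi
```

A result of "broken" corresponds to the "DNSKEY Missing" error shown under Symptoms and means step 2 has not taken effect yet.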