Symptoms
-
Plesk website
example.comis not reachable in some locations. A and/or NS DNS records are not available worldwide:# dig +short example.com
Empty output# dig NS example.com +short
Empty Output -
Issuing/renewing a Let's Encrypt certificate may fail with the following error:
Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.
...
Status: 400
Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for example.com - the domain's nameservers may be malfunctioning
Unable to issue an SSL/TLS certificate for example.com
...
Status: 400
Detail: DNS problem: looking up A for example.com: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for example.com DNSSEC: DNSKEY Missing -
DNS was managed externally previously and nameservers have been recently changed to Plesk nameservers:
ns1.example.comandns2.example.com.
Cause
The issue is caused by the DNSSEC that was used on the external DNS side earlier. The domain contains a DS record in its zone. The DNS zone is signed on the external DNS side, not in Plesk:
# whois example.com | grep 'DNSSEC|Name'
Domain Name: EXAMPLE.COM
Name Server: ns1.externalnameserver.com
Name Server: ns2.externalnameserver.com
DNSSEC: signedDelegation
DNSSEC DS Data: 2371 8 2 05018AD82430B60DC43FC0816C98797BC62EB67E57AA98AABC82D7ACD5A8CBC1
Resolution
Apply one of the solutions below:
To completely disable DNSSEC
Remove the DS record from the parent zone on the external DNS side, for example, using the domain registrar's panel.
To fix DNSSEC
- Remove old DS records from the parent zone on the external DNS side.
- Log into Plesk.
- Install the DNSSEC extension.
- Configure DNSSEC for the domain using the following guide.