Symptoms
- Plesk Obsidian running on a Debian-based Linux operating system
- The DNS zone file of the Plesk domain is not updated, and the following error appears in /var/log/plesk/panel.log when adding a test record, for example, a TXT record:
[2023-10-20 09:14:00.293] 199026:653228b81861d ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/dnsmng' '--update' 'example.com' '--without-reverse'] with exit code [1]
[2023-10-20 09:14:00.293] 199026:653228b81861d ERR [panel] '/opt/psa/admin/bin/dnsmng' '--update' 'example.com' '--without-reverse' failed with code 1.
stdout:
stderr:
[20-Oct-2023 09:14:00 Europe/Madrid] PHP Fatal error: Uncaught PleskMultipleException: Error during example.com updateZone: dnsmng failed: in /opt/psa/admin/plib/Service/Dns/Connector/Plesk.php:14
Stack trace:
#0 /opt/psa/admin/plib/Service/Dns/Connector/Proxy.php(215): Service_Dns_Connector_Plesk->commitChanges()
#1 [internal function]: Service_Dns_Connector_Proxy->commitChanges()
#2 {main}
thrown in /opt/psa/admin/plib/Service/Dns/Connector/Plesk.php on line 14
- The following messages can be found in /var/log/syslog or messages:
dnsmng[214450]: Dns zone candidate file '/var/named/run-root/var/example.com.next' is not valid. Changes are reverted. Reason:
dnsmng[214450]: > /var/named/run-root/var/example.com.next:36: DS record at top of zone (example.com)
dnsmng[214450]: > /var/named/run-root/var/example.com.next:37: DS record at top of zone (example.com)
dnsmng[214450]: > /var/named/run-root/var/example.com.next:38: DS record at top of zone (example.com)
dnsmng[214450]: > /var/named/run-root/var/example.com.next:39: DS record at top of zone (example.com)
dnsmng[214450]: > zone example.com/IN: loading from master file /var/named/run-root/var/example.com.next failed: at top of zone
dnsmng[214450]: > zone example.com/IN: not loaded due to errors.
dnsmng[214450]: Candidate dns zone file for 'example.com' is invalid. Likely there is some inconsistency in the database
Cause
The DNSSEC extension is configured incorrectly: a DNS zone cannot include DS records for itself.
Delegation Signer (DS) records should be placed only in the parent zone of the domain (for example.com, the parent zone would be .com).
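The rule described above can be checked against a zone file before it is loaded. The following is an added example, not Plesk or BIND code: a simplified zone-file scan that reports DS records owned by the zone apex while accepting DS records for delegated child names. The function names and the sample zone (including its key tags and digests) are constructed for illustration, and multi-line records are only handled as far as skipping their continuation lines.

```python
import re

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"(\d+[smhdw]?)+", re.IGNORECASE)

# Constructed sample zone; key tags and digests are placeholders.
SAMPLE_ZONE = """\
$TTL 3600
@            IN SOA ns1.example.com. admin.example.com. ( 2023102001 10800 3600 604800 10800 )
@            IN NS  ns1.example.com.
example.com. IN DS  12345 13 2 0123ABCD
       86400 IN DS  12345 13 1 89EF0123
child        IN NS  ns1.child.example.com.
child        IN DS  54321 13 2 4567CDEF
"""

def absolute(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def apex_ds_records(zone_text, zone_name):
    """Return (line_number, line) for each DS record owned by the zone apex."""
    apex = zone_name.rstrip(".").lower() + "."
    origin, owner, hits = apex, None, []
    for number, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()      # drop trailing comment
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("$"):             # $ORIGIN, $TTL, $INCLUDE
            if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
                origin = absolute(fields[1], origin)
            continue
        if not line[0].isspace():                 # owner given on this line
            owner = absolute(fields[0], origin)
            fields = fields[1:]
        # Skip the optional TTL and class that precede the record type.
        while fields and (fields[0].upper() in CLASSES or TTL_RE.fullmatch(fields[0])):
            fields = fields[1:]
        if fields and fields[0].upper() == "DS" and owner == apex:
            hits.append((number, raw.strip()))
    return hits

if __name__ == "__main__":
    for number, line in apex_ds_records(SAMPLE_ZONE, "example.com"):
        print(f"line {number}: DS record at top of zone: {line}")
```

In the sample, lines 4 and 5 are reported (the second inherits the apex owner from the line above it), while the DS record for the delegated name child.example.com is not.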
Resolution
Configure DNSSEC for the affected domain by strictly following the instructions on this page of the Plesk Obsidian documentation:
Configuring DNSSEC for a Domain | Plesk Obsidian documentation