
Forwarded to devs DNSSEC and CAA not working

Status
Not open for further replies.

PReimers

New Pleskian
TITLE:
CAA entry is not covered by DNSSEC
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Ubuntu 16.04, Plesk 17.8.11, MU #1
PROBLEM DESCRIPTION:
After adding a CAA entry in DNS (and waiting several days) a DNS query responds with:
id 12345
opcode QUERY
rcode SERVFAIL
flags QR RD RA
;QUESTION
example.com. IN CAA
;ANSWER
;AUTHORITY
;ADDITIONAL

STEPS TO REPRODUCE:
  1. Enable (and configure) DNSSEC
  2. Add a CAA Entry to the DNS
  3. Wait for the DNS to update
ACTUAL RESULT:
The CAA record is not covered by the DNSSEC. This causes a SERVFAIL.
EXPECTED RESULT:
The CAA record should be covered by the DNSSEC. No DNS Error should occur.
ANY ADDITIONAL INFORMATION:
Current Workaround: Disable DNSSEC
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Thank you for the report.
Could you reproduce it on your server with debug enabled in panel.ini and provide panel.log here?
 
Please give me some time to reproduce it.

Currently I disabled DNSSEC on the affected domains.

I'll post an update as soon as it is available.
 
Never mind.

All of a sudden, I can't reproduce it anymore :confused:

Maybe I was too quick in my first test (when adding the CAA entry to a DNSSEC-signed domain).

Please close this thread/ticket -> can't reproduce.

What I've tested:
Test 1 (new domain):
  1. Register a new domain
  2. Add Domain to Plesk
  3. Add CAA Entry to DNS
  4. Wait for DNS to update
  5. Add DNSSEC
  6. Wait for DNS to update
  7. Test -> everything correct
Test 2 (domain with CAA entry / without DNSSEC):
  1. Add DNSSEC
  2. Wait for DNS to update
  3. Test -> everything correct

Btw. The panel.log didn't show anything.
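
A check for the condition reported in this thread, added here as an example (not part of the original posts and not Plesk code): given the answer section that `dig +dnssec` prints for the CAA query, it lists every RRset that has no RRSIG valid at the time of the check. The function name, sample records, key tag, signature and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

def _ts(s):
    # RRSIG timestamps in presentation format are YYYYMMDDHHMMSS, in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def unsigned_rrsets(answer_text, now):
    """Return sorted (owner, type) RRsets that lack an RRSIG valid at `now`.

    `answer_text` is the answer section as printed by
    `dig +dnssec +noall +answer CAA <zone> @<authoritative server>`.
    """
    rrsets, covered = set(), set()
    for line in answer_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";") or f[2].upper() != "IN":
            continue  # blank line, comment, or not a record
        owner, rtype = f[0].lower(), f[3].upper()
        if rtype != "RRSIG":
            rrsets.add((owner, rtype))
            continue
        if len(f) < 13:
            continue  # truncated RRSIG, cannot be counted as coverage
        # RRSIG rdata order: type-covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature
        type_covered = f[4].upper()
        expiration, inception = _ts(f[8]), _ts(f[9])
        if inception <= now <= expiration:
            covered.add((owner, type_covered))
    return sorted(rrsets - covered)

# Constructed sample answers (not captured from a real server).
SIGNED = '''
example.com. 3600 IN CAA 0 issue "ca.example.net"
example.com. 3600 IN RRSIG CAA 8 2 3600 20180501000000 20180401000000 12345 example.com. c2FtcGxl
'''
UNSIGNED = '''
example.com. 3600 IN CAA 0 issue "ca.example.net"
'''
NOW = datetime(2018, 4, 15, tzinfo=timezone.utc)
BEFORE_INCEPTION = datetime(2018, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, text, when in (("signed", SIGNED, NOW), ("unsigned", UNSIGNED, NOW),
                             ("too early", SIGNED, BEFORE_INCEPTION)):
        print(name, unsigned_rrsets(text, when))
```

Query the authoritative name server directly for this check: a validating resolver that hits the failure returns SERVFAIL with an empty answer section, so there is nothing to inspect.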
 