I have the following situation:
DA-1-server (ns1) (installed 2 years ago)
- user with domain xxxxxx.nl
DA-2-server (ns2) (recently installed, a month ago)
- user with domain magento.xxxxxx.nl
DNSSEC is enabled and working correctly for the domain, SSL included.
The major problem is the subdomain, hosted on the second server:
Problem 1: I can't get SSL working
Error: CAA record prevents issuing the certificate: SERVFAIL
So, I added (both) CAA records on the main server:
xxxxxx.nl. CAA 0 issue "letsencrypt.org"
xxxxxx.nl. CAA 0 issuewild "letsencrypt.org"
But that doesn't work... What am I doing wrong?
I tried it with a new domain/user account - that's working well.
Problem 2: DNSSEC is giving problems
The analyzer gives the following errors (https://dnssec-analyzer.verisignlabs.com/magento.xxxxxx.nl):
- None of the 2 DNSKEY records could be validated by any of the 2 DS records
- The DNSKEY RRset was not signed by any keys in the chain-of-trust
The multi-server setup automatically added the DS records for magento.xxxxxx.nl to the DNS records of xxxxxx.nl.
And the following errors:
- Nameserver ns1.reliahost.nl/136.144.171.59 returned a DS record created by algorithm 1 (SHA-1) which is deprecated, while it is still widely used. The DS record is for the DNSKEY record with keytag 25789 in zone magento.xxxxxx.nl.
- No DS record had a DNSKEY with a matching keytag.
- Delegation from parent to child is not properly signed (no_dnskey).
I tried a lot, searched, etc., but can't find any solution.
First, what I need to do is upgrade the algorithm (SHA1) to SHA-256.
In the file /usr/local/directadmin/scripts/dnssec.sh I found this:
ENC_TYPE=RSASHA1
# DNSSEC_KEYGEN (the path to dnssec-keygen) is assumed to be set earlier in dnssec.sh;
# the script switches to RSASHA256 only when the installed dnssec-keygen advertises it
if [ `$DNSSEC_KEYGEN -h 2>&1 | grep -c RSASHA256` -gt 0 ]; then
    ENC_TYPE=RSASHA256
fi
Do I need to change ENC_TYPE to RSASHA256 only and re-run the script?
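Added example, not part of the original post or of DirectAdmin's dnssec.sh: this script shows what the analyzer's "no DS record had a DNSKEY with a matching keytag" and "DS created by algorithm 1 (SHA-1)" findings actually test, by computing the key tag of a DNSKEY and the DS digests the parent should publish (RFC 4034) and comparing a parent DS set against the child's DNSKEY set. It also separates the two numbers that are easy to mix up here: ENC_TYPE in the script picks the DNSKEY algorithm (RSASHA1 = 5, RSASHA256 = 8), while the SHA-1 the analyzer complains about is the DS digest type (1 versus 2). The DNSKEY bytes and the stale DS are constructed placeholders, not real key material; the owner name is the post's subdomain.

```python
import hashlib

# Algorithm and digest-type numbers from the IANA DNSSEC registries.
RSASHA1, RSASHA256 = 5, 8    # DNSKEY algorithm numbers (what ENC_TYPE in dnssec.sh selects)
DS_SHA1, DS_SHA256 = 1, 2    # DS digest types; type 1 is what the analyzer flagged as deprecated
DIGEST = {DS_SHA1: hashlib.sha1, DS_SHA256: hashlib.sha256}

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name such as 'magento.xxxxxx.nl.'."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS record the parent zone should publish for this DNSKEY (RFC 4034, section 5.1.4)."""
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def check_delegation(owner, ds_records, dnskeys):
    """Compare the parent's DS set with the child's DNSKEY set, one DS at a time."""
    findings = []
    for ds in ds_records:
        tagged = [k for k in dnskeys if key_tag(k) == ds["key_tag"]]
        digest_match = ds["digest_type"] in DIGEST and any(
            make_ds(owner, k, ds["digest_type"])["digest"] == ds["digest"].lower() for k in tagged)
        findings.append({"key_tag": ds["key_tag"], "keytag_match": bool(tagged),
                         "deprecated_digest": ds["digest_type"] == DS_SHA1, "digest_match": digest_match})
    # The chain of trust holds as soon as one DS verifies one DNSKEY in the child's set.
    return {"chain_ok": any(f["digest_match"] for f in findings), "findings": findings}

if __name__ == "__main__":
    key = dnskey_rdata(257, 3, RSASHA256, b"\x01\x02\x03\x04")  # constructed placeholder, not a real key
    # Constructed stale DS mimicking the analyzer's report: SHA-1 digest, key tag 25789 that no DNSKEY has.
    stale = {"key_tag": 25789, "algorithm": RSASHA1, "digest_type": DS_SHA1, "digest": "00" * 20}
    print(check_delegation("magento.xxxxxx.nl.", [stale, make_ds("magento.xxxxxx.nl.", key, DS_SHA256)], [key]))
```

Run against real data, the DS set would be what `dig DS magento.xxxxxx.nl` returns from the parent (ns1) and the DNSKEY set what the child zone on ns2 serves; a DS whose key tag matches nothing in the child is exactly the "no_dnskey" delegation failure the analyzer reports.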