Can not setup website subdomain.domain.tld via ISPConfig 3.1

Discussion in 'Server Operation' started by filius, Oct 4, 2020.

  1. filius

    filius New Member

    Hello to all. Maybe you can help me to find a solution for this:
    I am using an ISPConfig 3.1 installation on Debian Buster minimal. I have got DNSSEC setup. Everything so far is working fine, except if
    I want to set up a subdomain website with its own webspace,
    which does not resolve (Server not found error).
    I did add an A record to my DNS to point it to my IP
    host: subdomain
    IP: 1.2.3.4
    TTL: 3600
    Active: ticked
    ( I also tried with host: subdomain.domain.tld. when host: subdomain did not work)
    I then created a new website with domain: subdomain.domain.tld and the most basic settings as follows:
    Server: server1.mydomain.com
    Client: client
    IPv4-Address: *
    IPv6-Address:
    Domain: subdomain.domain.tld
    Document Root: /var/www/clients/client1/web2
    Harddisk Quota: -1
    Traffic Quota: -1
    CGI: No
    SSI: No
    Perl: No
    Ruby: No
    Python: No
    SuEXEC: YES
    Own Error-Documents: YES
    Auto-Subdomain: None
    SSL: No
    Let's Encrypt SSL: No
    PHP: Disabled
    Web server config:
    Active: YES

    BTW if I redirect subdomain.domain.tld to domain.tld/subdomain that works just fine, but I would like to have its own webroot (like /var/www/clients/client1/web2/web/) for subdomain.domain.tld apart from the webroot of domain.tld (like /var/www/clients/client1/web1/web/).
    I have tried to do service bind9 reload and service bind9 restart, but to no avail.
    So right now I am investigating where I missed something, or whether this is a feature of ISPConfig that I am not understanding rightly. Could you point me to a good tutorial (apart from the ISPConfig 3.1 tut, which I already have consulted - hopefully not omitting some info that would make this thread unnecessary)?
    Thank you!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    But this means you have a DNS problem and not a problem with setting up a website in ISPConfig as you mentioned in the headline. When the request from the browser does not even reach your server, as that's what "server not found" in your browser means, then the issue is not related to setting up a website in ISPConfig.

    Check your DNS zone on the authoritative DNS server of that domain (this is most likely the DNS server at the company where you rented that domain and not the BIND server on your ispconfig system) again and take care that you waited 24 hours after you added the A-Record to ensure that the new DNS record has been propagated to the DNS mirrors.
     
  3. filius

    filius New Member

    Thank you for the fast reply. I waited >24 hours every time I did a change. I checked the DNS zone; this is the pri.domain.tld file:
    ---------------------------
    $TTL 3600
    @ IN SOA ns1.mydomain.com. web.domain.tld. (
    2020100402 ; serial, todays date + todays serial #
    3600 ; refresh, seconds
    540 ; retry, seconds
    604800 ; expire, seconds
    3600 ) ; minimum, seconds
    ;

    subdomain 3600 A 1.2.3.4
    mail 3600 A 1.2.3.4
    domain.tld. 3600 A 1.2.3.4
    www 3600 A 1.2.3.4
    domain.tld. 3600 CAA 0 issue "letsencrypt.org"
    domain.tld 3600 DS 8888 13 1 Digest§
    domain.tld 3600 DS 8888 13 2 Digest$
    domain.tld. 3600 MX 10 mail.domain.tld.
    domain.tld. 3600 NS ns1.mydomain.com.
    domain.tld. 3600 NS ns2.mydomain.com.
    default._domainkey.domain.tld. 3600 TXT "v=DKIM1; t=s; p=Q$
    domain.tld. 3600 TXT "v=spf1 mx a ~all"
    _dmarc.domain.tld. 3600 TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]$

    $INCLUDE Kdomain.tld.+013+8888.key

    $INCLUDE Kdomain.tld.+013+88888.key
    --------------------------------------------
    domain.tld resolves fine, just the subdomain does not resolve, even though the A record is in the zone file.
    ns1.mydomain.com and ns2.mydomain.com are on the same ISPConfig installation as domain.tld
    I set "glue records" for ns1.mydomain.com and ns2.mydomain.com at the registrar's web portal, the only bad thing is that I used the same IP address 1.2.3.4 there for both ns1 and ns2, since right now I only have one IP address. I will try to remedy this and get another (second) IP-address from a different subnet next week.
    server1.mydomain.com, ns1.mydomain.com and ns2.mydomain.com have an A record in the zone file of mydomain.com.
    mydomain.com and domain.tld both have their nameservers set to "custom" at the registrars, pointing to ns1.mydomain.com and ns2.mydomain.com. I know this setup is not ideal, but it is the best I could come up with for now.
    Thank you again for your insights (I have been investigating this "challenge" for days and it drives me nuts...)
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Instead of
    Code:
    subdomain
    write
    Code:
    subdomain.domain.com.
    and remember the dot at the end of the FQDN. See my signature for a link to a DNS tutorial; it explains this and has info on how to test.
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the real domain name so we can query it?

    Adding a second address would not help a lot for redundancy. You need 2 servers, on separate locations, to set up your name servers properly.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    And the question that remains is whether your ISPConfig server is really the authoritative DNS server for that domain, because otherwise it makes no sense to add the subdomain in the zone at ISPConfig, as it needs to be added at the authoritative DNS server instead.
     
  7. filius

    filius New Member

    Yes, thank you for the advice. I did change it to subdomain.domain.tld. again, like 10 hours ago. I have to wait some more time to see results.
     
  8. filius

    filius New Member

    @Th0m well, I ran dig and dig +trace and the nameservers supposedly are working. Tomorrow I will have more time and put the output here. I also used DNS Checker and some other tools, and domain.tld and mydomain.com are resolving fine; I get email. DNSSEC looks all green. It is really strange, like there is something "stuck" and it can't resolve the subdomain. There was an incident at the server about two weeks ago, when the ISP pulled through a maintenance job and afterwards my VPS was in a read-only status. It took them a couple of hours to clear this. I cannot give you the real domain name in the forum, unfortunately.

    @Taleman Thank you for the advice. I tried with subdomain.domain.tld. before, but did it again today, so let's see if it brings something. And yes, I studied your article about DNS server setup. Good info.

    @till I am out of ideas for now, and will try on another server in the next days (asap). The current NS of mydomain.com is the authoritative server for domain.tld; if not, it would not show up in DNS Checker's Start of Authority, I guess?:
    ---------------------------------------
    id 23456
    opcode QUERY
    rcode NOERROR
    flags QR RD RA
    ;QUESTION
    domain.tld. IN SOA
    ;ANSWER
    domain.tld. 3600 IN SOA ns1.mydomain.com. web.domain.tld. 2020091108 3600 540 604800 3600

    ;AUTHORITY
    domain.tld. 3600 IN NS ns1.mydomain.com.
    domain.tld. 3600 IN NS ns2.mydomain.com.
    ;ADDITIONAL
    ns1.mydomain.com. 3599 IN A 1.2.3.4
    ns2.mydomain.com. 3599 IN A 1.2.3.4
    ---------------------------------------------------------
    mydomain.com is on the same server1.mydomain.com as domain.tld. There exists an A record for server1, ns1.mydomain.com. and ns2.mydomain.com. in the zone for mydomain.com. I will for sure report back on the issue here.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not reinstall, I guess this will not help. Please post your real domain name incl. subdomain so we can test it and see what it returns.
     
  10. filius

    filius New Member

    Hello all, sorry for the long silence, I was quite busy with other stuff. I managed to resolve the subdomain challenge and now those are getting happily resolved. Here are my 2 cents on what I have learned so far (Debian Buster Minimal, bind9, DNSSEC):

    - Be patient with ISPConfig. If you change some configuration, better wait until ISPConfig is ready with its internal works, so there are no "hiccups".

    - under /etc/bind/ - in my installation of ISPConfig 3.1 I have the following (among others) file types:
    + unsigned (e.g. pri.mydomain.com)
    + signed (e.g. pri.mydomain.com.signed) - only if you work with DNSSEC, I suppose?
    + error (e.g. pri.mydomain.com.error)
    + keys (e.g. Kmydomain.com.+13+[keyid].key and Kmydomain.com.+13+[keyid].private)
    + DS records (e.g. dsset-mydomain.com.)
    Whenever you make an error in one of your zone files in ISPConfig - for example forgetting the final full stop, like writing subdomain.domain.tld instead of doing it correctly like subdomain.domain.tld. (thank you @Taleman) - then a *.error file gets generated and
    the zone file is not taken into consideration for an update. So you have to find all errors and correct them all before the *.error file disappears and the update of the zone record takes place. You see this if the *.signed
    Also check the records made automatically (?) by Let's Encrypt (LE), whether those are all ok and looking good.

    - a lot of my "mea culpa" has to do with not fully understanding the workings of DNSSEC.

    I think it is important to switch on DNSSEC at the last possible moment, when all of the DNS configuration, LE, email, webs etc. is working plain OK. If you do it earlier, then be prepared to re-sign the whole chain after every change in the zone file.

    I use bind9 (I have read PowerDNS is different) and found that in order to re-sign the zone file, I first needed to remove the checkmarks from DNSSEC signing in the zone form of ISPConfig and save the form; second, I needed to delete the key files of the zone to be re-signed via ssh (e.g. # rm /etc/bind/Kdomain.tl*), and at one time I also had to cp /etc/bind/dsset-mydomain.com /etc/bind/dsset-mydomain.com.bak && rm /etc/bind/dsset-mydomain.com so mydomain.com would finally get signed with a new serial.

    If the DNS check test at mxtoolbox.com spits out old serials, different from the ones in your zone form in ISPConfig, then you definitely need to check in /etc/bind for error and signed files.

    - now I only have to solve the LE challenge, because the SSL (wildcard) certificates are working for one site with subdomains, but not for the other site (nor its subdomains). It is like the process of updating or giving out certs by LE is stuck somewhere. Back to study.

    Thank you @till, @Th0m, @Taleman for your good advice - it was well used. I hope to contribute something here as well in the future, when I have evolved from the noob state.
     
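The trailing-dot point Taleman raised and the *.error-file behaviour filius describes both come down to one BIND rule: an owner name without a trailing dot is relative to the zone origin. The script below is an added example written for this thread, not code from the thread, from ISPConfig or from BIND. It expands names the way BIND does over a constructed zone snippet modelled on the posted pri.domain.tld file, and flags the doubled-origin names that result from writing an FQDN without its final dot. The $ORIGIN line, the origin= parameter and the function names are assumptions of the example; a real ISPConfig zone file takes its origin from the zone name in named.conf instead.

```python
"""Added example (not from the thread, ISPConfig or BIND): expand zone-file
owner names relative to $ORIGIN the way BIND does, and flag the names that a
missing trailing dot silently produces."""

# Constructed sample, modelled on the pri.domain.tld file posted in the
# thread. The third A record deliberately omits the trailing dot, which is
# the mistake discussed above.
SAMPLE_ZONE = """\
$ORIGIN domain.tld.
$TTL 3600
@ IN SOA ns1.mydomain.com. web.domain.tld. (
        2020100402 ; serial
        3600       ; refresh
        540        ; retry
        604800     ; expire
        3600 )     ; minimum
subdomain             3600 A  1.2.3.4
subdomain.domain.tld. 3600 A  1.2.3.4
subdomain.domain.tld  3600 A  1.2.3.4
www                   3600 A  1.2.3.4
domain.tld.           3600 MX 10 mail
"""

# Record types whose last rdata field is a domain name and therefore also
# subject to origin expansion (a second common source of doubled names).
TARGET_TYPES = {"NS", "MX", "CNAME", "PTR"}


def absolutize(name, origin):
    """BIND's rule: '@' is the origin, a name ending in '.' is already
    absolute, anything else is relative and gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_records(zone_text, origin=None):
    """Return (owner, type, rdata) triples with all names made absolute.
    'origin' is the zone name from named.conf; a $ORIGIN line overrides it.
    Multi-line SOA records in parentheses are skipped after their first line."""
    records = []
    in_paren = False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if in_paren:                          # still inside '( ... )'
            if ")" in line:
                in_paren = False
            continue
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):         # $TTL, $INCLUDE, ...
            continue
        if origin is None:
            raise ValueError("zone origin unknown: pass origin= or add $ORIGIN")
        if "(" in line and ")" not in line:
            in_paren = True
        owner = absolutize(tokens[0], origin)
        rest = [t for t in tokens[1:] if t not in ("(", ")")]
        # skip the optional TTL and class fields to reach the RR type
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)
        rrtype, rdata = rest[0].upper(), rest[1:]
        if rrtype in TARGET_TYPES and rdata:
            rdata[-1] = absolutize(rdata[-1], origin)
        records.append((owner, rrtype, rdata))
    return records


def find_doubled_origin(records, origin):
    """Flag owner names whose trailing labels are the origin twice in a row,
    the tell-tale result of writing an FQDN without its trailing dot."""
    olabels = origin.rstrip(".").split(".")
    n = len(olabels)
    flagged = []
    for owner, _, _ in records:
        labels = owner.rstrip(".").split(".")
        if len(labels) >= 2 * n and labels[-n:] == olabels and labels[-2 * n:-n] == olabels:
            flagged.append(owner)
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_ZONE)
    for owner, rrtype, rdata in recs:
        print(f"{owner:40} {rrtype:5} {' '.join(rdata)}")
    print("suspicious owner names:", find_doubled_origin(recs, "domain.tld."))
```

Running it shows that `subdomain` and `subdomain.domain.tld.` both become `subdomain.domain.tld.`, while `subdomain.domain.tld` without the dot becomes `subdomain.domain.tld.domain.tld.`, a name nobody queries, which is why the record can sit in the zone file and still never answer. The same check on a zone you are about to load is a cheap way to catch the mistake before it ends up as an *.error file, alongside BIND's own `named-checkzone`.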
