Can't reach my website (DNSSEC)

Hello, I have my website on Cloudflare Workers, and yesterday when I tried to access my website everything worked fine; however, my Stripe webhook could not reach it. I added a whitelist for Stripe IPs and that did not help. However, today my website stopped working entirely from my network. I suspect that there is a problem with DNSSEC, but I am pretty sure I set up everything correctly, so I'd like to ask if maybe someone from the Cloudflare team could look at where the problem is and why I cannot access my website, now for nearly 40 hours. Thank you

Hi @brebera

I am quite experienced with building serverless websites using Cloudflare Workers, Shopify and Stripe.

From what you have described, I don't think it's an issue between Stripe and your Worker but rather something on your Cloudflare end, be it the Worker script itself, or the DNS, or something else in your Cloudflare setup.

Would you mind sharing the domain for your website? I can start by having a look at that end and checking your DNSSEC as you said.

Hello, I am not feeling quite comfortable with sharing access to my dashboard with anyone outside the Cloudflare team, so I can just try to describe to you what I discovered so far. The Worker itself is working fine as far as I know (while running on everything seems just fine).

I set up my domain by setting nameservers and (public key which was required) on some less known provider, but I am pretty convinced I did it right (not sure though). The website itself works when I try to connect from my mobile data (I thought it's just waiting time for DNS to be fully available, but as it's now been like two days already I think that's not the case) but won't work anywhere else when I'm on WiFi.

I've seen other people here on the Cloudflare community having issues with DNSSEC lately and discovered this tool which is supposed to show issues with DNS - DNSVIZ. This just confirms there is an issue with DNSSEC, but I've got no idea how to fix it. I would appreciate any help you can provide me. Thank you in advance.

I wasn’t asking for access to your Cloudflare dashboard. I was just asking if you can share (tell me) your domain name.

Thanks for sharing the domain. I will have a look now. It is likely DNSSEC from what you described.

Can you please send a screenshot of your DS record entry at your registrar? Feel free to censor the image field values.

You can check all the information here

And what's the status in your Cloudflare DNS dashboard saying?

Does it, or did it ever, say “Success! is protected with DNSSEC.”?

It says “DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.” but for much longer than an hour.

But the DS records should be alright according to DNSVIZ, shouldn’t they?

If I ignore DNSSEC on my end, then your website is working fine.

I think you need to re-check that the DS records in your registrar match what you have been provided by Cloudflare. Click on the “DS Record” button beside “Help” to reveal your DS records again.

Check your “Key tag” value is correct

Yes, the public key should be matching what’s in WHOIS and in the registrar dashboard. Algorithm provided is what I’ve done according to guide here on Cloudflare.

Double check your key tag please.

Okay, my Cloudflare dashboard says ---- for my key tag, but I have no idea how to set/see the key tag at my provider.

The key tag value is the issue.

If your provider doesn't let you view/edit your DS record from your customer portal, then it's best to just delete your DS record in the portal and then re-create it.

“Customer portal” referring to your registrar's backend, not Cloudflare.

Okay, my registrar said that's not possible to set the key tag on this type of domain.

Which means the only thing I can do is remove the whole KEYSET to make my site work, which is not ideal but it should at least work now.

Is there any way to force the key tag value through any of these? (flag, algorithm, protocol, public key)

//EDIT: Okay just removed whole DNSSEC and website is working, but there is an issue with SSL certificate not being present and i hope that will fix itself

I think your registrar is just saying it to you so they don’t need to make any effort to help. Did you try deleting the DS record yourself and re-entering it all again correctly?

From your Cloudflare dashboard, click on the “SSL/TLS” menu option, and then the “Edge Certificates” sub menu option. From this page, check that your “Always Use HTTPS” option is switched ON.

Yes, I discovered like a minute ago that it was not enabled, and Safari for some reason does not prefer HTTPS. Thank you. I just have a question - as the website is working now and that's essential - is there any issue for production with DNSSEC not being enabled?

Doesn’t really matter for you, a pizza restaurant.

You shouldn’t have any issue turning it on, just make sure all the values are entered into your registrar side correctly before adding the record. If your registrar doesn’t let you type all the values into the respective fields then just abort the setup process.

Your issue before was simply that you typed one of the digits incorrectly for the “Key Tag”; you can try again.
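
Added example, not part of the original thread: on the question of how the key tag relates to the flag, protocol, algorithm and public key, RFC 4034 Appendix B computes the key tag as a checksum over exactly those four DNSKEY fields, so it can be recomputed and compared with what the registrar holds. The sketch below does that, along with the SHA-256 DS digest; the domain, the 64-byte placeholder key and all function names are constructed for illustration.

```python
import base64
import hashlib

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))

def key_tag(rdata):
    """RFC 4034 Appendix B checksum (does not apply to legacy algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # even offsets are high bytes
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(domain):
    """Canonical (lowercase) wire-format owner name: length-prefixed labels."""
    labels = domain.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def expected_ds(domain, dnskey):
    """DS fields (digest type 2 = SHA-256) that the parent zone must publish."""
    rdata = dnskey_rdata(**dnskey)
    digest = hashlib.sha256(wire_name(domain) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": dnskey["algorithm"],
            "digest_type": 2, "digest": digest}

def mismatched_fields(domain, dnskey, registrar_ds):
    """Names of registrar DS fields that disagree with the zone's DNSKEY."""
    want = expected_ds(domain, dnskey)
    got = dict(registrar_ds, digest=str(registrar_ds.get("digest", "")).upper())
    return [name for name, value in want.items() if got.get(name) != value]

# Constructed sample: a 64-byte placeholder key, not a real zone's key.
SAMPLE_DOMAIN = "example.com"
SAMPLE_KEY = {"flags": 257, "protocol": 3, "algorithm": 13,
              "public_key_b64": base64.b64encode(bytes(range(64))).decode()}

if __name__ == "__main__":
    good = expected_ds(SAMPLE_DOMAIN, SAMPLE_KEY)
    typo = dict(good, key_tag=59490)          # constructed entry, digits swapped
    print(good["key_tag"], mismatched_fields(SAMPLE_DOMAIN, SAMPLE_KEY, typo))
```

A validating resolver refuses to answer for the zone when no DS at the parent matches a DNSKEY in the zone, while a non-validating resolver still resolves the name.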

