Cloudflare authoritative DNS SERVFAILs on DS record

I’m working on a project where I need to delegate a zone from one of my sites in Cloudflare. I’ve added NS and A/AAAA glue records in Cloudflare and the delegation works perfectly. The problem arises when I add the DS record for the delegation.

Using DiG, this is what I see:

dig - returns the NS and glue records as expected

dig +dnssec - dig times out

dig ds - SERVFAIL

dig ds +dnssec - dig times out

Basically, whenever the DS should be returned, the server times out or fails. I have tried this from my home connection, from which I reach server ID SYD01, and from a Linode, from which I reach SIN02, and achieve the same results from both.

I initially thought it might be an issue with my server (despite the fact that the delegation should be able to be served regardless of the child server), however I have run a packet capture and don’t see a single packet coming to my server from Cloudflare whilst attempting the above digs.

The DS record I added to Cloudflare is as follows:

Key tag: 16087
Algorithm: 13
Digest type: 2
Digest: DEBD7DBDB22FBF57D45AB2E9F26214C09D1A5F10AE5A1FBAB32224D662B9C638

Well, I had another look this morning, and I initially managed to get a few test DS records working on other domains with dummy data. I’ve now got the main DS record for my delegation working and figured out what the problem was:

If the digest entered into the Cloudflare dashboard has a space in it (as it is commonly displayed by dig and other software) it will not work. You simply need to remove the spaces in the digest before saving the record.

It looks like Cloudflare have tried to automatically remove spaces, as when viewing a DS record that was added with spaces in the digest, the digest is shown as a continuous string, but clearly some part of Cloudflare’s DNS still has spaces in the digest value which causes the SERVFAIL.
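As an added example (not code from the original post or from Cloudflare), here is a small Python check that takes a DS record in dig's presentation format, strips the spaces dig inserts into the digest, and verifies the digest length matches its digest type before the values are pasted into the dashboard. The sample input is the DS from the post, re-spaced the way dig prints it.

```python
import re

# Expected digest length in hex characters per DS digest type
# (1 = SHA-1, 2 = SHA-256, 4 = SHA-384; RFC 4034, RFC 4509, RFC 6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def normalize_ds(presentation: str) -> dict:
    """Parse "<keytag> <alg> <dtype> <digest...>" as dig prints it and return
    fields ready for the Cloudflare dashboard, digest with no whitespace."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("expected: <keytag> <algorithm> <digesttype> <digest>")
    key_tag, algorithm, digest_type = (int(p) for p in parts[:3])
    if not 0 <= key_tag <= 65535:
        raise ValueError(f"key tag {key_tag} out of range")
    # dig wraps the digest into space-separated groups; rejoin everything
    # after the digest type so no space survives into the submitted value.
    digest = "".join(parts[3:]).upper()
    if not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError("digest contains non-hex characters")
    expected = DIGEST_HEX_LEN.get(digest_type)
    if expected is None:
        raise ValueError(f"unknown digest type {digest_type}")
    if len(digest) != expected:
        raise ValueError(
            f"digest type {digest_type} needs {expected} hex chars, got {len(digest)}"
        )
    return {
        "key_tag": key_tag,
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": digest,
    }


if __name__ == "__main__":
    # The DS from the post, spaced into 8-character groups as dig displays it.
    sample = ("16087 13 2 DEBD7DBD B22FBF57 D45AB2E9 F26214C0 "
              "9D1A5F10 AE5A1FBA B32224D6 62B9C638")
    print(normalize_ds(sample))
```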

