Cloudflare cuts off DNS announcement

Even with a small request test, Cloudflare cuts the DNS announcement to protect itself. This DNS announcement stop can last for days and can cover all locations (countries), closing the site with its own hand.

It is causing the website to lose traffic, and Cloudflare does not explicitly state this unwritten rule.

It is simply abused to take websites offline, and this is a trust breaker.

Has it occurred to you that it may not be Cloudflare, but that your configuration might not be working?

Which is actually accurate, as your DNSSEC configuration is not properly set.

2 Likes

It’s not a conspiracy. Your DNSSEC is broken.

4 Likes

This issue has nothing to do with DNSSEC. I just ran a request test with the wrk tool on my own server for testing purposes, and it cut the DNS announcement instantly.

This can take even longer: days.

In fact, it was announced in all countries a short time ago.

It has everything to do with DNSSEC. As already mentioned, your configuration is not correct and hence resolution won’t work either. You need to fix that.

2 Likes

$ resolvectl query fs0.net
fs0.net: resolve call failed: DNSSEC validation failed: missing-key

2 Likes

I’m not using dnssec anyway, I’ve never used it.

Care to explain this then?

DNSSEC: signedDelegation

1 Like

There is no point in discussing this until you have fixed your DNSSEC configuration. This is not a Cloudflare issue right now. Fix your setup and should you then still have an issue, then this can certainly be discussed.

1 Like

Your registrar (Google Domains) has published DS records for fs0.net - this means that DNSSEC is enabled, but you are missing the DNSKEY records within Cloudflare for DNSSEC to work properly. Since writing this, it looks like you’ve added the DNSKEY records.

Follow Set up DNSSEC security - Google Domains Help for the steps to fix your DNSSEC.

If you’d like to verify this yourself, run the below dig command:

dig DS fs0.net @1.1.1.1 +trace

You’ll notice that the lookup stops at your TLD’s root server and never reaches Cloudflare - this is how DS records work and indicates that Cloudflare had no part in enabling it.

fs0.net.		86400	IN	DS	2371 8 2 3B20B12E96B2315AEEE9F42AADD27A9A19D085F70505836BE70ABD86 9B0EA504
fs0.net.		86400	IN	RRSIG	DS 8 2 86400 20220423184130 20220416173130 45728 net. Mwb4D0sBco6nEQpEW9vIQIPqD/Fs5tG+Yp/gCNKFyZem0Ssk9uAUK1rU Gh/D/rqaHSOyTfcMvZxdNHqK9ineh4GAS76Y3M4GIFt6YnIarE8byV+3 /wDL2yQcea9zUWJ83fq43rNP1Kds6K2crEHOTKWXbvzWRt4nQP1mUIVC PLs5jTuNzytFa05PIJoQKM1mak3+aO+2KcqQyaXw5j8pDw==
net.			172800	IN	NS	a.gtld-servers.net.
net.			172800	IN	NS	f.gtld-servers.net.
net.			172800	IN	NS	i.gtld-servers.net.
net.			172800	IN	NS	c.gtld-servers.net.
net.			172800	IN	NS	j.gtld-servers.net.
net.			172800	IN	NS	g.gtld-servers.net.
net.			172800	IN	NS	h.gtld-servers.net.
net.			172800	IN	NS	k.gtld-servers.net.
net.			172800	IN	NS	m.gtld-servers.net.
net.			172800	IN	NS	b.gtld-servers.net.
net.			172800	IN	NS	l.gtld-servers.net.
net.			172800	IN	NS	d.gtld-servers.net.
net.			172800	IN	NS	e.gtld-servers.net.
net.			172800	IN	RRSIG	NS 8 1 172800 20220423055733 20220416044733 45728 net. Xeo4T07+Gi6XreqI3Nhy3F9o8JazLgNIbit3YSxk+5H9VFU512znp9ld hCCCXIrMAplA4iJh7Mj1PScnNUf/ZWzHGucpwFRNaVOlfRAoZoWLA+O6 IDhB0796/59tCGnmwmUZroVtsC5Zu/9uARIKw/nR4s/8nVXdE1N4JCtb cXDzaabQyH6TjSQNbPfx4KnZnDWU4diqzxEXXCG/VNhxRQ==
;; Received 1267 bytes from 192.43.172.30#53(i.gtld-servers.net) in 84 ms

tl;dr: I wrote this before it got locked, but adding DNSSEC and DS records is done by your registrar, which isn’t Cloudflare in this scenario; you still need to add DNSKEY records at your nameservers, which is Cloudflare.

2 Likes
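The DS-versus-DNSKEY mismatch described in the answer above can be checked offline with the following Python, which is an added example and not code from this thread or from Cloudflare. It takes the DS record from the dig output (key tag 2371, algorithm 8, digest type 2), computes the DS digest and key tag of whatever DNSKEY the child zone serves per RFC 4034, and reports the same "missing-key" condition that resolvectl showed; the DNSKEY used below is a constructed dummy, not the zone's real key.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical DNS wire form (lowercase labels, RFC 4034 section 6.2)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner wire name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def check_delegation(owner, parent_ds, child_dnskeys):
    """parent_ds: [(key_tag, alg, digest_type, hex_digest)] served by the parent zone;
    child_dnskeys: [(flags, protocol, alg, pubkey_b64)] served by the child zone.
    Returns (status, reason) with status 'insecure', 'secure' or 'bogus'."""
    if not parent_ds:
        return "insecure", "no DS at parent: delegation is unsigned"
    if not child_dnskeys:
        return "bogus", "missing-key: parent publishes DS but child serves no DNSKEY"
    keys = []
    for flags, proto, alg, pub in child_dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, pub)
        keys.append((key_tag(rdata), alg, rdata))
    for tag, alg, dtype, digest in parent_ds:
        want = digest.replace(" ", "").upper()
        for ktag, kalg, rdata in keys:
            if (ktag, kalg) == (tag, alg) and ds_digest(owner, rdata, dtype) == want:
                return "secure", f"DS key tag {tag} matches a child DNSKEY"
    return "bogus", "no child DNSKEY matches any parent DS (stale DS or DNSKEY never published)"

# DS for fs0.net exactly as in this thread's dig output (space inside the digest removed).
FS0_DS = [(2371, 8, 2, "3B20B12E96B2315AEEE9F42AADD27A9A19D085F70505836BE70ABD869B0EA504")]
# Constructed DNSKEY with a dummy 32-byte public key; NOT the zone's real key.
SAMPLE_KEY = (257, 3, 8, base64.b64encode(bytes(range(32))).decode())

if __name__ == "__main__":
    print(check_delegation("fs0.net", FS0_DS, []))  # the thread's missing-key case
```

With real data, the parent_ds list comes from `dig DS <zone>` at the parent and child_dnskeys from `dig DNSKEY <zone>` at the zone's nameservers; a "bogus" result is what validating resolvers turn into SERVFAIL.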

DNSSEC was active, just not on Cloudflare and that was the actual issue. You fixed it and that’s why it now resolves.

5 Likes