Cloudflare not following denic German law (.de) DNSSEC

The dnssec for DE not capable of completing DENIC test by “transip” domainhost. The domain names for “marmolini” are .com, .de, .fr, .nl, .es. etc The dnssec key, that does work for all other domains, doesn’t work for .de. “Transip” says the following:

"Contact cloudflare and tell them they do not meet the requirements DENIC asks. (the german law requires some additional needs for dnssec to work there.

see: NAST - DENIC eG

After cloudflare has fixed this, ask us again and we can point the nameservers to CF via dnssec.

Please open a ticket and post the # here: support AT cloudflare DOT com

I did that but no response :frowning:

2202539

Thank you, I see your ticket with Support and have ensured it is open in a colleague’s queue to review.

3 Likes

@alexander16

I just quickly wanted to state, that I never had an issue with DNSSEC at any of my German (.de) domains.

Just follow this simple steps and it should work:

  1. remove existing DNSSEC if exists
  2. change NS to Cloudflare
  3. setup DNSSEC again (which is getting offered at Cloudflare Dashboard in DNS section)
  4. Cloudflare shows you DS settings.
  5. tell the domain registrar what DS entry Cloudflare provided to you
  6. they implement it
  7. Cloudflare will detect it as soon as it is implemented (takes about 1-2 hours) and activate it automatically.

I host my German domains at IONOS, Hetzner, NetCup, Domain offensive and never ever had problems setting up DNSSEC. I do not have any experience with TransIP but as it works just perfectly fine I would assume the problem is with them.

Also, I have never heard of a German law that threads DNSSEC different or that complicates the DNSSEC setup. Are they able to share what law this is, I as a German would be very curious.

Here the proof that it works for my domain (hotmann.de)
Settings (at DeNIC NAST tool)

Result:

And another external tools which are made to test DNSSEC setup:
https://dnssec-analyzer.verisignlabs.com/hotmann.de (press enter in input field)

2 Likes

Hi Martin,

Same here. Never had issues with openprovider, which is my main domainregister. This transip environment is the environment of my client and their IT guy reported this back to me.

I have send an email to transip themselves now. I will update once I know more.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.