Cloudflare's DNSSEC setup is perpetually pending

CF is the registrar for one of my domains. Currently, CF shows that the DNSSEC setup is pending, but it fails to add DS records. I transferred this domain to CF in September and never touched DNSSEC from that point onward. However, I might have enabled DNSSEC before that, given the fact that the domain had used the CF nameservers and registrar before it was transferred to the CF registrar again recently. Is there anything I can do to fix this?

P.S. Edited the original post to make it more concise.


I just did some testing, and it looks like the DNSSEC setup has some issues.

On another domain registered at CF, I was able to get it stuck in the same way by enabling DNSSEC, then canceling the setup. Now it says that “DNSSEC is pending while we automatically add the DS record on your domain.”, but it’s neither adding the DS record and completing the setup, nor showing DNSSEC as disabled so it could be enabled again. Attempting to cancel the setup again returns the same “DNSSEC is already disabled (Code: 1004)” error.

I have the same problem! I added my domain and changed the NS servers, but I am not able to enable/configure DNSSEC.

After “cancelling” DNSSEC, it gives the error status 1004 that it is already cancelled, but it is hanging at enabling.


Since you mentioned changing the nameservers, I assume that you’re not using the CF Registrar for this domain. I have done some testing of this scenario as well, and changing the nameservers to non-CF ones seems to make the CF system change the status of DNSSEC from pending to actually disabled. Then change back to the CF nameservers, and now you should be able to enable DNSSEC. CF will give you the values for the DS record, so go to your registrar, add the DS record as instructed and DNSSEC should start working. At least in my testing this procedure fixed it.

It would be really helpful if CF actually cancelled the setup when you told it to, but at least there is some sort of workaround. In my case, where CF is the actual registrar for the domain, I haven’t been able to find a workaround. CF is supposed to either add the DS record for the domain, or cancel the DNSSEC setup, but it does neither, so it’s stuck and I can’t do anything about it.

There’s another bug in the DNSSEC setup process that I found. CF often shows different statuses of DNSSEC between refreshes. In one instance, it was showing 3 different statuses (disabled, pending setup and pending cancellation) in the span of a few seconds when I was refreshing the page without pressing buttons. If I were CF, I would audit the relevant code in its entirety, fix the bugs and thoroughly test the functionality.

From my experience, I always disabled DNSSEC at the Cloudflare dashboard and removed the DS record before changing nameservers.

In between, I waited for a few hours straight (not exactly 24 hours) and flushed the DS and DNSKEY records by using the tools below (maybe that’s the trick):

At the CF dashboard it showed “Enable DNSSEC” (meaning it was disabled), and using the tools below the DS/DNSKEY record was not found at that point:

No issues.

Or that was my case, as I was moving a domain from one CF account to another; the domain was signed with DNSSEC before.

Nevertheless, I was recently moving one domain too, and disabled DNSSEC, waited a straight 24 hours just in case and flushed the DS/DNSKEY records too; all went as well as it could possibly be.

My understanding is that this sort of perpetual pending state, where CF neither publishes the DS record, nor allows the user to cancel the setup (showing “DNSSEC is already disabled” error) is caused when one cancels the DNSSEC setup before it’s complete. In any other scenario, things should work as expected.

Another thing I find peculiar is the fact that it takes CF up to 24 hours to publish the DS record, whereas other registrars such as Namecheap do it immediately. I find it peculiar, because it’s usually CF that is the fastest and most innovative when it comes to this sort of thing, but in this case their system seems to be much slower than the others.

I have actually found one more bug, but this time it’s a “feature”, because it allowed me to re-enable DNSSEC for a domain stuck in the “perpetual pending” state. As a result, DNSSEC seems to have been successfully set up for one of the two domains I tried that on - the DS record is currently in place for that one domain, although CF is still showing a pending status. In any case, users shouldn’t be expected to count on bugs and workarounds to solve this issue. The DNSSEC setup is definitely not working as intended and it shouldn’t be taking 24 hours even if it did work flawlessly.

There is one additional DNSSEC configuration issue: the “DS Record” link is missing on some of my domains. Without this I have no way to copy/paste the Digest etc. to my Domain registrant.

Using the incorrect wording here. What I mean is updating the DNSSEC records on the registrant portal. Now, none of my domains have DNSSEC enabled, because some have no DS records shown on the Cloudflare portal, thus there is no way I could copy over the needed details to the domain registrar.

Yes, for whatever reason CF shows the DS record value when you enable DNSSEC, then hides it while the DNSSEC setup is pending, and then shows it again once the setup is complete. I can’t think of a good reason for CF to hide it while the setup is pending. In any case, it wouldn’t be that big of an issue if you could cancel the setup, re-enable DNSSEC and get the DS record that way. This is probably what CF intended users to do when they didn’t grab the DS record when enabling DNSSEC. In my testing, however, canceling the DNSSEC setup gets it into the perpetually pending state again, so that’s no good. A user in another thread devoted to the same issue suggested sending a DELETE request to “<zone_identifier>/dnssec” via the API. While this workaround works, the user should be able to do that via the UI.
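
Added example, not part of the original thread and not Cloudflare's code: when the dashboard hides the DS values or keeps showing a pending status, the delegation can be checked independently by deriving the expected DS from the zone's DNSKEY (RFC 4034) and comparing it with the DS set the parent zone serves. The key is constructed and the function names are hypothetical; real record values would come from DNSKEY and DS query output.

```python
import base64, hashlib, struct

# Constructed sample, not a real key: 64 bytes standing in for an ECDSA P-256 public key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical lowercase wire form of the owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, key_b64):
    """Expected DS as (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def parse_ds(text):
    """Parse a DS in presentation format; the digest may be split by spaces."""
    tag, alg, dtype, *digest = text.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())

def check_delegation(owner, dnskeys, parent_ds_lines):
    """Compare the DS set served by the parent with the zone's DNSKEY set.

    no-ds     parent has no DS: the zone is treated as unsigned
    secure    a SHA-256 DS matches one of the zone's keys
    mismatch  DS present but matches no key: validating resolvers fail the zone
    unchecked only non-SHA-256 DS records present (not computed here)
    """
    if not parent_ds_lines:
        return "no-ds"
    sha256_ds = [d for d in map(parse_ds, parent_ds_lines) if d[2] == 2]
    if not sha256_ds:
        return "unchecked"
    # Only keys with the Zone Key flag (0x0100) can be referenced by a DS.
    expected = {make_ds(owner, *k) for k in dnskeys if k[0] & 0x0100}
    return "secure" if any(d in expected for d in sha256_ds) else "mismatch"
```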

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.