Disabling DNSSEC

My domain is unable to connect with my server if I proxy it through Cloudflare; it works fine if I do not proxy the domain. I suspect DNSSEC, but I cannot disable it? It has now been 24 hours and it still says:

“Your DNSSEC setup will be disabled as soon as we detect that the DS record has been removed from your registrar.”

But Cloudflare is my registrar? How do I get my domain working again?

Considering that Cloudflare is your registrar the best course of action is to contact support.

Did you test your DNSSEC setup before you disabled it in Cloudflare?

The two tools usually used for testing are:

Why do you think it is DNSSEC related?

I would test the hostname that you have an issue with, as well as the hostname of the origin (the value you have configured in the DNS dashboard). I would expect that Cloudflare would fail to resolve an origin when the target of a CNAME which is :orange: has broken DNSSEC.

I’m guessing that Cloudflare will continue to serve signed responses for your domain until they confirm the parent zone has removed the DS records, and enough time has passed for the DS records in the parent zone to have expired (I think this is usually twice the TTL). If they did not do this there is a chance that users would think the zone is signed (due to cached DS records) but the authoritative nameservers are no longer signing the responses.
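An added check for the state described above (example code, not from the thread or from Cloudflare's tooling): given the child's DNSKEY and the DS record the parent still publishes, it recomputes the DS per RFC 4034 and reports whether they match. The sample records are constructed and the key bytes are a placeholder, not a real key.

```python
import base64
import hashlib

# Constructed sample record (placeholder key bytes, not a real key). In practice,
# paste the full output of `dig DNSKEY <zone>` from the zone's nameservers and
# `dig DS <zone>` from the parent (TLD) nameservers.
SAMPLE_DNSKEY = "example.net. 3600 IN DNSKEY 257 3 13 AQIDBA=="

# DS digest types: 1 = SHA-1, 2 = SHA-256 (RFC 4034/4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Owner name in DNS wire format, lower-cased (RFC 4034 section 5.1.4)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(record):
    """Return (owner, rdata bytes, algorithm) from a presentation-format DNSKEY."""
    f = record.split()
    owner, flags, proto, alg = f[0], int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, rdata, alg


def make_ds(dnskey_record, digest_type=2):
    """DS RDATA ('tag alg dtype hex') that the parent would publish for this key."""
    owner, rdata, alg = parse_dnskey(dnskey_record)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(dnskey_record, ds_record):
    """True if the parent's DS was derived from this DNSKEY. A DS that stays at the
    parent after the child stops signing is the stale state discussed above."""
    f = ds_record.split()
    if f[0].rstrip(".").lower() != dnskey_record.split()[0].rstrip(".").lower():
        return False
    if int(f[6]) not in DIGESTS:
        return False
    expected = make_ds(dnskey_record, int(f[6]))
    return expected.split() == [f[4], f[5], f[6], "".join(f[7:]).lower()]
```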

The reason I think it is DNSSEC is that it is a brand new domain never used for anything; it has 1 A record which points to the correct server. If I disable proxying through Cloudflare it connects perfectly to the server; if I enable proxying it fails to connect. I did however enable DNSSEC when the domain was registered at another registrar and then moved it to Cloudflare afterwards, maybe something went wrong?

I did not know they had one? The only thing I have ever been able to find is the online HelpDesk and community support :S


What’s the domain?

Do you get any error message?
Do you have working HTTPS when you go :grey:?
What is your SSL Mode in Cloudflare?

DNSSEC needs to be disabled before initiating a transfer (as per the documentation):

Before transferring a domain to or from Cloudflare:

  • Disable DNSSEC by removing the DS record at your current DNS host and then turn off DNSSEC within the Cloudflare DNS app

As a support executive once told me, you can use this:

curl -X DELETE "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/dnssec" \
     -H "X-Auth-Email: [email protected]" \
     -H "X-Auth-Key: c2547eb745079dac9320b638f5e225cf483cc5cfdda41" \
     -H "Content-Type: application/json"


DNSSEC does not appear to be enabled for that domain in the first place.

DNSSEC: unsigned

What does the dashboard say?

No, I have not set up SSL yet and have disabled it in Cloudflare for the moment; I need to get the domain working with proxying before setting up SSL.

DNSSEC needs to be disabled before initiating a transfer (as per the documentation):

Well, that is a little too late now. I was using Cloudflare for DNS before, but the domain was registered elsewhere; I moved the domain to Cloudflare afterwards.

You have a 523 error, which is not DNSSEC related. DNSSEC does not seem to be the issue at this point.


Really?! Ok, good to rule that out, but I have seriously no clue what the problem is then; it only happens when proxied through Cloudflare.

Which problem exactly? Can you post a screenshot of the error you seem to be getting?

DNSSEC does not seem to be the issue here, but rather the aforementioned error, which is an issue with your server.

Your issue is unlikely to be DNSSEC.

Start with the basics:

If your Origin IP is 46.X.X.54, you have a few problems.

  1. Let’s Encrypt certificate has expired

    Server certificate:
    subject: CN=*.baunegaard.net
    start date: Dec 6 16:51:00 2019 GMT
    expire date: Mar 5 16:51:00 2020 GMT
    issuer: C=US; O=Let’s Encrypt; CN=Let’s Encrypt Authority X3

  2. Origin is returning 404

% curl --resolve baunegaard.net:443:46.X.X.54 https://baunegaard.net -k --dump-header -
HTTP/2 404

I’d start by getting a working Origin server on :grey: then move on from there.

If you continue to get 523, try this community tip

That's the thing! The origin server is working with :grey:; as soon as I enable Cloudflare it stops working with the HTTP 523 error. I have SSL disabled on the server and Cloudflare until I can get it working.

Would you feel comfortable sharing your server IP address here?

But if it is a 523 on your side too, it is not a DNSSEC issue. Cloudflare is not able to reach your server, you possibly have a firewall on your server which prevents Cloudflare from connecting.

Your address ends in 104, right? In that case the whole machine is down. It does not respond to HTTP and not even pings.

Yes. I just disabled Cloudflare again and now it is working again; you can resolve the IP from the domain now.

That is the issue, it does not work. You might have a firewall entry which only allows connections from your own address.