DNS Issue with site validating

We have a client whose site won’t validate. When I look at the edge cert it is stuck on validating.

I have no idea what these errors mean and what they need to do to fix it.

NSEC proving non-existence of www.site.org/A: The NSEC RR covers the wildcard itself (*.site.org), indicating that it doesn't exist.

This was the explanation I was given:
As such, this domain did not pass DNSSEC validation. The signatures for the target record, or the proof of non-existence of the target records, are invalid.

This needs to be further addressed at the authoritative DNS provider for this domain, before we can successfully issue any SSL certificates.

Turn off DNSSEC at the registrar and at Cloudflare. Or fix the DNSSEC issue by taking the DS records shown by Cloudflare here…
https://dash.cloudflare.com/?to=/:account/:zone/dns/settings
…and enter them at the registrar.

If that doesn’t work, or records are already correct, you can enter the domain name here and it will locate the problem (although it’s a bit difficult to work out what it means so you might just want to post the domain name here!)

https://dnsviz.net

2 Likes

We don’t have DNSSEC enabled in Cloudflare.

This is what I saw when I put the URL in dnsviz.net. I don’t understand what it means or what I need to have them do.

NSEC proving non-existence of www.site.org/A: The NSEC RR covers the wildcard itself (*.site.org), indicating that it doesn't exist.

Check DNSSEC is disabled at the registrar as well as Cloudflare then.

What is the domain name?

This is the URL I’m trying to add:

imis.prps.org

DNSSEC is enabled at the registrar for prps.org.

It also looks like you have a mix of proxied and unproxied A records, or something else weird going on both at the domain and at the subdomain.

https://cf.sjr.org.uk/tools/check?4f7db4e95a804a0e9668e9ed66b0cd45
https://cf.sjr.org.uk/tools/check?b7a5796a5c9a4efda7de1a6c106db8ad

Ok so the problem is that the A record has two IPs?

No, the problem is one is a Cloudflare IP address and one isn’t (it’s a Microsoft one). Not sure how that can come about.

When the lookup picks the Cloudflare one, the site loads. When the lookup picks the other one, it times out.

dig +short prps.org @8.8.8.8
20.42.27.25
104.16.130.63
1 Like

Yeah the 20.42.27.25 IP isn’t valid anymore. I messaged them and told them to remove that 20.42.27.25 A record since it shouldn’t be there anyway.

They removed that other A record and it still won’t issue an edge cert and validate the custom hostname. Still has to be something on their side since we have added other sites to CF during the time that this has been having issues.

There’s still a DNSSEC issue.

https://dnsviz.net/d/imis.prps.org/dnssec/

dig imis.prps.org @8.8.8.8

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> imis.prps.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53171
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 12 (NSEC Missing): (Invalid denial of existence of imis.prps.org/a)
;; QUESTION SECTION:
;imis.prps.org.			IN	A

;; Query time: 152 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Dec 07 17:36:06 UTC 2023
;; MSG SIZE  rcvd: 94
1 Like
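As an added example (not from the thread, Cloudflare or dnsviz), a small Python helper that performs the two checks the replies above describe: classifying a resolved set of A records as all-Cloudflare, all-origin or mixed, and reading the rcode plus the Extended DNS Error out of dig output to separate a DNSSEC validation failure (which has to be fixed at the registrar or authoritative DNS) from any other SERVFAIL. The Cloudflare range list is a snapshot assumed to be current, and the sample input is the dig output posted in the thread.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: refresh this list from that URL before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

# DNSSEC-related Extended DNS Error codes (RFC 8914): 6 DNSSEC Bogus through
# 12 NSEC Missing, the code Google's resolver returned in the thread.
DNSSEC_EDE = {6, 7, 8, 9, 10, 11, 12}

def is_cloudflare(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def classify_a_records(ips) -> str:
    """'proxied' if every A record is a Cloudflare address, 'unproxied' if none
    is, 'mixed' if the answer set is split (the prps.org state described above)."""
    flags = {is_cloudflare(ip) for ip in ips}
    if flags == {True}:
        return "proxied"
    return "unproxied" if flags == {False} else "mixed"

_STATUS = re.compile(r"status: (\w+)")
_EDE = re.compile(r"; EDE: (\d+) \(([^)]*)\)(?:: \(([^)]*)\))?")

def diagnose_dig(output: str) -> dict:
    """Extract rcode and EDE from dig output; flag SERVFAIL + DNSSEC EDE as a
    validation failure that the authoritative side (registrar/DS) must fix."""
    status, ede = _STATUS.search(output), _EDE.search(output)
    info = {"status": status.group(1) if status else None,
            "ede_code": int(ede.group(1)) if ede else None,
            "ede_detail": (ede.group(3) or ede.group(2)) if ede else None}
    if info["status"] != "SERVFAIL":
        info["verdict"] = "ok"
    elif info["ede_code"] in DNSSEC_EDE:
        info["verdict"] = "dnssec_validation_failure"
    else:
        info["verdict"] = "servfail_other"
    return info

# Sample input: the header, EDNS and EDE lines of the dig output posted above.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53171
; EDNS: version: 0, flags:; udp: 512
; EDE: 12 (NSEC Missing): (Invalid denial of existence of imis.prps.org/a)
"""
```

Run `classify_a_records` on the output of `dig +short` and `diagnose_dig` on a full `dig` answer; a "mixed" result or a "dnssec_validation_failure" verdict each point at a change needed outside Cloudflare.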
