Hi everyone,
I have an app hosted on Heroku which is linked to the ai-ink dot me (sorry, having too much trouble with links). The domain is registered with Squarespace and I use custom nameservers provided by Cloudflare in Squarespace.
I copied the DNS targets provided by Heroku into Cloudflare where I have added 2 CNAME records, one for the root and one for www.
I also have set up SSL from Cloudflare with full protection and copied the keys to Heroku where it seems to be configured correctly.
Looking at DNS propagation checker, I see the A records which I believe are flattened from the CNAME records. However, while navigating to the site I see the DNS_PROBE_FINISHED_NXDOMAIN error.
The domain name ai-ink.me has been configured with DNSSEC enabled at the domain registrar, which apparently seems to be Tucows Domains Inc.
However, the DNSSEC configuration you have with them doesn’t add up with the configuration that Cloudflare have.
As such, DNS resolvers that validate DNSSEC will fail to resolve your domain name.
I do not currently have any access to Tucows Domains Inc., however, I cannot believe that it would be much different from e.g. the Porkbun “tutorial” I made over here, back in January 2023:
Thanks a lot for the quick answer DarkDeviL.
So currently on Cloudflare I have DNSSEC disabled.
The domain is registered with Squarespace although the underlying registrar is Tucows. On Squarespace, since I use custom nameservers (from Cloudspace), no DNSSEC configuration is present and Tucows doesn’t seem to have any way to configure DNSSEC either, so I am a bit lost.
Thanks epic.network… The help page there mentions this:
Only domains with Squarespace Domains LLC as the registrar can add DNSSEC through Squarespace. To identify your domain’s registrar, visit Who’s my domain provider?
In this case, the registrar is actually Tucows, so there is no option to add / remove DNSSEC. I have custom nameservers added through Squarespace to link the Cloudflare servers.
Tucows is a wholesale registrar. They sell through other businesses and list the resale partner and their support contract in their whois records. Yours shows Squarespace is the resale partner.
whois -h whois.tucows.com ai-ink.me
WHOIS QUERY RATE LIMIT EXCEEDED. PLEASE WAIT AND TRY AGAIN.
This information was obtained from a different whois server, so we cannot verify its authenticity.
Registration Service Provider:
Squarespace
https://support.squarespace.com/hc/en-us/requests/new
I don’t know what the story is with the rate limit notice. It is appearing even for Tucows on the web interface to their whois. The fact that you set your nameservers through Squarespace means that they are your registrar. Your registrar is the only place you can set your nameservers.
You may need to open a support request with Squarespace. As your registrar, not only is it their responsibility to submit your DNSSEC material to the parent zone nameservers, they are the only ones who can.
Thanks @epic.network. I opened a support case with Squarespace and this was their response, which isn’t very helpful:
Thank you for contacting Squarespace. Looking at your domain on whois.com, I can see Squarespace isn’t the registrar. So we wouldn’t provide DNSSEC. Below I will leave a guide that I’m sure will help you with this issue.
Push back harder. Show them the whois record that proves that they are the responsible party. Show them the receipt for payment to them for the domain registration.
Tucows does not provide end user support, but may be able to lodge a complaint about a non-responsive reseller. That may result in Tucows directing Squarespace to meet their obligation.
You could also try to transfer the domain to a better registrar, although if anything needs be done at your current registrar, that may prove equally challenging to your current effort.
Thanks @epic.network… I just sent them a note again. I am trying to transfer out the domain but I had just recently transferred it from Google Domains to Squarespace and Tucows has a 60 day lock in period for the domain.
One question I had was how do I prove that the domain name has been configured with DNSSEC enabled at the domain registrar, which apparently seems to be Tucows Domains Inc., which @DarkDeviL mentioned before. Is there a particular whois command which shows this?
If a proper whois record was being returned you could see it there. It is available in DNS. You can use DNSSEC tools like DNSViz to view the DNS output arranged in a nice report.
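
The DS-versus-DNSKEY comparison that the replies above rely on can also be run by hand with dig; the following is an added example, not part of the original thread. The function names and the sample records for example.test are constructed for illustration, and the script compares key tags only, without verifying digests or signatures.

```shell
# Added example: triage of the DS (parent zone, set through the registrar)
# versus DNSKEY (the zone itself, e.g. at Cloudflare) relationship.
# Function names are hypothetical.

# classify_dnssec DS_TEXT DNSKEY_TEXT
#   DS_TEXT:     output of `dig +short DS <domain>`
#   DNSKEY_TEXT: output of `dig +multi +noall +answer DNSKEY <domain>`
classify_dnssec() {
  _ds_tags=$(printf '%s\n' "$1" | awk 'NF >= 4 { print $1 }')
  _key_ids=$(printf '%s\n' "$2" | sed -nE 's/.*key id = ([0-9]+).*/\1/p')
  if [ -z "$_ds_tags" ]; then
    # No DS at the parent: resolvers treat the zone as unsigned either way.
    if [ -z "$_key_ids" ]; then echo "unsigned"; else echo "signed-no-ds"; fi
    return 0
  fi
  if [ -z "$_key_ids" ]; then
    # DS published through the registrar, but the zone serves no keys:
    # validating resolvers fail the lookup.
    echo "broken-ds-without-dnskey"
    return 0
  fi
  for _tag in $_ds_tags; do
    if printf '%s\n' "$_key_ids" | grep -qxF "$_tag"; then
      echo "ds-matches-dnskey"
      return 0
    fi
  done
  echo "broken-ds-key-mismatch"
}

# check_domain DOMAIN: run the two live queries and classify the result.
# +cd (checking disabled) asks a validating resolver to return the records
# even when validation would fail.
check_domain() {
  _ds=$(dig +cd +short DS "$1")
  _keys=$(dig +cd +multi +noall +answer DNSKEY "$1")
  classify_dnssec "$_ds" "$_keys"
}

# Constructed sample answers for example.test (not real records).
SAMPLE_DS='2371 13 2 0000000000000000000000000000000000000000000000000000000000000000'
SAMPLE_KEYS='example.test. 3600 IN DNSKEY 257 3 13 (
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        ) ; KSK; alg = ECDSAP256SHA256 ; key id = 2371'
SAMPLE_OTHER_KEYS='example.test. 3600 IN DNSKEY 257 3 13 ( AAAA ) ; KSK; alg = ECDSAP256SHA256 ; key id = 40000'
```

A result of `broken-ds-without-dnskey` corresponds to the situation described in this thread: DNSSEC material registered at the parent while signing is disabled at the DNS provider.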