DNS resolution failing from some parts of world, SSL cert won't validate

namik.mesic · May 30, 2022, 12:57pm

Greetings,

EU proxy sites and some local clients show domain as not resolved after 3-5 days of switching to a different Cloudflare account. SSL cert. is not validated after a week and https isn’t active. WHOIS domain check yields:
ANDY.NS.CLOUDFLARE.COM (has 23,957,637 domains)
ULLA.NS.CLOUDFLARE.COM (has 23,957,637 domains)

We are not sure how to proceed / what the issue is. Records have been imported from a previously set up Cloudflare account. Current records are very straight-forward (CNAME and A records pointing to two servers, one for email and another for web hosting).

The domain in question is malakregency.com if you want to troubleshoot!

Thanks a lot,

Namik

KianNH · May 30, 2022, 1:04pm

Your domain has bad DNSSEC so it won’t resolve.

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for malakregency.com.)

https://dnsviz.net/d/malakregency.com/dnssec/

Have you enabled DNSSEC in the Cloudflare dashboard? If not, your registrar still has DNSSEC setup on their end - and since it isn’t on both ends, it will not work.

namik.mesic · May 30, 2022, 1:26pm

Thanks a lot for your response @KianNH.
The person maintaining the domain registrar claims no DNSSEC records are set up for the domain. I am not an expert on this topic, is it certain that is the issue? Should we escalate the thread to our domain provider?

michael · May 30, 2022, 2:14pm

% dig CDS malakregency.com @andy.ns.cloudflare.com.
malakregency.com.	3600	IN	CDS	0 0 0 00
% dig ds malakregency.com @a.gtld-servers.net
malakregency.com.	86400	IN	DS	2371 13 2 5EBE927E5354F5828BFD418FA1FB8B8E340CE0BBE74ACF35117C379D 0851FAEC

Have the person who manages your Registrar account delete the DS records for your zone.

jwds1978 · May 30, 2022, 3:42pm

Seems to be resolving now:

$ resolvectl query malakregency.com
malakregency.com: 172.67.160.117               -- link: eth0
                  104.21.42.91                 -- link: eth0
                  2606:4700:3037::ac43:a075    -- link: eth0
                  2606:4700:3030::6815:2a5b    -- link: eth0

-- Information acquired via protocol DNS in 1.0ms.
-- Data is authenticated: yes

$ dig malakregency.com +short
172.67.160.117
104.21.42.91

namik.mesic · May 31, 2022, 8:11am

Thank you for all responses. The domain was always resolving from some locations, but not others, since last Thursday. Unfortunately I don’t have precise info on registrar status yet. I’ll reach out later!

system · June 15, 2022, 8:12am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.