DNSKEY record found but no DS record found

I have disabled DNSSEC in Cloudflare and my domain registrar has already deleted the DS record; however, Bitsight has shown “DNSKEY record found but no DS record found”.

My question is whether it is the domain registrar or Cloudflare that can help to delete the DNSKey?

Cloudflare’s end doesn’t matter much if you’ve deleted the DS record. I believe the DNSKey you’re asking about is the one at Cloudflare’s end, and that’s controlled by Cloudflare. Still shouldn’t matter as long as the registrar has disabled DNSSEC for the domain.

I use the following tools to track down records:
https://dnsviz.net/
https://dnssec-debugger.verisignlabs.com/


Hi sdayman,

Thanks for your note; however, what I have received from Bitsight still urges us to remove the respective DNSKEY record in order not to receive a “BAD” rating because of the DS record not being found.

I’m currently using the free plan, so would you mind guiding me on how I can get CF support on this case?

Thank you once again.

Regards,
Matthew

Ticket: 2338566 @MoreHelp

Can anyone assist with this, please? :roll_eyes:

Hi Everyone,

With the help of CF support, I finally managed to delete the DNSKEY record manually by myself as suggested. I guess it may be good to share the steps in this community so you won’t get stuck like me as a free plan user.

Step 1. You will be required to use curl command to connect to Cloudflare API
Step 2.
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/123456abc789def/dnssec" \
  -H "X-Auth-Email: [email protected]" \
  -H "X-Auth-Key: aaabbbcccdddeeefff" \
  -H "Content-Type: application/json"

Notes:
Zone ID - Under Overview section of the respective domain - Under API on the right;
X-Auth-Email - Replace this with your CF’s registered email address
X-Auth-Key - Under My Profile - API Tokens - View “Global API Key”

Hope this helps, thank you. :innocent:

Reference:
https://api.cloudflare.com/#dnssec-delete-dnssec-records

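Added example, not part of the original thread and not Cloudflare's or Bitsight's code: a small Python check that classifies a zone's DNSSEC state from `dig +short DS` and `dig +short DNSKEY` answers, including the "DNSKEY record found but no DS record found" state discussed above. It matches DS to DNSKEY by key tag (RFC 4034 Appendix B) and algorithm only and does not verify the DS digest; the function names and the sample records are constructed for illustration.

```python
import base64

def key_tag(flags, protocol, algorithm, public_key_b64):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(public_key_b64))
    acc = 0
    for i, byte in enumerate(rdata):
        # Even-indexed octets are the high byte of each 16-bit word.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Parse one `dig +short DNSKEY` line: flags protocol algorithm key..."""
    flags, protocol, algorithm, *key = line.split()
    return int(flags), int(protocol), int(algorithm), "".join(key)

def parse_ds(line):
    """Parse one `dig +short DS` line: keytag algorithm digesttype digest..."""
    tag, algorithm, _digest_type, *_digest = line.split()
    return int(tag), int(algorithm)

def classify(ds_lines, dnskey_lines):
    """Return the delegation state implied by the parent's DS and the zone's DNSKEY."""
    keys = {(key_tag(*k), k[2]) for k in map(parse_dnskey, dnskey_lines)}
    ds = {parse_ds(line) for line in ds_lines}
    if not ds and not keys:
        return "unsigned"
    if not ds:
        # The state in this thread: with no DS at the parent, validating
        # resolvers treat the zone as insecure and resolution still works.
        return "dnskey-without-ds"
    if ds & keys:
        return "signed"
    # A DS that points at no published key fails validation (SERVFAIL).
    return "ds-without-matching-dnskey"

# Constructed sample answers; the key material is shortened and not a real key,
# and the DS digest is filler because this check does not verify it.
SAMPLE_DNSKEY = ["257 3 13 AQIDBA==", "256 3 13 AQIDBA=="]
SAMPLE_DS = ["2068 13 2 " + "AB" * 32]

if __name__ == "__main__":
    print(classify([], SAMPLE_DNSKEY))         # registrar removed DS, key still published
    print(classify(SAMPLE_DS, SAMPLE_DNSKEY))  # intact chain of trust
    print(classify(SAMPLE_DS, []))             # DS left behind after keys were removed
```

To use it against a live zone, feed it the lines returned by `dig +short DS <domain>` and `dig +short DNSKEY <domain>`.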