DNSSEC and .my domains

belldandy · September 12, 2019, 2:38pm

Hello,

As we all knows, to enable DNSSEC for a domain, the steps below are performed.

Click the ‘Enable DNNSEC’ button.
Cloudflare wants me to upload the DS record to my registrar.
Then after a few moments after Step 2 was performed, DNSSEC is enabled for the domain.

But for MyNIC .my domains, to enable DNSSEC, the steps below are performed.

Enable DNSSEC for a .my domain by agreeing to a Term of Service and ticking the ‘Enable’ checkbox.
Then, go to the registrar’s control panel and retrieve the DS record from the domain’s nameserver.
Then, manually choose the retrieved DS record and then publish them myself.
Wait for a while, for DNSSEC is enabled for the domain. This seems to happen hourly.

In other words, Cloudflare and MyNIC workflows are not compatible with each other at all. Cloudflare will not enable DNSSEC until after the DS record has been uploaded to the registrar, and MyNIC will not enable DNSSEC until their system can retrieve from Cloudflare’s nameservers.

Is there anything that can be done to enable DNSSEC for .my domains hosted by Cloudflare? Thanks.

mnordhoff · September 12, 2019, 3:23pm

By nature, a domain should be serving all the DNSSEC-related DNS records before the DS record set is created at the TLD.

With Cloudflare, you should wait 24 hours before setting the DS record, to be sure that all unsigned records have expired from resolvers’ caches. (Cloudflare’s maximum TTL is 24 hours.)

If you set the DS record too soon, your domain may fail to resolve.

It doesn’t sound like the workflows are incompatible.

belldandy · September 13, 2019, 4:23am

If that’s the case, why is that the MyNIC registry failed to retrieve the DS key from the nameservers then? Did Cloudflare already put the keys there when the DNSSEC setup started?

mnordhoff · September 13, 2019, 10:12am

I don’t know.

What’s your domain?

Does MYNIC’s documentation explain exactly how “retrieve key from name server” works? I assume they send one or more DNSKEY queries, but…

belldandy · September 13, 2019, 11:29am

I am not really sure. All the registrar system says when I enabled DNSSEC at the control panel is:-

Please retrieve the Delegation Signer Record at DNSSEC Update Key Module (Domain Name > DNSSEC > Update Key).
IMPORTANT NOTE: Please ensure that your zone has been signed before you update the keys.

belldandy · September 13, 2019, 11:46am

Ok, I have fixed the problem. Originally, my domain has lily.ns.cloudflare.com and seth.ns.cloudflare.com as primary and secondary nameservers respectively. Then I swapped those two around, and the problem fixed itself.

system · October 13, 2019, 11:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DNSSEC for domains registered with Cloudflare DNS & Network	5	2006	July 1, 2020
DNSSec updating for few hours DNS & Network dash-getting-started	6	2991	October 24, 2018
DNSSEC cannot work DNS & Network	5	1784	January 28, 2022
DNSSEC needs fixing on cloudflare registrar DNS & Network dns	7	3409	February 7, 2019
Stuck Pending While Setting Up DNSSEC On Cloudflare Registrar Registrar dns , dash-getting-started	33	10008	June 18, 2021

DNSSEC and .my domains

Related topics