DNSSEC and .my domains

Hello,

As we all knows, to enable DNSSEC for a domain, the steps below are performed.

  1. Click the ‘Enable DNNSEC’ button.
  2. CloudFlare wants me to upload the DS record to my registrar.
  3. Then after a few moments after Step 2 was performed, DNSSEC is enabled for the domain.

But for MyNIC .my domains, to enable DNSSEC, the steps below are performed.

  1. Enable DNSSEC for a .my domain by agreeing to a Term of Service and ticking the ‘Enable’ checkbox.
  2. Then, go to the registrar’s control panel and retrieve the DS record from the domain’s nameserver.
  3. Then, manually choose the retrieved DS record and then publish them myself.
  4. Wait for a while, for DNSSEC is enabled for the domain. This seems to happen hourly.

In other words, Cloudflare and MyNIC workflows are not compatible with each other at all. Cloudflare will not enable DNSSEC until after the DS record has been uploaded to the registrar, and MyNIC will not enable DNSSEC until their system can retrieve from Cloudflare’s nameservers.

Is there anything that can be done to enable DNSSEC for .my domains hosted by Cloudflare? Thanks.

By nature, a domain should be serving all the DNSSEC-related DNS records before the DS record set is created at the TLD.

With Cloudflare, you should wait 24 hours before setting the DS record, to be sure that all unsigned records have expired from resolvers’ caches. (Cloudflare’s maximum TTL is 24 hours.)

If you set the DS record too soon, your domain may fail to resolve.

It doesn’t sound like the workflows are incompatible.

If that’s the case, why is that the MyNIC registry failed to retrieve the DS key from the nameservers then? Did Cloudflare already put the keys there when the DNSSEC setup started?

I don’t know.

What’s your domain?

Does MYNIC’s documentation explain exactly how “retrieve key from name server” works? I assume they send one or more DNSKEY queries, but…

I am not really sure. All the registrar system says when I enabled DNSSEC at the control panel is:-

Please retrieve the Delegation Signer Record at DNSSEC Update Key Module (Domain Name > DNSSEC > Update Key).
IMPORTANT NOTE: Please ensure that your zone has been signed before you update the keys.

Ok, I have fixed the problem. Originally, my domain has lily.ns.cloudflare.com and seth.ns.cloudflare.com as primary and secondary nameservers respectively. Then I swapped those two around, and the problem fixed itself.

1 Like