DNSSEC, Cloudflare, and Network Solutions

This is…interesting. Domain Registrar is Network Solutions; DNS is on Cloudflare. Followed directions–started DNSSEC setup, got information for the DS record from the Cloudflare DNSSEC setup and provided to Network Solutions.

It appears they think they’re done–but won’t talk for 24-48 hours. Meanwhile, the records are showing up but are not working properly:

goodnewspartners.org | DNSViz

So we’re stuck in “pending” on Cloudflare, while it looks like things won’t get better…

Who didn’t set them however.

$ dig +short @a0.org.afilias-nst.info goodnewspartners.org DS
37259 13 1 E4CC8084C10B946A536CD79AE0018FC3188EF1E7
37259 13 2 A2C0649F5AA20191BE55C8FBA9CCCF700492CC2452DE4550B6A64E3A D87D0841
37259 13 4 E3121E9BEB7B0952E37F12EC11CF7B50B978D8C12FBC2C573597A2F4 15AB3A9ACCA8EF1D227E746B2B0B4C1BB9D17C2F

I am afraid you need to get back to your registrar and tell them to fix the DS record.

Well, I’ve spoken with them–pointed them to:
https://dnsviz.net/d/goodnewspartners.org/dnssec/

They seem to have fixed the KeyTag, but now we’re still showing a problem. Not certain what they’ve done wrong–the only two additional items I provided were the Digest, and the Public Key. Hmph.

They seem to have added Cloudflare’s entry but there are still two previous entries. They really need to fix that properly.

NSI is still bobbling this. They claimed to see that they’d failed to use the Digest I sent them, and supposedly put that in yesterday morning. They’re again claiming the “24-48 hours” from the RFC, but we all know that for well-connected nameservers such changes almost always show up in less than an hour, two at most. As of today, 12 hours later, no change.

One thing that’s really complicating matters is that I can’t get any input from Cloudflare, and can’t see whatever Cloudflare has put in place in DNS except from external queries, since it’s still “pending”.

I’ve suggested to the client that they should go for paid support so we can get E-Mail support directly from Cloudflare. However, I will admit I’m not happy at considering getting this for this issue. DNSSEC should be a “pull the trigger, see the bang”; instead, it’s turned into a black hole on Cloudflare’s end, and a trip down the rabbit hole with NSI.

All the Cloudflare records are shown on the DNS screen.

But this really is not a Cloudflare issue and you need to discuss this with your registrar. Either you disable DNSSEC or you set the correct records.
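The check the thread keeps circling, whether each DS record the registrar published at the parent corresponds to the zone's DNSKEY, can be done offline. The following is an added example, not code from the thread or from Cloudflare: it computes the key tag (RFC 4034 Appendix B) and the DS digests for types 1, 2 and 4, then classifies DS lines in `dig +short` form. The DNSKEY is a constructed placeholder (64 zero bytes), because the real key does not appear on the page; substitute the values from `dig DNSKEY` for the zone.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Canonical (lowercase) wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire format | DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def check_ds(owner, rdata, ds_lines):
    """Return (line, verdict) for each DS line in `dig +short` form."""
    results = []
    for line in ds_lines:
        tag, alg, dtype, *digest = line.split()   # dig may split long digests
        digest = "".join(digest).upper()
        if int(tag) != key_tag(rdata) or int(alg) != rdata[3]:
            verdict = "no matching DNSKEY (key tag/algorithm)"
        elif int(dtype) not in DIGESTS:
            verdict = "unsupported digest type"
        elif digest != ds_digest(owner, rdata, int(dtype)):
            verdict = "digest mismatch"
        else:
            verdict = "ok"
        results.append((line, verdict))
    return results

OWNER = "goodnewspartners.org"
# Constructed placeholder key (KSK flags 257, protocol 3, algorithm 13), NOT the real one.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(64)).decode())
# DS lines as shown in the dig output quoted in the thread.
PAGE_DS = [
    "37259 13 1 E4CC8084C10B946A536CD79AE0018FC3188EF1E7",
    "37259 13 2 A2C0649F5AA20191BE55C8FBA9CCCF700492CC2452DE4550B6A64E3A D87D0841",
]
```

Any DS line that comes back with a verdict other than "ok" for every DNSKEY in the zone is one the registrar needs to remove or correct.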