DNSSEC Error : "No DNSKEY matches DS RRs of lunariaweb.com"

What is the name of the domain?

lunariaweb.com

What is the error message?

https://dns.google/resolve?name=lunariaweb.com&type=A

What is the issue you’re encountering?

Failure of DNS resolution after 72 hours

What steps have you taken to resolve the issue?

Checked DNSSEC record at origin server. Registrar advises that DNSSEC record exists, chasing for the actual record.

What feature, service or problem is this related to?

DNSSEC

What are the steps to reproduce the issue?

https://dns.google/resolve?name=lunariaweb.com&type=A

The DNSSEC configuration on your domain registrar, Mesh Digital, is incorrect:

Cloudflare does not sign DNSSEC data with algorithm 8 (RSASHA256), which is the algorithm that has been configured in the DNSSEC Delegation Signer (DS) record, through your registrar.

It also looks like Cloudflare is awaiting your removal of the DS record, in order to disable DNSSEC.

So you will need to decide whether or not you want DNSSEC enabled, and if you do, you will need to enable DNSSEC in Cloudflare, and then correct the configuration through your registrar.

Thank you, I guessed that was the case. I thought about enabling DNSSEC at Cloudflare but I couldn’t access my DNSSEC record at the registrar - I have the record on my origin server though.
Is there a way (or a tool) for me to query the record at my registrar and set the Cloudflare record up to match?

That would be mandatory, in order to be able to fix this.

Once DNSSEC is enabled within Cloudflare, you can see the actual DNSSEC material (e.g. the fields you need for setting up the DS record through your registrar) within the Cloudflare Dashboard.

If you cannot add, modify or delete DNSSEC material through your domain registrar’s control panel, you would need to open a support ticket with them, to coordinate the material (or otherwise to request further information about how you can do that yourself).

Not sure if I’m understanding the point of this?

The DNSSEC material will only be relevant between the domain registry (and most often, coordinated to them through the domain registrar you’ve registered the domain with), and then the organisation that operates the name servers you’re using.

It won’t do anything anywhere else.


The point about the record on the origin server was that I could refer back to it, as a snapshot of how the DNSSEC looked prior to nameserver migration.
In the end, I have asked my registrar to delete the record at the registry which they say they have done.
I have no idea how long it will take for the DNS to sort itself out though. 24 hours in and I’m still getting an error from Google’s public DNS query.

It still hasn’t been deleted, and still exists in the parent registry.

48-96 hours, starting from the time when it has been deleted properly.


I have been round the houses with my registrar on this for weeks. They are insisting that they have removed the DNSSEC records and DNSSEC is disabled at Cloudflare, but if I run the report:
https://dnssec-analyzer.verisignlabs.com/lunariaweb.com
I get
Found 2 DNSKEY records for lunariaweb.com
If they aren’t at Cloudflare, does that mean they must exist further up the chain, and possibly further up than the registrar’s record?
The Nameservers are pointing to cloudflare

  1. Found 1 DS records for lunariaweb.com in the com zone

  2. None of the 2 DNSKEY records could be validated by any of the 1 DS records

  3. The DNSKEY RRset was not signed by any trusted keys

#1 means that DNSSEC is active, as there is a DS record in the parent registry.

#2 and #3 refer to the fact the DNSSEC (on Cloudflare’s side) does not match, because you have an incorrect DS record in the parent registry, according to the DNSSEC material from Cloudflare.

This one does not have anything to do with the parent registry, though; those are the “child keys”, at Cloudflare’s end.

You are looking to get the DS record in the parent registry fixed.

They do exist further up, yes.

The registrar will be the only party that is able to coordinate the add/update/delete operations on the DS record, which they will be passing on to the parent registry.

If your registrar is unable to do the operations on their own, they are the ones that would need to escalate the issue to the registry.

$ whois lunariaweb.com
   Domain Name: LUNARIAWEB.COM
   Registry Domain ID: 1234896870_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.meshdigital.com
   Registrar URL: http://www.meshdigital.com
   Updated Date: 2024-09-19T15:59:57Z
   Creation Date: 2007-09-23T18:06:30Z
   Registry Expiry Date: 2025-09-23T18:06:30Z
   Registrar: Mesh Digital Limited
   Registrar IANA ID: 1390
   Registrar Abuse Contact Email: [email protected]
   Registrar Abuse Contact Phone: +18779770099
   Domain Status: ok https://icann.org/epp#ok
   Name Server: ARNOLD.NS.CLOUDFLARE.COM
   Name Server: IRIS.NS.CLOUDFLARE.COM
   DNSSEC: signedDelegation
   DNSSEC DS Data: 61669 8 2 409A48FF4754C7D51C6E22CE17363EE84F4C674953E909578974C10739246497
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2024-09-19T16:47:50Z <<<

[…]

Domain Name: lunariaweb.com
Registry Domain ID: 1234896870_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.meshdigital.com
Registrar URL: http://www.domainbox.com
Updated Date: 2024-09-19T15:59:55Z
Creation Date: 2007-09-23T18:06:30Z
Registrar Registration Expiration Date: 2025-09-23T18:06:30Z
Registrar: MESH DIGITAL LIMITED
Registrar IANA ID: 1390
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8779770099
Domain Status: ok https://icann.org/epp#ok
Registrant Organization: Lunaria Ltd
Registrant State/Province: Lothian
Registrant Country: GB
Registrant Email: https://webform.meshdigital.com
Admin Email: https://webform.meshdigital.com
Tech Email: https://webform.meshdigital.com
Name Server: ARNOLD.NS.CLOUDFLARE.COM
Name Server: IRIS.NS.CLOUDFLARE.COM
DNSSEC: unsigned

It seems like the parent registry and Mesh Digital’s systems are out of sync somehow, as Mesh Digital’s WHOIS server claims “DNSSEC: unsigned”.

But that is not true, as you can see from the first section:

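The algorithm mismatch explained earlier in the thread (a DS for algorithm 8 in the com zone while Cloudflare signs with a different algorithm) and the analyzer lines “None of the 2 DNSKEY records could be validated by any of the 1 DS records” come down to one check a validating resolver performs: hash each child DNSKEY and compare it with the parent’s DS. The script below is an added example, not code from the thread, Cloudflare or Verisign; it implements the DS digest (RFC 4034 §5.1.4) and key tag (RFC 4034 Appendix B) calculations from the standard library only. The two algorithm‑13 DNSKEYs are constructed placeholders (the real Cloudflare key material is not on the page); the DS record is the one shown in the whois output above.

```python
"""Check whether a parent-zone DS record matches any DNSKEY published by the child zone.

Added example: reproduces the "No DNSKEY matches DS RRs" failure offline by doing the
DS digest (RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B) calculations.
"""
import hashlib
from dataclasses import dataclass

# Algorithm and digest-type numbers from the IANA DNSSEC registries (subset).
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
                   13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    public_key: bytes   # raw key material exactly as carried in the RDATA

    def rdata(self) -> bytes:
        # flags (2 bytes) | protocol (always 3) | algorithm (1 byte) | public key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSAMD5)."""
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte << 8 if i % 2 == 0 else byte
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def parse_ds(text: str) -> DS:
    """Parse the presentation form '<tag> <alg> <digest type> <hex digest>' as printed by whois."""
    tag, alg, dtype, hexdigest = text.split()
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex(hexdigest))


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS for a DNSKEY: digest over the owner name (wire form) followed by the DNSKEY RDATA."""
    digest = DIGEST_FUNCS[digest_type](name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """RFC 4035 section 5.2: key tag, algorithm and digest must all agree."""
    return (ds.key_tag == key.key_tag() and ds.algorithm == key.algorithm
            and ds.digest_type in DIGEST_FUNCS
            and make_ds(key, ds.digest_type).digest == ds.digest)


def find_matching_key(ds: DS, keys):
    """The DNSKEY authenticated by this DS, or None (the analyzer's 'could not be validated')."""
    return next((k for k in keys if ds_matches(ds, k)), None)


def explain_mismatch(ds: DS, keys) -> str:
    """Say which of the three DS fields breaks the chain of trust, in order of likelihood."""
    if find_matching_key(ds, keys) is not None:
        return "DS matches a DNSKEY; chain of trust is intact"
    child_algs = sorted({k.algorithm for k in keys})
    if ds.algorithm not in child_algs:
        return (f"algorithm mismatch: DS is for {ALGORITHM_NAMES.get(ds.algorithm, ds.algorithm)} "
                f"but the zone only publishes {[ALGORITHM_NAMES.get(a, a) for a in child_algs]}")
    if ds.key_tag not in {k.key_tag() for k in keys}:
        return f"key tag mismatch: DS points at tag {ds.key_tag}, zone publishes {[k.key_tag() for k in keys]}"
    return "digest mismatch: tag and algorithm agree but the key material differs"


# Constructed sample: two algorithm-13 keys, as a zone hosted on Cloudflare would publish.
# The key bytes are arbitrary placeholders, not the zone's real keys.
SAMPLE_KEYS = [
    DNSKEY("lunariaweb.com", 257, 13, bytes(range(64))),        # KSK (the one a DS normally covers)
    DNSKEY("lunariaweb.com", 256, 13, bytes(range(64, 128))),   # ZSK
]
# The DS actually published in the com zone, copied from the whois output quoted in the thread.
REGISTRY_DS = parse_ds("61669 8 2 409A48FF4754C7D51C6E22CE17363EE84F4C674953E909578974C10739246497")

if __name__ == "__main__":
    print("registry DS:", explain_mismatch(REGISTRY_DS, SAMPLE_KEYS))
    correct_ds = make_ds(SAMPLE_KEYS[0])
    print("DS the registrar should publish:", correct_ds.key_tag, correct_ds.algorithm,
          correct_ds.digest_type, correct_ds.digest.hex().upper())
    print("after the fix:", explain_mismatch(correct_ds, SAMPLE_KEYS))
```

Run as-is it reports the algorithm mismatch for the DS in the com zone and prints the DS that would have to be handed to the registrar for the constructed KSK. To check a real delegation, replace `SAMPLE_KEYS` with the DNSKEY records the zone actually serves (flags, algorithm and base64-decoded key) and `REGISTRY_DS` with the DS from the parent; the same three-field comparison is what Google Public DNS and the Verisign analyzer are doing when they refuse to validate.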

Thanks, I’ll post a link to this thread to my registrar. Appreciate all the help and info 👍

After three weeks, my registrar finally solved the issue. Here’s the last post from the ticket:

The record should be deleted now, we have added it and removed it once again which seems to have worked despite the record not being displayed in the first place.

The moral of the story is that “persistence pays”. The world of DNSSEC is not plain sailing, even for registrars.

