DNSSEC Error: "No DNSKEY matches DS RRs of lunariaweb.com"

What is the name of the domain?

lunariaweb.com

What is the error message?

https://dns.google/resolve?name=lunariaweb.com&type=A

What is the issue you’re encountering?

Failure of DNS resolution after 72 hours

What steps have you taken to resolve the issue?

Checked DNSSEC record at origin server. Registrar advises that DNSSEC record exists, chasing for the actual record.

What feature, service or problem is this related to?

DNSSEC

What are the steps to reproduce the issue?

https://dns.google/resolve?name=lunariaweb.com&type=A

The DNSSEC configuration on your domain registrar, Mesh Digital, is incorrect:

Cloudflare does not sign DNSSEC data with algorithm 8 (RSASHA256), which is the algorithm that has been configured in the DNSSEC Delegation Signer (DS) record, through your registrar.

It also looks like Cloudflare is awaiting your removal of the DS record, in order to disable DNSSEC.

So you will need to decide whether or not you want DNSSEC enabled, and if you do, you will need to enable DNSSEC in Cloudflare, and then correct the configuration through your registrar.
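To make the "No DNSKEY matches DS RRs" condition concrete, here is an added example (not from this thread or from Cloudflare) that derives a DS record from a DNSKEY the way a validator does (RFC 4034 section 5.1.4 and Appendix B) and checks a DS set against a DNSKEY set. The zone name and the 64-byte key are constructed dummy values; a stale DS carrying algorithm 8 is shown failing against a zone key using algorithm 13 even when the digest bytes are identical.

```python
import base64
import hashlib
import struct

# Digest types a DS record may carry (RFC 4034 section 5.1.3, RFC 6605).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the historic RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, digest_hex) derived from one DNSKEY:
    the digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = hashlib.new(DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)

def matching_keys(owner, ds_records, dnskeys):
    """Indices of the DNSKEYs that at least one DS in ds_records authenticates.
    Key tag, algorithm and digest must all agree, so a DS published with
    algorithm 8 can never match a zone signed with algorithm 13."""
    matched = []
    for i, (flags, proto, alg, key) in enumerate(dnskeys):
        for tag, ds_alg, dtype, digest in ds_records:
            if dtype not in DIGEST_ALGS:
                continue  # unknown digest type: treat as not matching
            if ds_from_dnskey(owner, flags, proto, alg, key, dtype) == (tag, ds_alg, dtype, digest.lower()):
                matched.append(i)
                break
    return matched

# Constructed sample: a KSK (flags 257) using algorithm 13 (ECDSAP256SHA256);
# the 64-byte "public key" is dummy data, not a real key.
ZONE = "example.com."
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
GOOD_DS = ds_from_dnskey(ZONE, *KSK)
# A stale DS left at the registry by a previous provider: algorithm 8 (RSASHA256).
STALE_DS = (GOOD_DS[0], 8, 2, GOOD_DS[3])

if __name__ == "__main__":
    print("current DS matches DNSKEY index:", matching_keys(ZONE, [GOOD_DS], [KSK]))  # [0]
    print("stale algorithm-8 DS matches:", matching_keys(ZONE, [STALE_DS], [KSK]))    # []
```

Feeding the live DS set from the parent (registry) and the DNSKEY set from the zone's name servers into `matching_keys` returns an empty list exactly when a validating resolver would report this error.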

Thank you, I guessed that was the case. I thought about enabling DNSSEC at Cloudflare but I couldn’t access my DNSSEC record at the registrar - I have the record on my origin server though.
Is there a way (or a tool) for me to query the record at my registrar and set the Cloudflare record up to match?

That would be mandatory, in order to be able to fix this.

Once DNSSEC is enabled within Cloudflare, you can see the actual DNSSEC material (e.g. the fields you need for setting up the DS record through your registrar) within the Cloudflare Dashboard.

If you cannot add, modify or delete DNSSEC material through your domain registrar’s control panel, you would need to open a support ticket with them, to coordinate the material (or otherwise to request further information about how you can do that yourself).

Not sure if I’m understanding the point of this?

The DNSSEC material will only be relevant between the domain registry (and most often, coordinated to them through the domain registrar you’ve registered the domain with), and then the organisation that operates the name servers you’re using.

It won’t do anything anywhere else.

2 Likes

The point about the record on the origin server was that I could refer back to it, as a snapshot of how the DNSSEC looked prior to nameserver migration.
In the end, I have asked my registrar to delete the record at the registry which they say they have done.
I have no idea how long it will take for the DNS to sort itself out though. 24 hours in and I’m still getting an error from Google’s public DNS query.

It still hasn’t been deleted, and still exists in the parent registry.

48-96 hours, starting from the time when it has been deleted properly.

1 Like