The DNSSEC configuration on your domain registrar, Mesh Digital, is incorrect:
Cloudflare does not sign DNSSEC data with algorithm 8 (RSASHA256), which is the algorithm that has been configured in the DNSSEC Delegation Signer (DS) record, through your registrar.
It also looks like Cloudflare is awaiting your removal of the DS record, in order to disable DNSSEC.
So you will need to decide whether or not you want DNSSEC enabled, and if you do, you will need to enable DNSSEC in Cloudflare, and then correct the configuration through your registrar.
Thank you, I guessed that was the case. I thought about enabling DNSSEC at Cloudflare but I couldn’t access my DNSSEC record at the registrar - I have the record on my origin server though.
Is there a way (or a tool) for me to query the record at my registrar and set the Cloudflare record up to match?
That would be mandatory, in order to be able to fix this.
Once DNSSEC is enabled within Cloudflare, you can see the actual DNSSEC material (e.g. the fields you need for setting up the DS record through your registrar) within the Cloudflare Dashboard.
If you cannot add, modify or delete DNSSEC material through your domain registrar’s control panel, you would need to open a support ticket with them, to coordinate the material (or otherwise to request further information about how you can do that yourself).
Not sure if I’m understanding the point of this?
The DNSSEC material will only be relevant between the domain registry (and most often, coordinated to them through the domain registrar you’ve registered the domain with), and then the organisation that operates the name servers you’re using.
The point about the record on the origin server was that I could refer back to it, as a snapshot of how the DNSSEC looked prior to nameserver migration.
In the end, I have asked my registrar to delete the record at the registry which they say they have done.
I have no idea how long it will take for the DNS to sort itself out though. 24 hours in and I’m still getting an error from Google’s public DNS query.
I have been round the houses with my registrar on this for weeks. They are insisting that they have removed the DNSSEC records and DNSSEC is disabled at Cloudflare, but if I run the report: https://dnssec-analyzer.verisignlabs.com/lunariaweb.com
I get
Found 2 DNSKEY records for lunariaweb.com
If they aren’t at Cloudflare, does that mean they must exist further up the chain, and possibly further up than the registrar’s record?
The nameservers are pointing to Cloudflare.
#1 Found 1 DS records for lunariaweb.com in the com zone
#2 None of the 2 DNSKEY records could be validated by any of the 1 DS records
#3 The DNSKEY RRset was not signed by any trusted keys
#1 means that DNSSEC is active, as there is a DS record in the parent registry.
#2 and #3 refer to the fact the DNSSEC (on Cloudflare’s side) does not match, because you have an incorrect DS record in the parent registry, according to the DNSSEC material from Cloudflare.
The 2 DNSKEY records do not have anything to do with the parent registry though; those are the “child keys”, at Cloudflare’s end.
You are looking to get the DS record in the parent registry fixed.
They do exist further up, yes.
The registrar will be the only party that is able to coordinate the add/update/delete operations on the DS record, which they will be passing on to the parent registry.
If your registrar is unable to do the operations on their own, they are the ones that would need to escalate the issue to the registry.
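As an added illustration of the mismatch the analyzer is reporting in #2 (example code written for this thread, not from the original posts, Cloudflare or Verisign): a DS record in the parent zone only validates a child DNSKEY when the key tag, the algorithm and the digest all agree, and the digest is a hash over the canonical owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4, SHA-256 per RFC 4509). The script below computes that check offline. The two algorithm 13 keys and the stale algorithm 8 DS are constructed stand-ins, not the zone's real keys; only the zone name is taken from the thread.

```python
"""DS-vs-DNSKEY consistency check (the test behind the analyzer's verdict).

Everything below is constructed sample data; nothing is queried over the network.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not valid for obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS record the parent zone should publish for this DNSKEY."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(canonical_name(owner) + key.rdata())
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, h.digest())


def dnskey_matches_ds(owner: str, key: DNSKEY, ds: DS) -> bool:
    """True only if tag, algorithm, digest type and digest all agree; unknown digest types never match."""
    if ds.digest_type not in DIGEST_ALGS:
        return False
    return ds_from_dnskey(owner, key, ds.digest_type) == ds


def check_delegation(owner: str, dnskeys: list, ds_set: list):
    """Return (verdict, matched pairs), worded like the analyzer's report line."""
    matched = [(k, d) for k in dnskeys for d in ds_set if dnskey_matches_ds(owner, k, d)]
    if not matched:
        return (f"None of the {len(dnskeys)} DNSKEY records could be validated by any of "
                f"the {len(ds_set)} DS records"), matched
    return f"{len(matched)} DNSKEY/DS pair(s) validate for {owner}", matched


# Presentation-format helpers so real `dig +short DS` / `dig +short DNSKEY` output can be pasted in.
def parse_dnskey(text: str) -> DNSKEY:
    flags, proto, alg, *b64 = text.split()
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(text: str) -> DS:
    tag, alg, dtype, *hexdigest = text.split()
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexdigest)))


def dnskey_to_text(key: DNSKEY) -> str:
    return f"{key.flags} {key.protocol} {key.algorithm} {base64.b64encode(key.public_key).decode()}"


def ds_to_text(ds: DS) -> str:
    return f"{ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex().upper()}"


# --- constructed sample data (assumed values, not the zone's real keys) ---
ZONE = "lunariaweb.com"
# Stand-ins for an ECDSA P-256 (algorithm 13) KSK and ZSK; a real key is 64 bytes of X||Y.
CURRENT_KSK = DNSKEY(257, 3, 13, bytes(range(1, 65)))
CURRENT_ZSK = DNSKEY(256, 3, 13, bytes(range(65, 129)))
# A stale algorithm 8 (RSASHA256) DS left at the registry from before the nameserver move.
STALE_DS = DS(key_tag=12345, algorithm=8, digest_type=2, digest=bytes.fromhex("ab" * 32))


if __name__ == "__main__":
    verdict, _ = check_delegation(ZONE, [CURRENT_KSK, CURRENT_ZSK], [STALE_DS])
    print("With the stale DS:", verdict)
    correct_ds = ds_from_dnskey(ZONE, CURRENT_KSK)
    print("DS the registrar should publish:", ds_to_text(correct_ds))
    verdict, _ = check_delegation(ZONE, [CURRENT_KSK, CURRENT_ZSK], [correct_ds])
    print("With the correct DS:", verdict)
```

To run it against live data, paste the parent's view of the DS (`dig +short DS lunariaweb.com`) into `parse_ds` and the DNSKEY set served by the Cloudflare nameservers (`dig +short DNSKEY lunariaweb.com @<one of the assigned nameservers>`) into `parse_dnskey`. A DS left over from a previous provider, which is what the algorithm 8 entry in the first post describes, fails on the algorithm field before the digest is even compared, so no change on the Cloudflare side can make it validate; only deleting or replacing the DS at the registry clears #2 and #3.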
After three weeks, my registrar finally solved the issue. Here’s the last post from the ticket:
The record should be deleted now, we have added it and removed it once again which seems to have worked despite the record not being displayed in the first place.
The moral of the story is that “persistence pays”. The world of DNSSEC is not plain sailing, even for registrars.