DNSSEC is pending, possibly enabled at previous registrar

I transferred my domain from Google Domains to Cloudflare, which is now the new registrar. On the Cloudflare DNS settings, I’ve clicked the “Enable DNSSEC” button and it still says “DNSSEC is pending while we automatically add the DS record on your domain.” Several days have passed in this state.

When I use dig on my domain I get SERVFAIL and “no SEP matching the DS found for mydomain”. I also used dnsviz to check my domain and it shows several errors. The top graph shows DNSKEY with Algorithm 8 and at the bottom in red it shows DNSKEY with Algorithm 13, which I understand is what Cloudflare uses. Based on a related topic, this could be an indication that DNSSEC was enabled before, but I am not sure how to verify or fix that, since I can no longer access that domain on my google account. I didn’t know that turning off DNSSEC before transfer was required!

What steps should I follow to fix this? All help is much appreciated.

I just had this happen.

Submit a ticket to registrar support explaining the issue. https://support.cloudflare.com/ My ticket was sent a bot response for including a term that it identified as being a premium support issue. You can reply to that response for a human to review it. Once a human responded to me, the issue was fixed the next day.

Thank you, that was very helpful! I just created a ticket, will wait for a response.

Now that I think about it, I have a vague recollection that I did disable DNSSEC before the transfer. If this is a step advised in the transfer process, then I almost certainly followed it, I just totally forgot about it. The thing is though, I’d have proceeded immediately with the transfer, as I did not really understand why that was needed.

My advice to anyone about to do a domain transfer is to check first that DNSSEC is actually disabled; simply toggling the box at the registrar is not enough. Run dig and check with dnsviz to make sure that it’s actually gone, and wait if necessary. It’s far better than having to wait for the issue to be fixed afterwards.

Thanks to the great team at Cloudflare this has been fixed. Just an extra note that the Algorithm 8 mentioned in the initial post is absolutely normal and I still see it on dnsviz now that it’s all looking good. My understanding is that it is associated with the root TLD “.com” and is not in itself evidence that there were stale records, even though this seems to have been the case here.
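Added example, not part of the original thread and not Cloudflare's code: the check a validating resolver performs behind "no SEP matching the DS found", i.e. whether any DS record at the parent matches a DNSKEY the zone currently serves (key tag per RFC 4034 Appendix B, SHA-256 digest). The owner name and both keys are constructed placeholders, and `matching_ds`/`make_ds` are hypothetical helper names; with real data you would fill the tuples from `dig DS` and `dig DNSKEY` output.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034 section 5.1.4)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, key):
    """DS tuple (key_tag, algorithm, digest_type=2, SHA-256 hex) for one DNSKEY."""
    rdata = dnskey_rdata(*key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], 2, digest)

def matching_ds(owner, parent_ds, zone_keys):
    """DS records at the parent that point at a DNSKEY the zone actually serves."""
    served = {make_ds(owner, k) for k in zone_keys}
    return [ds for ds in parent_ds if (ds[0], ds[1], ds[2], ds[3].upper()) in served]

# Constructed sample data: not real keys, and "example.com" is a placeholder.
OWNER = "example.com."
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())  # previous signer
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())       # current signer
ZONE_KEYS = [NEW_KSK]                        # what the new nameservers publish
STALE_PARENT_DS = [make_ds(OWNER, OLD_KSK)]  # DS left behind at the registry
FIXED_PARENT_DS = [make_ds(OWNER, NEW_KSK)]  # DS after the registrar updates it

if __name__ == "__main__":
    for label, ds_set in (("stale", STALE_PARENT_DS), ("fixed", FIXED_PARENT_DS)):
        ok = matching_ds(OWNER, ds_set, ZONE_KEYS)
        print(label, "-> chain of trust", "intact" if ok else "broken (validators return SERVFAIL)")
```

An empty result while the parent still publishes a DS is the broken state described in this thread; an empty DS set at the parent means the zone is simply unsigned from the resolver's point of view, which is the safe state to transfer in.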