DNSSEC is pending while we wait for the DS to be added to your registrar

v2ss · January 9, 2021, 3:19pm

Here is the status.

My domain wert.ws was bought at internetbs.net at 2021-01-03.

About DNSSEC, they told me:

Staff:
You are using CloudFlare nameservers for your domain name, and you should be adding the DNSSEC records with them

Me:
Are you sure? I believe “No DS records found for wert.ws in the ws zone” means registrar has to do something.

Staff:
As the NS and Zone record for the domain name is being provided by CloudFlare, you will have to add it with them.
Also, the DNSSEC records you have added with us updated fine.

Looks like they have done their part.
Am I wrong? How can I “adding the DNSSEC records with CloudFlare”?

sdayman · January 9, 2021, 5:44pm

It sounds like you went through the steps. As long as you added the correct DNSSEC info at your registrar, it shouldn’t say Pending for more than a day.

You may want to double-check the DNSSEC data in the Cloudflare Dashboard and make sure it matches what you added at your registrar.

v2ss · January 10, 2021, 3:04am

Yes I have checked many times, every string matched except TTL.
CloudFlare shows me 3600, but after I added it to the setting page provided by Internetbs, it changes to 86400.

I have also waited for a few days already.

How can I know if Internetbs really done their jobs except their statement?

v2ss · January 10, 2021, 3:09am

Yes, I have also enabled DNSSEC for another domain by same steps with another registrar.
It only took a few minutes.

Can’t figure out why it becomes a totally different story at Internetbs.

v2ss · January 10, 2021, 5:06am

This is what happening.
After page reloading, TTL was changed from 3600 to 86400.

Does TTL matter for DNSSEC?

sdayman · January 10, 2021, 2:43pm

DNSSEC is a special DNS record, so TTL does matter. Instead of caching/verifying any changes every 1 hour, it will be 24 hours. Not a big deal if DNSSEC is correctly set, but if you want to disable or change it, you’ll need to plan a day in advance. Usually disable it in preparation for a name server change.

v2ss · January 12, 2021, 3:32am

I got reply from “Level 2 Support Team” of InternetBS.

Dear xxxx,

Sorry but currently we do not support DNSSEC for .ws domain names under us and hence you see the error.

Best regards,

I have requested support for 3+ times for DNSSEC, they just keep telling me different stories, after many days has passed then I got this result.

sdayman · January 12, 2021, 3:59am

That must be some deep dark secret there, because .ws supports DNSSEC.