DNSSEC is pending while we wait for the DS to be added to your registrar

v2ss · January 9, 2021, 3:19pm

Here is the status.

My domain wert.ws was bought at internetbs.net at 2021-01-03.

About DNSSEC, they told me:

Staff:
You are using CloudFlare nameservers for your domain name, and you should be adding the DNSSEC records with them

Me:
Are you sure? I believe “No DS records found for wert.ws in the ws zone” means registrar has to do something.

Staff:
As the NS and Zone record for the domain name is being provided by CloudFlare, you will have to add it with them.
Also, the DNSSEC records you have added with us updated fine.

Looks like they have done their part.
Am I wrong? How can I “adding the DNSSEC records with CloudFlare”?

sdayman · January 9, 2021, 5:44pm

It sounds like you went through the steps. As long as you added the correct DNSSEC info at your registrar, it shouldn’t say Pending for more than a day.

You may want to double-check the DNSSEC data in the Cloudflare Dashboard and make sure it matches what you added at your registrar.

v2ss · January 10, 2021, 2:57am

Yes I have checked many times, every string matched except TTL.
CloudFlare shows me 3600, but after I added it to the setting page provided by Internetbs, it changes to 86400.

I have also waited for a few days already.

How can I know if Internetbs really done their jobs except their statement?

v2ss · January 10, 2021, 3:09am

Yes, I have also enabled DNSSEC for another domain by same steps with another registrar.
It only took a few minutes.

Can’t figure out why it becomes a totally different story at Internetbs.

v2ss · January 10, 2021, 4:56am

This is what happening.
After page reloading, TTL was changed from 3600 to 86400.

Does TTL matter for DNSSEC?

sdayman · January 10, 2021, 2:43pm

DNSSEC is a special DNS record, so TTL does matter. Instead of caching/verifying any changes every 1 hour, it will be 24 hours. Not a big deal if DNSSEC is correctly set, but if you want to disable or change it, you’ll need to plan a day in advance. Usually disable it in preparation for a name server change.

v2ss · January 12, 2021, 3:32am

I got reply from “Level 2 Support Team” of InternetBS.

Dear xxxx,

Sorry but currently we do not support DNSSEC for .ws domain names under us and hence you see the error.

Best regards,

I have requested support for 3+ times for DNSSEC, they just keep telling me different stories, after many days has passed then I got this result.

sdayman · January 12, 2021, 3:59am

That must be some deep dark secret there, because .ws supports DNSSEC.

fritex · February 13, 2021, 8:45pm

It reminds me on the similar situation where Namecheap does not support or at least does not provide a way (neither through their interface, neither the person from Chat Support cannot do it) to add a DS record for .eu and some other TLDs (https://www.namecheap.com/support/knowledgebase/article.aspx/9718/2232/nameservers-and-tlds-supportedunsupported-by-dnssec/), while the .eu TLD has DNSSEC supported

I got the similar reply from few domain “reseller” at my country too, but it’s just the case at which one you are purchasing your next domain and which one does know how to add it manually or not at all.

Later on, you transfer your domain to another one, but first ask if they support DNSSEC and if the DS record can be added for your domain.tld

system · June 18, 2021, 9:54pm