DNSSEC issues

So I had DNSSEC enabled a while back however disabled it, not until recently was I made aware that anyone using quad9 can not use my domain because the dnssec records are stuck, I have confirmed with my registrar that there side there are no records and I was advised that I would need them removed by cloudflare.

Also to note they are not even enabled on my domain

Domain?

hyehost.co.uk

Your domain still has secure delegation from the parent zone.

hyehost.co.uk | DNSViz

2 Likes

I would be lying if I said I understand that completely, I did notice that it has not been updated for 10 days so I have now updated it

1 Like

Can you share a screenshot from your Cloudflare dashboard where you see DNSSEC disabled? I ask this because I see an RRSIG record returned when I query your domain using dig with the +dnssec flag. If DNSSEC is disabled in your Cloudflare account, that record should not exist.

Thank you for doing that. We can see that you now have an insecure delegation, which means that RRSIG record should be ignored by validating resolvers. You shouldn’t still have any difficulty with Quad 9.

1 Like

Of course I can here you go https://i.imgur.com/Iha85lD.png

I’ve noticed this before. One of my domains also returns RRSIG records, even though I am 100% certain that DNSSEC is disabled. I switched it on and off multiple times, RRSIGs are still served.
I haven’t thought too much about it as there’s not really a downside to it.

1 Like

I don’t have any of my own zones that have DNSSEC disabled to use for comparison. Your reported observation matches my expectations. Once the records for secure delegation are no longer present in the parent zone (and any downstream cache), the continued presence of RRSIG records in the child’s zone will have no effect.

2 Likes

I have reached out to my domain register again to make sure there is nothing there side but as far as it all stands there should be nothing I can do but I will give it a few days, I made the thread because I am told that sometimes this needs to be done manually by cloudflare however I am not sure of the validity of this but it causes me issues as anyone using quad9 with dnssec can not see any of my domains records and thus not everyone can email me

The DNSViz results confirm there is nothing they need to do.

By whom?

What needs to be done manually by Cloudflare?

This should no longer be the case.

If the issue persists, you may want to have the affected parties troubleshoot their DNS resolver configurations.

1 Like

I appreciate all the replies to this issue and fingers crossed it is sorted with time.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.