DNSSEC not getting updated after cloudflare has become registrar

arnbak · February 11, 2022, 7:56am

DNSSEC not getting updated.
I have transferred my domain to Cloudflare, both nameservers and as registrar.
The main problem is that I forgot to disable DNSSEC at my previous registrar before I set the transfer in motion, so they were not able to update the DNSSEC configuration while the domain was being transferred.

The domain is now transferred and Cloudflare is the registrar, and I would have expected the configuration to be updated automatically as the DNSSEC configuration states at the Cloudflare configuration.

However 24hours have now passed, and the configuration is not updated. So the domain is still not functioning completely as it should. What can I do to get the configuration updated?

Best regards
Lars

Neeraj_1 · February 11, 2022, 9:31am

Can you send the domain so we will check what’s the issue and confirm with you .

arnbak · February 11, 2022, 9:37am

its arnbak.com - the domain DS record is the one from the old setup. So I recon it needs to be updated.

Neeraj_1 · February 11, 2022, 9:41am

Is it showing Cloudflare is protecting your site . ?

arnbak · February 11, 2022, 9:47am

All dns records is at Cloudflare yes.
But the DS record is the one from the old dns provider. Not the correct one.

;; ANSWER SECTION:
arnbak.com.		82380	IN	DS	23942 8 2 0813EDA741D2B24ADD805BD9E1460E8BABCC614935BC82EE477D6C75 4875E9E1

Would have expected it to be

arnbak.com. 3600 IN DS 2371 13 2 B132DF976CE702A692A3B864BDAA980F91A13BAABF9BC2A89A434D9DF2179555

Which is the new one, generated by Cloudflare. But not yet applied at the registrar.

Its also reported as bogus by the dnsviz tool:

https://dnsviz.net/d/arnbak.com/dnssec/

Neeraj_1 · February 11, 2022, 9:49am

Your Records are correctly done . But Can you send a Screenshot from Cloudflare showing your site is protected by Cloudflare ?

arnbak · February 11, 2022, 9:56am

I’m not sure I follow here? Protected by Cloudflare?
I’m only using the dns configuration tools from Cloudflare. Cloudflare has Authoritative dns for the domain, and they are registrar as well. The configuration needs to be updated from the registrar.
What specifically in the configuration tool is it you want a screenshot from? Only thing I have setup is DNS configs.

Neeraj_1 · February 11, 2022, 9:59am

I’m Not Sure about this issue Please wait while any other community member help you

& is this the Nameservers you Added ?
melany.ns.cloudflare.com.
plato.ns.cloudflare.com.

arnbak · February 11, 2022, 10:01am

Yes its using Cloudflare nameservers.

~ » dig arnbak.com NS                                                                                                                                                [email protected]

; <<>> DiG 9.10.6 <<>> arnbak.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9818
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;arnbak.com.			IN	NS

;; ANSWER SECTION:
arnbak.com.		86400	IN	NS	plato.ns.cloudflare.com.
arnbak.com.		86400	IN	NS	melany.ns.cloudflare.com.

;; ADDITIONAL SECTION:
melany.ns.cloudflare.com. 258	IN	A	162.159.38.138
melany.ns.cloudflare.com. 258	IN	A	172.64.34.138
melany.ns.cloudflare.com. 258	IN	A	108.162.194.138
melany.ns.cloudflare.com. 486	IN	AAAA	2803:f800:50::6ca2:c28a
melany.ns.cloudflare.com. 486	IN	AAAA	2a06:98c1:50::ac40:228a
melany.ns.cloudflare.com. 486	IN	AAAA	2606:4700:50::a29f:268a
plato.ns.cloudflare.com. 425	IN	A	173.245.59.223
plato.ns.cloudflare.com. 425	IN	A	108.162.193.223
plato.ns.cloudflare.com. 425	IN	A	172.64.33.223
plato.ns.cloudflare.com. 886	IN	AAAA	2606:4700:58::adf5:3bdf
plato.ns.cloudflare.com. 886	IN	AAAA	2803:f800:50::6ca2:c1df
plato.ns.cloudflare.com. 886	IN	AAAA	2a06:98c1:50::ac40:21df

;; Query time: 14 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Feb 11 10:59:58 CET 2022
;; MSG SIZE  rcvd: 358

Neeraj_1 · February 11, 2022, 11:26am

Do you have a Premium Plan ?

arnbak · February 11, 2022, 11:34am

I have not, unfortunately. According to their ticket response, this is the way to do it.

Neeraj_1 · February 11, 2022, 11:40am

Ok someone here can esclate your ticket

Please await for Response .

fritex · February 11, 2022, 2:01pm

Greetings,

I am sorry to hear you are experiencing an issue.

Sometimes it needs 48 or 72 hours for DNSSEC to clear.

Is DNSSEC option disabled at Cloudflare dashboard? Please disable it.

~~Kindly, may I ask you to share your ticket number here so we could escalate this for you. Thank you in advance.~~

Okay, I’ve found it:

Escalated.

TKlein · February 14, 2022, 10:29am

Hi there,

I can see that there is no DS record present any more:

% dig DS arnbak.com +short
(empty answer)

So therefore, I think that this issue is resolved already. Can you confirm this @arnbak?

arnbak · February 14, 2022, 11:41am

Thanks for the reply. Yes I switched off DNSSEC completely from the configuration interface, as suggest in this thread. And the record got deleted some hours later, and the domain started working again.
So thats nice!

I obviously want to enable DNSSEC again, however I’m wondering if the DS record will get applied. It suprised me a little bit, that it didn’t override the old one, after the move to Cloudflare as registrar and I switch it on.

system · February 17, 2022, 11:41am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

jochen · February 23, 2022, 9:33am

You can enable DNSSEC again via these instructions:
https://developers.cloudflare.com/dns/additional-options/dnssec