DNSSEC setup cannot be canceled

I have enabled DNSSEC yesterday, but then realized I still needed to move all DNS records to Cloudflare. So I hit the “Cancel Setup” button and started migrating records. Today I want to get started with DNSSEC and it’s still telling me that “DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.”

So I hit “Cancel Setup” again, only to see an error message at the bottom: “DNSSEC is already disabled (Code: 1004)”. Looks like I’m in limbo here. I still want to use DNSSEC, that was the whole reason for me to migrate to Cloudflare in the first place.

What to do?

1 Like

I kind of ignore that. If you don’t have DNSSEC set at your registrar, the DNSSEC at this end does nothing.

1 Like

DNSSEC is already set at the registrar (name.com). When analyzing DNSSEC using https://dnssec-analyzer.verisignlabs.com I get an error on the domain: “No DS records found for yourdomain.com in the com zone”. Who is responsible for that record? Cloudflare or my registrar?

That would be your registar. They’re your domain’s link to the .com zone.

1 Like

I have the same issue. We need to create the DNSSEC in Cloudflare first, to then go back to the registrar with the required data - which we can’t.

I even deleted the domain from Cloudflare and re-added it, however unfortunately it’s still giving me the same issue.

I managed to fix this issue using the Cloudflare API.

The problem was that DNSSEC was disabled for the domain, but the Cloudflare interface didn’t register this as an action to show the “Enable DNSSEC” button. I used the API to make a PATCH call to the dnssec endpoint of my domain with a body of {"status": "active"}. This gave me the DS options for my registrar via the API call and in the Cloudflare interface.


I managed to fix this by sending a DELETE request, sending status active via PATCH did not work for me.
In firefox you can do this easily by opening the inspector, click on “Cancel Setup”, let it error out and then right click on the PATCH request to edit it. Then change PATCH to DELETE, remove the body and send.


1 Like

It’s great that you found workarounds via the API, but there shouldn’t be a need for workarounds in the first place. :slight_smile: The UI should be managing all DNSSEC-related functionality under the hood, and not be buggy and slow. There have been several threads on the community about this issue, so the CF devs should investigate and patch it.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.