DNSSEC - Sites down after adding DS record

What is the name of the domain?

example.com

What is the error number?

Sites down after adding DS record

What is the issue you’re encountering

We have an existing domain, example.com. Recently we have onboarded only a subdomain to Cloudflare, i.e., abc.example.com. We can’t move the main domain to Cloudflare now as there are a few sites which are live and it will take time, but we have onboarded abc.example.com in Cloudflare and want to enable DNSSEC. To achieve DNSSEC, we have updated the Cloudflare-provided NS records at the domain registrar Easyspace. After enabling DNSSEC in Cloudflare we received the DS key, which was added in Easyspace.

What feature, service or problem is this related to?

DNSSEC

Are you using a partial setup for this?

What is the domain and subdomain?

Do you have an Enterprise plan?

If not, for a full setup you need the domain to be set to use the 2 allocated Cloudflare nameservers, whereas you have delegated nameservers for gaweua to Cloudflare. Your domain won’t be active in Cloudflare until the 2 Cloudflare nameservers are set at your registrar for the domain.
https://cf.sjr.org.uk/tools/check?b3d56f19d09e48d58874b098f2acdb4a#dns

With an Enterprise plan you can add subdomains as a site to Cloudflare.


The NS records have already been added at the domain registrar. We were able to access the URL hosted in Cloudflare without any issue.
Once the DS record was updated in the registrar after enabling DNSSEC, all the sites went down.

DNSSEC isn’t enabled for the domain so the chain is broken…
https://dnsviz.net/d/gaweua.bfsiplatform.com/dnssec/

While I understand you want to try Cloudflare on a subdomain first, this isn’t possible without an Enterprise plan. Cloudflare needs to be authoritative for your domain so you need to set the 2 allocated Cloudflare nameservers at your registrar (in place of the namecity.com nameservers) after entering your DNS records into the Cloudflare DNS.

It may have appeared to work (it isn’t resolving at the moment), but your domain will remain pending in Cloudflare until that is done.


Thanks for your response!
So, as DNSSEC is not enabled for the main domain, the chain of trust is broken.
Yes, an Enterprise plan is used and the two NS records are added in the registrar.

Is there any way to achieve DNSSEC for a subdomain only (without onboarding the main domain to Cloudflare)? As I said before, at this moment there are some dependencies on moving the main domain to Cloudflare.

That’s what I was looking for, to determine if the setup itself was valid. So you have a subdomain setup.

Starting from the beginning, you need to enable DNSSEC for the zone on Cloudflare here…
https://dash.cloudflare.com/?to=/:account/gaweua.bfsiplatform.com/dns/settings
…and copy the DS records given into the nameservers above (the namecity.com ones).

You then need to enable DNSSEC for the domain itself; talk to your registrar for this. The registrar will apply DS records to the .com zone nameservers above.

Note that when adding the domain itself to Cloudflare later, you will need to disable DNSSEC at the registrar or use multi-signer DNSSEC first to avoid downtime, as the DS records at the registrar will need to be updated when the nameservers change.

Once the domain is added to Cloudflare, make sure the NS and DS records for gaweua are added to the Cloudflare DNS for the domain as they will be separate DNS zones on Cloudflare (or you can remove the gaweua subdomain setup zone and include the DNS records - without NS and DS - under the domain).

Yes, a complete chain needs to be formed from the . root servers to the hostname so each level confirms the nameservers below are correct.

It is not, but as I said above, you still need to add the DS records given by Cloudflare into the namecity.com DNS if you want to sign gaweua.bfsiplatform.com.


You need to create the DS record in exactly the same place where you created the NS records for Cloudflare.
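An added example (not code from the thread or from Cloudflare) of why the DS has to live in the parent zone next to the NS records: the DS digest is computed over the child's owner name plus its DNSKEY, and a validator treats a DS with no matching DNSKEY at the delegated zone as bogus. The key bytes and the example.com / abc.example.com zone contents are constructed for illustration.

```python
import hashlib

# Constructed sample public key (not a real key): 64 bytes, the size of an ECDSA P-256 key (alg 13).
SAMPLE_PUBKEY = bytes(range(1, 65))
CHILD_KSK = (257, 3, 13, SAMPLE_PUBKEY)  # flags 257 = KSK, protocol 3, algorithm 13

def wire_name(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey):
    """DS RDATA (key tag, algorithm, digest type 2 = SHA-256, digest) for a DNSKEY owned by 'owner'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()  # name is part of the hash
    return (key_tag(rdata), algorithm, 2, digest)

def delegation_status(parent_ds, child, child_keys):
    """Validator outcome for 'child' given the DS records its parent publishes (dict owner -> [DS]).
    No DS -> 'insecure' (resolves unsigned); matching DS -> 'secure'; DS with no matching key -> 'bogus'."""
    published = parent_ds.get(child.lower().rstrip("."), [])
    if not published:
        return "insecure"
    expected = {make_ds(child, *k) for k in child_keys}
    return "secure" if any(ds in expected for ds in published) else "bogus"

def thread_scenario():
    """Three states of the DS that was generated for the signed subdomain abc.example.com."""
    ds = make_ds("abc.example.com", *CHILD_KSK)
    # Wrong: DS given to the registrar lands in the .com zone under example.com, which is unsigned.
    com_zone = {"example.com": [ds]}
    # Right: DS placed in the example.com zone, beside the NS records that delegate abc.example.com.
    example_zone = {"abc.example.com": [ds]}
    return {
        "example.com with DS at registrar": delegation_status(com_zone, "example.com", []),
        "abc.example.com before DS in parent": delegation_status({}, "abc.example.com", [CHILD_KSK]),
        "abc.example.com with DS in parent": delegation_status(example_zone, "abc.example.com", [CHILD_KSK]),
    }
```

The first result is the "sites down" outcome: every name under example.com is treated as bogus by validating resolvers, so nothing below it resolves.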
