DNSSEC stuck at pending for multiple sites

Website, Application, Performance DNS & Network
1

What is the name of the domain?

district36.com.au, sutherlandshirefreemasons.au, sutherlandshirefreemasons.au

What is the error message?

DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.

What is the issue you’re encountering

DNSSEC records stuck on pending

What steps have you taken to resolve the issue?

Have contacted the hosting provider who has informed me that the records have been applied.

What feature, service or problem is this related to?

DNSSEC

Screenshot of the error

Untitled.png

2

I’m afraid none of the above domains are using the correct DS record yet. You need to update the DS records at your registrar with the values provided by Cloudflare.

3 Likes
3

Unless your hosting provider is your registrar you have not made the change in the correct location.

2 Likes
5

Can you show a screenshot of the DS record that you are supposed to use for district36.com.au from the Cloudflare dashboard?

That is also not working. You can check here, there are still red marks:

1 Like
6

269~3
269~3793×528 75.4 KB

They have stated it must be a Cloudflare issue, Saying it says signedDeligation and it has been applied.
I have tested all of them using dnsviz and they give errors apart from district36.au.

7

“signedDelegation” means DNSSEC has been enabled by your registrar. But is is using the wrong DS records, so it doesn’t work.

1 Like
8

Screenshot 2024-07-13 at 1.43.34 AM
Screenshot 2024-07-13 at 1.43.34 AM448×670 17.5 KB

9

You can see that the DS record in your screenshot starts with 2371.

You can see here that the DS record that your registrar set for your domain starts with 257, and is also completely different otherwise:

dig +trace district36.com.au

...

district36.com.au.      3600    IN      NS      frida.ns.cloudflare.com.
district36.com.au.      3600    IN      NS      carlos.ns.cloudflare.com.
district36.com.au.      3600    IN      DS      257 13 2 F6E12E600931A02E14F7767A2056466091FBA0FD1590B111F0B0346B 28C8D810
district36.com.au.      3600    IN      RRSIG   DS 8 3 3600 20240730151720 20240709141720 12489 com.au. KxkwYWnZsvYexJC+wnpGRQsQRCJBTvbyTfv4phW1vMySCxFTTwEOMNdE YwtVSb20o3dUlJeR8MEUua6mWCYebDSnbiWHLCEVezuHgEbsaQJ1vaWp wfvXZeHlN275JTJEqo1BeXfQ0xsqN1Y1OsVE+JqUhckqv1kNzDIFxuBu 6XY=
;; Received 318 bytes from 65.22.199.1#53(t.au) in 8 ms

Your registrar needs to update the DS record to the correct value for all 3 domains.

Edit: The domain in your screenshot is district36.au, not one of the domains you mentioned in your opening post. But the other DS records will also start with 2371.

That domain is actually set correctly:

district36.au.          3600    IN      NS      lilith.ns.cloudflare.com.
district36.au.          3600    IN      NS      elmo.ns.cloudflare.com.
district36.au.          3600    IN      DS      2371 13 2 4FB2F55D53E2C0BF20D2FB5830004EF90B7E6C10C4FDB278B49F3864 9EA2F9E3
district36.au.          3600    IN      RRSIG   DS 8 2 3600 20240821075409 20240710062409 28089 au. fbXcol1sPLGiVoaNdRzW1MZmnNw+USLi+dVD4wLHd4uolfQba6V3pq0n YBuSdUOUEvqmCqU8AMaJFjsRNIWtb7l2SSjgWcmvZhlIHw7nDg/xRE2s WwPxpfLpkMrrf4cjkOlxJZbaLW4+dBvtqePgwjDZFpMDQs+KomYjVahR zzEz63lHWyQSvWeRw4KGdiYhum/ERtReG7LyAQ2824340tbxHjt8ImJ5 wC6KEdadVPvsXb/TOkEAqqRgwU+i0J+5J6mRpteJp5E4/nXUy7DsVIZa W/BhE79gJzn0YtyChEqT4lHmXzeFXgv6PR4CGLqcHI0HhIqyzkijI7OX VWQhsQ==
;; Received 437 bytes from 65.22.196.1#53(q.au) in 36 ms
4 Likes
12

You don’t need to post all, you can just check for yourself that they all start with 2371.

1 Like
13

Yes, they do…
So clearly my host has input the incorrect information!
Thanks for your help!
Much appreciated!!!

2 Likes
14

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.