DNSSEC taking longer than 24 hours

Currently my domain is not receiving mail due to a misconfigured DNSSEC.

I recently moved from Google Domains to Cloudflare as both registrar and nameserver. It’s all on Cloudflare now.

I’ve disabled and re-enabled DNSSEC on my domain, piedallu.com, more than 25 hours ago now and see no change. It’s perpetually pending “In next 24 hours.” (I’ve confirmed the time I made the change on the Cloudflare audit logs at 2022-03-27T10:38:20-04:00)

(I’ve used https://dnsviz.net/d/piedallu.com/dnssec/ to validate that it is still broken past the 24 hour period.)

Please help!

Regards

Please wait another 23 or 24 hours, as DNS propagation can take up to 48 hours!

Thanks,

I read someplace that the 24 hours that Cloudflare specified included the DNS propagation.

Also, on Cloudflare’s own analysis page it shows that DNSSEC is not active, which should not be dependent on DNS propagation (since they are the registrar and primary DNS for my zone).

I wish there was more transparency in that status and current progress on the DS record being added etc. As it is I’m blind and there may be something else wrong… in the meantime I’ll start losing mail soon.

Did you have DNSSEC enabled before the transfer and, if so, did you disable it before transferring?

I read about this in the forums, unfortunately I cannot recall having this before on Google Domains. I certainly did not enable it myself at least… it may have been an automated setting on Google Hosted Workspace domain/accounts.

How can I check whether this is the issue? And if so, how do I fix it?

I doubt it would be enabled by default. Can you disable DNSSEC on Cloudflare and leave it that way? Hopefully that will reset the records and you’ll be able to enable it again once it’s sorted. If after a few hours of it being disabled it’s still broken you may need the Registrar team to manually fix this for you via a support ticket.

We asked the team to remove the DS records for you. It should start resolving soon.

3 Likes

Thank you!

Yes, I can see it starting to work again… I was going crazy on this side trying to figure it out… there was nothing I could do to fix it.

I wish there was a way I could have fixed this myself, but I don’t know enough about it.

Update,

I asked Cloudflare to remove the DS record in my registrar/DNS settings.
It’s something I cannot configure or control. I have already disabled any and all DNSSEC settings on my domain to no avail.

Soon after they removed the record all my trouble went away.

I really wish they would give us more control and information on these records… it’s a headache trying to shield us from this. (Just giving us info is enough… giving us control and edit authorization would just be dangerous!)

1 Like
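The failure described in this thread (a DS record left at the registry while the zone itself no longer publishes a matching DNSKEY) can be checked mechanically. The sketch below is an added example, not part of the original thread or Cloudflare's tooling; `example.com` and the key material are constructed, and it assumes SHA-256 (digest type 2) DS records and checks only the DS-to-DNSKEY link, not signatures.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical lower-case wire form of a domain name (RFC 4034 section 6.2)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(part)]) + part.encode("ascii") for part in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner, key):
    """DS tuple (key_tag, algorithm, digest_type=2, sha256 hex) for a DNSKEY tuple."""
    rdata = dnskey_rdata(*key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), key[2], 2, digest)

def classify(owner, ds_set, dnskey_set):
    """What a validating resolver concludes from the parent's DS and the zone's DNSKEYs."""
    if not ds_set:
        return "insecure"  # no DS at the parent: answers are accepted unvalidated
    published = {ds_for(owner, k) for k in dnskey_set}
    if any((t, a, d, h.lower()) in published for t, a, d, h in ds_set):
        return "linked"    # DS matches a published key (signatures not checked here)
    return "bogus"         # DS promises a signed zone but no key matches: SERVFAIL

# Constructed sample data: a made-up 64-byte "public key" for example.com.
OLD_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
STALE_DS = [ds_for("example.com", OLD_KEY)]  # DS still held by the registry

if __name__ == "__main__":
    print("DNSSEC disabled, DS left behind:", classify("example.com", STALE_DS, []))
    print("DS removed by registrar:        ", classify("example.com", [], []))
    print("DS matches published key:       ", classify("example.com", STALE_DS, [OLD_KEY]))
```

For a real domain the two inputs come from `dig +short DS <domain>` and `dig +short DNSKEY <domain>`; a non-empty DS answer alongside an empty or non-matching DNSKEY answer is the "bogus" case above.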

Sorry for the hijack; kinda out of options.

I’ve been having a similar issue. Sadly I’m unable to get any support (Discourse Level 1, can’t ticket/email) despite the domain being registered with Cloudflare.

Originally registered the domain with name.com and had issues where several DNS wouldn’t resolve the domain; transferred it to CF registrar and now am stuck in a broken state.

Currently have a ton of “bogus” for DNSSEC despite it not being on. Kind of out of ideas here. Haven’t been able to get any support except the Cloudflare Discord (who have been amazing).

You are welcome. I am afraid this cannot be done on your end. However, we are making some changes with DNSSEC and these troubles should all go away soon.

Sorry for the inconvenience caused here.

Thanks,
Purnima

1 Like

Hi there,

Do you have a ticket number with us?

Sadly I do not. It only allows me to create a ticket for “Registrar” however none of the options are related to DNS or DNSSEC (Or any technical problem for that matter).

https://dnsviz.net/d/leakguard.net/dnssec/

This looks like a similar issue to mine. Your DNS cert trace seems familiar.

Hope you resolve yours too!

1 Like

If you emailed in, then you would have gotten a ticket number even though the case was auto-closed. If you provide that ticket number, then it can be escalated.

I’m currently an authorized user of the Cloudflare account so I don’t have access to the owner’s email. Would it matter so long as I have administrative privileges?

That I am not sure about. I think as long as you have admin permissions for the zone then you are good, but I don’t work for Cloudflare. I would email in for you and, if told lack of permissions, have the owner email in.

Do you happen to know if it automatically will generate a ticket number? I sent an email and didn’t receive an automated response. Not sure if they are first manually reviewed. Also, I couldn’t find an official email listed anywhere however a community champion in the Cloudflare discord told me to email [email protected]

If you are a Cloudflare account holder, please submit a new support request from the email address you used to register your Cloudflare account. You should open a ticket directly through the Cloudflare dashboard following these steps:

1. Log in to your Cloudflare account and click on “Support” in the top right corner, which will take you to the Help Center.
2. Click on your name in the top right corner, and in the drop down menu select “My Requests”.
3. Scroll to the bottom of the “My Requests” page and click “Submit new request”.

from the email address on your account. It might not be auto closed but when you get a response it will have a ticket number.

I never received an email back with a ticket number however I made a ticket with “Cloudflare Registrar” department.

Ticket ID: 2412004

It’s sad that a technical issue on Cloudflare can’t be sorted out as we’re on the free plan and couldn’t make a technical ticket despite paying for the domain with Cloudflare.