DNSSEC test returns the record to be Bogus

It seems after enabling Cloudflare NS and DNSSEC, and configuring this on my domain, it is recognized but not properly signed (bogus). How to solve this?

Domain: ketoking.nl

A (Verisign) report mentions these issues:

  1. The DNSKEY RRset was not signed by any trusted keys
  2. None of the 2 DNSKEY records could be validated by any of the 1 DS records

The domain is hosted at Hostinger. There, the DNSSEC record has been set up.

Note: I removed DNSSEC now from my website, since this issue renders my website unreachable.

That site is not using Cloudflare nameservers.


Yes, I removed it since it renders my site unreachable.

Then I’m afraid I won’t be able to offer any assistance until you add the site to Cloudflare again and I can observe the error and run tests.

Your Registrar is “Registrar.eu”. Unless that is a trading name of Hostinger, Hostinger has nothing to do with your DNSSEC setup.

Changing your nameservers between multiple authoritative nameservers is almost guaranteed to cause you DNSSEC issues. And will almost never solve the issue. Removing the DS record at your Registrar is the fastest way to disable DNSSEC.

From the data I can see currently, the DS record you installed with your Registrar was not correct. If you are using Cloudflare nameservers, then you MUST use the DS record from the Cloudflare dashboard.

Thanks, I just switched the NS to the ones provided by Cloudflare.

So, the question still is there. When I add DNSSEC now, my site is unreachable and I get the two mentioned errors. So I won’t allow DNSSEC via Cloudflare now. Anything I need to change?

If you want us to have a look, you’ll need to enable DNSSEC by configuring the DS record provided by Cloudflare with your registrar.

If you don’t want to use DNSSEC, then you don’t have to do anything.

Got it, I just enabled DNSSEC on Cloudflare and also configured the DS record at my registrar. It will be probably live soon.

I suspect the OP is changing things quickly, but my best guess is that they are not entering the correct value for the DS record. The DS and CDS records should match.

% dig +short ds ketoking.nl @ns1.dns.nl
54025 13 2 4823D064CEC58B8FE1DDFCAB550A627F336D3E881510595D62CA0A52 6BFDD533

% dig +short cds ketoking.nl @elliott.ns.cloudflare.com
2371 13 2 4EED3F2D55542CDBF105B30295A7E99AC5BB38D19D895E65F5CFAC76 D10FA710

@user22807 , can you maybe make a screenshot of the DS record provided to you by Cloudflare and a screenshot of what you entered with your registrar?

Thanks for the quick reply. On Cloudflare, I see this as DS record:
ketoking.nl. 3600 IN DS 2371 13 2 4EED3F2D55542CDBF105B30295A7E99AC5BB38D19D895E65F5CFAC76D10FA710

On my registrar (Hostinger), I added these fields for the DS:

  • Flags: 257
  • Algorithm: 13
  • Protocol: 3
  • Public key: this is actually not the public key (that is not accepted) but the digest. Checked with them, should indeed be the digest.

To fully understand: the first line is what you see the registrar made out of it? What does 54025 mean?

Filled out at Hostinger:

Info in Cloudflare I copied:
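An added worked example (not from this thread, and not Cloudflare's or Hostinger's code) that ties together two points above: the DS published at the parent (what `dig ds ketoking.nl @ns1.dns.nl` returned) must equal the CDS that Cloudflare publishes, and the fields on the Hostinger form (Flags 257, Protocol 3, Algorithm 13, Public key) are DNSKEY fields, not DS fields. The code derives a DS record from a DNSKEY the way RFC 4034 specifies, which also answers what 54025 and 2371 are: key tags computed from the DNSKEY RDATA, so a DS with the wrong tag cannot validate the key. The DNSKEY it hashes is a constructed placeholder (64 bytes of 0x11, not a real Cloudflare key, and not a valid P-256 point); the DS/CDS strings are the ones quoted from the dig output above.

```python
import hashlib
from dataclasses import dataclass

# Constructed placeholder DNSKEY for the demo (assumption: NOT a real key).
# A real ECDSA P-256 (algorithm 13) key is 64 bytes: X || Y coordinates.
EXAMPLE_OWNER = "ketoking.nl."
EXAMPLE_FLAGS = 257      # KSK with SEP bit, the "257" on the Hostinger form
EXAMPLE_PROTOCOL = 3     # always 3 for DNSSEC (RFC 4034 s2.1.2)
EXAMPLE_ALGORITHM = 13   # ECDSAP256SHA256, what Cloudflare signs with
EXAMPLE_PUBKEY = bytes([0x11]) * 64

# DS / CDS lines quoted from the thread's dig output (parent vs. Cloudflare).
PARENT_DS = "54025 13 2 4823D064CEC58B8FE1DDFCAB550A627F336D3E881510595D62CA0A52 6BFDD533"
CLOUDFLARE_CDS = "2371 13 2 4EED3F2D55542CDBF105B30295A7E99AC5BB38D19D895E65F5CFAC76 D10FA710"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root = 0x00."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the 54025 / 2371 field of a DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, whitespace removed


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey: bytes, digest_type: int = 2) -> DS:
    """DS per RFC 4034 s5.1.4: digest = hash(owner name wire || DNSKEY RDATA).

    Digest type 1 = SHA-1, 2 = SHA-256 (what Cloudflare publishes), 4 = SHA-384.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(presentation: str) -> DS:
    """Parse a DS/CDS in presentation format.

    Accepts both `dig +short` output ("tag alg dtype digest...") and a full RR line
    ("ketoking.nl. 3600 IN DS tag alg dtype digest"). dig splits the hex digest
    with a space, so all trailing fields are joined back into one digest.
    """
    fields = presentation.split()
    if "DS" in fields or "CDS" in fields:
        idx = max(i for i, f in enumerate(fields) if f in ("DS", "CDS"))
        fields = fields[idx + 1:]
    tag, alg, dtype, *digest_parts = fields
    return DS(int(tag), int(alg), int(dtype), "".join(digest_parts).upper())


def ds_matches(published: DS, expected: DS) -> bool:
    """A validator needs every field of the parent's DS to match one child DNSKEY."""
    return published == expected


def diagnose(parent: DS, child: DS) -> str:
    """Explain which DS field differs between the parent's DS and the child's CDS."""
    if ds_matches(parent, child):
        return "DS matches CDS"
    if parent.key_tag != child.key_tag:
        return f"key tag mismatch: parent has {parent.key_tag}, child key is {child.key_tag}"
    if parent.digest != child.digest:
        return "digest mismatch: same key tag but different digest"
    return "algorithm or digest type mismatch"


if __name__ == "__main__":
    print(diagnose(parse_ds(PARENT_DS), parse_ds(CLOUDFLARE_CDS)))
    demo = ds_from_dnskey(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL,
                          EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY)
    print(f"{EXAMPLE_OWNER} IN DS {demo.key_tag} {demo.algorithm} {demo.digest_type} {demo.digest}")
```

Run against the two records quoted above, `diagnose` reports a key tag mismatch (54025 at the parent vs 2371 in Cloudflare's CDS), which is exactly the "none of the DNSKEY records could be validated by the DS record" result in the Verisign report. The distinction the form confuses is visible in the signatures: `dnskey_rdata` takes flags/protocol/algorithm/public key, `DS` holds key tag/algorithm/digest type/digest. A registrar form that asks for DNSKEY fields presumably computes the DS itself from the public key (assumption; the thread does not say what Hostinger's form does), so the only input that makes sense there is the DNSKEY public key, never the digest.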

Are you maybe in the wrong menu?

According to Hostinger, this is what the menu should look like:

But pasting the Digest into the public key field would definitely not be right.

I am there

What happens when you copy the public key into the public key field? What error do you see?

The digest definitely doesn’t go there.


It is not accepted. They name it public key, but they state the digest must be added there. Below the error (due to the fact there are also ‘=’ signs).

I now removed DNSSEC since my website is not accessible.


Then I guess you’ll need to contact Hostinger. Maybe the problem is because the key contains a whitespace?

It seems to be a new (and undocumented) system, so Hostinger will have to look into that.

Thanks, will do!

Alright, Hostinger made the record but it seems to be not fully right still. The website is reachable but these errors appear when I test the implementation.

This is where I’m confused if this is with Hostinger (registrar) or Cloudflare:

That is still the wrong DS record that they published.