DNSSEC with Cloudflare as Registrar - Stuck at "Pending"

One of my domains has Cloudflare as its Registrar. I enabled DNSSEC a few days ago and it still has been in the Pending state. I thought at first that I’d have to manually add DS records to my DNS zone, but there were no instructions for Cloudflare Registrar. Tried following the guide for GoDaddy, but doing so spits out an error message by Cloudflare:

When giving “@” for Name: “DNS Validation Error (Code: 1004) DS records must not appear at a zone apex.”

When giving “_ds” for Name: “DNS Validation Error (Code: 1004) DS record must have a corresponding NS record at _ds.domain.com.”

What Name should we provide? https://support.cloudflare.com/hc/en-us/articles/360006660072-Understanding-and-Configuring-DNSSEC-in-Cloudflare-DNS

I later found that Cloudflare apparently does this automatically for you as per this thread: Stuck Pending While Setting Up DNSSEC On Cloudflare Registrar - #32 by shimi

It’s been days and it’s still “DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.”

Tried this with my primary domain as well with the same results.

If Cloudflare is your Registrar, it should do it on its own, as you said. GoDaddy shouldn’t have anything to do with this, nor DS records.

I suggest you email support AT cloudflare DOT com and say that you can’t enable DNSSEC with Cloudflare Registrar. If you get an autoreply, reply again and let them know it still doesn’t work.

Thanks, @sdayman. I’ll send a message over to CF tech support. Clarification on GoDaddy: I meant to say that I looked over GoDaddy’s (and a couple other Registrars’) documentation to see how I could adapt the steps over to the CF DNS configuration myself – and in doing so, CF spat out those two errors.


Per automated Cloudflare Support message: “If you don’t receive a reply within 72-hours of asking the Community, let us know by replying to your own Community post and mention @MoreHelp to bring your post to our attention.”

Update: Support replied to my ticket and asked me to follow DNSSEC with Cloudflare as Registrar - Stuck at "Pending" - #3 by myuen, pointing out that the domain is hosted on GoDaddy. Although that is true, DNS is actually handled by Cloudflare. I have not received a response since that information was shared 5 days ago.

Support kept telling me to set up DS Records at GoDaddy and pointed me to the Cloudflare article that shows the steps for that host. I also re-iterated that DNS was not hosted by GoDaddy and that Cloudflare is handling it.

I logged in to the GoDaddy site to check if there was anything I could set up there. When you go to your domain > Manage DNS, the message displayed: “We can’t display your DNS information because your nameservers aren’t managed by us.”

I scrolled all the way down to “Advanced Features” and found “DNSSEC”. Clicked on it. There was an option to add “DS Records” there. Filled out the info and submitted the change to GoDaddy.

From everything I have read, DNSSEC DS Records are fields added to DNS. So, I do not understand why DS Records must be configured on GoDaddy (where the domain is at) when the DNS is handled elsewhere (Cloudflare).

In any case, after a few minutes, DNSSEC became enabled.

Yeah, I missed that point as I kept thinking that DS Records are DNS-related, and that since Cloudflare hosts the DNS, I missed the point that only the domain registrar could set up the DS records.
