I probably did some stupid mistake but I just setup two of my domains at godaddy.com to use the CloudFlare’s DNS.

aquilini.ch is working perfectly, while silverback-messaging.net disappeared from all DNS.

This is my DNS configuration, nothing special actually:

image1305×862 62 KB

Not even 1.1.1.1 is resolving the domain anymore.

nslookup silverback-messaging.net 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1

*** one.one.one.one can't find silverback-messaging.net: Server failed

Any idea what could have gone wrong? I really don’t get why a SERVFAIL.

Your domain has a couple of registrar statuses that indicate some issues:
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited

Well, for silverback-messaging.net I do see mixed nameservers:

Screenshot 2021-12-23 at 19-53-13 DNS Checker - DNS Check Propagation Tool574×2125 90.8 KB

Did you add Cloudflare nameservers to your domain name at your domain registrar interface - GoDaddy?

In terms of a domain code status, it might take some time to get back “normal” and for proper nameserver propagation.

Yes, I did add them on GoDaddy and a whois shows the correct status. Do you mean is just a matter of time?

Your domain has a couple of registrar statuses that indicate some issues:
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited EPP Status Codes | What Do They Mean, and Why Should I Know? - ICANN

Where do you see them? What do they mean?

OK, very good. Now both domains stopped working. Amazing.
Is there anybody who can help me figure out what’s going on?

Interesting enough a the queries against the authoritative name server are refused, for both domains.

dig @andronicus.ns.cloudflare.com aquilini.ch

; <<>> DiG 9.16.1-Ubuntu <<>> @andronicus.ns.cloudflare.com aquilini.ch
; (6 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14122

Why??

I overlooked your DNSSEC setup. Can you please disable DNSSEC at your domain registrar?

Screen Shot 2021-12-23 at 11.35.43 AM2262×1338 161 KB

I don’t know how to do that. Are you familiar with GoDaddy @sdayman?

Well, let me do a step back. I actually had an issue with the propagation in the ch zone for aquilini.ch and I thought it was due to DNSSEC. This is because I had DNSSEC on the previous registrar, that I then transferred to GoDaddy and I su spect that messed everything up.
After I switched the DNS for that domain to CloudFlare it worked for a moment.
So, genius me, I thought DNSSEC was cool and I went to enrich silverback-messaging.net with DNSSEC. I did it in CloudFlare and copied the DS record data to GoDaddy. I don’t get why it doesn’t match now. …and I also don’t know how to revert to disable it honestly.

Here in cloudflare I still see the “DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.” under the DNSSEC box.

@sdayman can you explain why the authoritative refuses to reply?

Sorry, no. But I know they have extensive documentation.

Ah yes, I know. But I didn’t enable anything over there (DNSSEC is an extra service I didn’t even pay for). I updated it via CloudFlare, pretty sure. Now I’ve no way in GoDaddy itself to manage it. Could it be? Does that even make sense?

There are two ends to DNSSEC. The registrar sets up the authoritative end. Cloudflare just sets up the DNS end. If you disable the authoritative end, the problem will go away.

You’ll have to ask GoDaddy to clear this up, as they’re in control of your domain. I do understand that it’s a special feature at their end but ultimately, GoDaddy is in charge of it.

Do you mean I’ve to remove the DS record? I thought that was the only thing on the registrar side.

Whatever it takes to get this done:

@sdayman OK, I removed the DS record and aborted the setup here in CloudFlare. dnsviz now just reports the invalid RCODE (REFUSED), which isn’t due to DNSSEC, right?

Keep an eye on WHOIS for “signedDelegation” near the bottom (it’s still there). It should switch to something like Unsigned. As with most registrar changes, it can take up to 48 hours to take effect.

@sdayman by the way dnsviz doesn’t report any error for the other domain aquilini.ch, but I’ve the same SERVFAIL when trying an nslookup against 1.1.1.1 and andronicus.ns.cloudflare.com refuses the query for that domain too. Like if it wasn’t the authoritative name server.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.