Edge certificates stuck on pending validation because of DNSSEC

Hi, I’ve added my domain to Cloudflare around 15 hours ago and the edge certificate is still stuck on pending.
I tried the Help Center and the answer I got was to test my website with https://letsdebug.net/, and when I do that I get these errors:

DNSLookupFailed
A fatal issue occurred during the DNS lookup process for domain.com/CAA.
DNS response for domain.com had fatal DNSSEC issues: validation failure <novaboosting.com. CAA IN>: no keys have a DS with algorithm ECDSAP256SHA256 from ip.ip.ip.ip for key domain.com. while building chain of trust. Additionally, Cloudflare's 1.1.1.1 resolver reported: no SEP matching the DS found for domain.com.

and

TXTRecordError
An error occurred while attempting to lookup the TXT record on _acme-challenge.domain.com . Any resolver errors that the Let's Encrypt CA encounters on this record will cause certificate issuance to fail.

DNS response for _acme-challenge.domain.com had fatal DNSSEC issues: validation failure <_acme-challenge.novaboosting.com. TXT IN>: no keys have a DS with algorithm ECDSAP256SHA256 from ip.ip.ip.ip for key domain.com. while building chain of trust. Additionally, Cloudflare's 1.1.1.1 resolver reported: no SEP matching the DS found for domain.com.

I changed the domain name and IPs to be safe.

In my domain registrar there is no option to enable DNSSEC, and I can’t even do advanced DNS records because it says I don’t use the default nameservers.

Any idea what the problem is and how I can solve this?

What is the domain?

novaboosting.com

Yes, DNSSEC is enabled so you are going to have to contact the registrar to ask how to turn it off or add the DS records.

It won’t be in the DNS section because you are not using their DNS, there should be a dedicated area to do this.

If it can’t be done, you’ll have to transfer the domain to someone who does allow it.

https://cf.sjr.org.uk/tools/check?eee8fcdff6af4295a2df477d852e74a3

I turned it on in the Cloudflare panel today; could it be because of that? I disabled it afterwards, though, but someone told me it takes 48 hours to be disabled again if you clicked Enable in the Cloudflare panel.

We were using Cloudflare + SSL (another dev did it) on the previous server, but we had to change server 4 days ago and this time when we did it, it didn’t work for some reason. Probably because we enabled DNSSEC in Cloudflare and then disabled it.

The registrar is so limited, and we asked their support and they said it’s not enabled.

DS records have quite a long TTL, so if you turned it off at Cloudflare it will take some time to fall out again.

It is enabled…

Domain Name: NOVABOOSTING.COM
Registry Domain ID: 2542771077_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.launchpad.com
Registrar URL: http://www.launchpad.com
...
...
Name Server: KYREE.NS.CLOUDFLARE.COM
Name Server: NENA.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation
DNSSEC DS Data: 32776 13 4 CB68950149E76C2CCDE92EB129D3CED1721B9ADABE02F0BEFD6B04CDD67A6C219B3E3C15674F8425239EC458612D44C8
DNSSEC DS Data: 32776 13 2 A53BDA570BFE10DF5BF8CEE39ED616D63745D070B52805841F1EB764803DE9DB
DNSSEC DS Data: 32776 13 1 1125CE19BE5CE56635D37C9E14D00E88E504827C
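What the letsdebug errors above mean is that the DS records published at the .com registry (the three "DNSSEC DS Data" lines) do not correspond to any DNSKEY the zone is currently serving, so a validating resolver cannot build a chain of trust. The script below is an added example, not Cloudflare's or the registrar's code: it implements the DS-to-DNSKEY comparison a validating resolver performs (RFC 4034 key tag and digest computation) on a constructed DNSKEY for the placeholder owner name `example.com.` whose key bytes are not a real curve point, so that the arithmetic can be checked offline. The DS lines in the thread cannot be verified with it because the zone's DNSKEY is not on the page.

```python
"""Check whether a parent-zone DS record matches a child-zone DNSKEY (RFC 4034).

Added example for this thread, not Cloudflare's or the registrar's code. The
DNSKEY below is a constructed placeholder (its public key bytes are not a
real curve point); only the key-tag and digest arithmetic matters here.
"""
import hashlib
import struct

# DS digest type -> hash function (RFC 4034 section 5.1.3, RFC 4509, RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ECDSAP256SHA256 = 13  # the algorithm named in the letsdebug error above
ZONE_FLAG = 0x0100    # DNSKEY Zone Key bit; RFC 4035 requires it on a DS-matched key


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), uppercase hex."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def ds_matches_dnskey(ds: str, owner: str, rdata: bytes) -> bool:
    """True if a DS record 'keytag alg digesttype digest' matches this DNSKEY.

    This is the comparison a validating resolver makes while building the
    chain of trust: key tag, algorithm and digest must all agree, and the
    DNSKEY must carry the Zone Key flag.
    """
    tag_s, alg_s, dtype_s, digest = ds.split()
    tag, alg, dtype = int(tag_s), int(alg_s), int(dtype_s)
    flags, _proto, key_alg = struct.unpack("!HBB", rdata[:4])
    if dtype not in DIGEST_TYPES or not flags & ZONE_FLAG:
        return False
    return (tag == key_tag(rdata)
            and alg == key_alg
            and digest.upper() == ds_digest(owner, rdata, dtype))


def find_matching_ds(ds_records: list, owner: str, dnskeys: list) -> list:
    """Return the DS records that at least one DNSKEY in the child zone satisfies."""
    return [ds for ds in ds_records
            if any(ds_matches_dnskey(ds, owner, k) for k in dnskeys)]


# Constructed DNSKEY: KSK flags (257 = ZONE|SEP), algorithm 13, placeholder key bytes.
OWNER = "example.com."
KSK = dnskey_rdata(257, ECDSAP256SHA256, bytes(range(64)))
# The DS set a registrar would publish for this key, in digest types 1, 2 and 4
# (the same three types that appear in the WHOIS output above).
PUBLISHED_DS = [f"{key_tag(KSK)} 13 {t} {ds_digest(OWNER, KSK, t)}" for t in (1, 2, 4)]

if __name__ == "__main__":
    print("key tag:", key_tag(KSK))
    for ds in PUBLISHED_DS:
        print(ds, "->", "match" if ds_matches_dnskey(ds, OWNER, KSK) else "NO MATCH")
    # A stale DS left at the registry after the zone's keys changed: no key in
    # the zone matches it, which is the "no SEP matching the DS found" condition.
    stale = "12345 13 2 " + "00" * 32
    print(stale, "->", find_matching_ds([stale], OWNER, [KSK]) or "no DNSKEY matches this DS")
```

To apply this to a real zone, fetch the DS set from the parent (`dig DS <zone> +dnssec`) and the DNSKEY set from the child (`dig DNSKEY <zone>`), feed each DNSKEY's flags, algorithm and base64-decoded key into `dnskey_rdata`, and run `find_matching_ds`; an empty result is exactly the situation in this thread, and the fix is to remove the DS records at the registrar or replace them with the ones the current DNS provider publishes.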

And it has to be disabled in order for my SSL certificate to get validated, right? So basically the only thing I can do is wait for this to be disabled and then use Cloudflare for SSL?

This might be a dumb question, but is it possible for me to use Cloudflare only for anti-DDoS and other features and use other SSL certificates like certbot etc. for now, until this changes and I can use Cloudflare?

Your domain in Cloudflare won’t be active (records will not be proxied) so no Cloudflare features can be applied. DNS will not resolve anyway for anyone using DNSSEC until it is fixed.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.