Enabling DNSSEC made my domain not resolve. Registrar says issue is on Cloudflare end

I’m using Namecheap, I’ve enabled DNSSEC, I contacted them and had them add the records to my domain. Cloudflare says “Success! domain.app is protected with DNSSEC.” but now my domain won’t resolve. Namecheap says the issue is with Cloudflare.

This website says the issue is: “None of the 3 DNSKEY records could be validated by any of the 1 DS records” and “The DNSKEY RRset was not signed by any keys in the chain-of-trust.”

Any help?

If you post your domain here, we can help you debug.

If that’s not possible, reach out to Cloudflare support. Likely the DS records were entered incorrectly, but in that case Cloudflare should not show that DNSSEC setup was successful.

I opened a ticket but no answer so far… and I really can’t have downtime. I guess I’ll just disable DNSSEC.

I’ve got the same problem, also with Namecheap and a .pink domain. I think the reason is that .app and .pink only support DNSSEC algorithm 8 and not 13 as requested by Cloudflare…

you can check it here http://dnsviz.net/d/domain.app/dnssec/
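The validator message quoted in the first post means that no DNSKEY served by the zone matches the DS held at the registry. The sketch below is an added example, not code from any poster or from Cloudflare; it reproduces that comparison as RFC 4034 defines it (algorithm, key tag, then digest over owner name plus DNSKEY RDATA). The keys are constructed placeholders, and `domain.app` is the thread's own placeholder name.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def check_ds(owner, ds, dnskeys):
    """Return (matched, reasons) explaining how each DNSKEY compares to the DS."""
    tag, alg, dtype, digest = ds
    reasons = []
    for rdata in dnskeys:
        kt = key_tag(rdata)
        if rdata[3] != alg:
            reasons.append(f"key {kt}: algorithm {rdata[3]} != DS algorithm {alg}")
        elif kt != tag:
            reasons.append(f"key {kt}: key tag != DS key tag {tag}")
        elif make_ds(owner, rdata, dtype)[3] != digest.lower().replace(" ", ""):
            reasons.append(f"key {kt}: digest mismatch")
        else:
            return True, [f"key {kt}: matches DS"]
    return False, reasons

# Constructed sample data (not real keys): one KSK and two ZSKs, all algorithm 13.
OWNER = "domain.app."
KEYS = [dnskey_rdata(f, 3, 13, base64.b64encode(bytes([n]) * 64))
        for f, n in ((257, 1), (256, 2), (256, 3))]
GOOD_DS = make_ds(OWNER, KEYS[0])   # DS derived from the KSK the zone serves
STALE_DS = make_ds(OWNER, dnskey_rdata(257, 3, 13, base64.b64encode(bytes([9]) * 64)))
```

`check_ds(OWNER, STALE_DS, KEYS)` returns `False` with one reason per DNSKEY, which is the "3 DNSKEY records, 1 DS record" situation: the registry holds a DS for a key the answering nameservers do not serve.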

That is possible. I did remember there was an algorithm 8 when I did some checks.

I know of at least one .app domain using algorithm 13 with Cloudflare.

I can’t say the same for .pink, but I’d be shocked if they meant not to support it, and surprised if they had a bug that broke it.

Hi @vitor, can you share the ticket number?

Request #1583823

Thank you. The Support team has been in contact with you and I can see there is some issue with name servers. If you click on the DNS tab of Cloudflare and scroll down, you’ll see the name of two nameservers. Give those to your domain registrar and have them update their records.

I think there is a glitch. My dashboard is saying to use different nameservers. lol

Ah, understood. I can dig a bit to see the reason for the difference, but once you get them changed, our systems will see that and you should be on the way. Please let us know how it goes.

So, is my suggestion not the reason?

I changed my nameservers to the domains they provided me, and asked Namecheap to add the DS records again, and now it seems to be working.

I think you may be having the same glitch I have. The dashboard says to us to use one domain, but somehow their systems expect us to be using another. My domains still resolved and worked fine, but the DNSSEC would mess up.

Try opening a ticket, and if their systems say you are not using Cloudflare name servers, even if you are using what the dashboard says to use, you probably are suffering this.

Can you please be a little more specific? Your dashboard said to use (for example in my case) thomas and carol from Cloudflare, and you did. And in this constellation it doesn’t work. So you contacted Cloudflare and they tell you to change the NS?

My dashboard is still saying for me to use:

But I had to change them to the nameservers they gave me to make it work. Impossible to know which one for you…

So, I asked Namecheap again to add DNSSEC and it works out of the box. Very strange…
So my suggestion is wrong…

In the end they said to me they gave me wrong nameservers and to change back to what my dashboard said again. I didn’t want to do that since everything was working fine, website resolving, DNSSEC okay.

But then I received an email from Cloudflare saying my nameservers weren’t pointing to Cloudflare anymore (?) so I had to change. I changed the nameservers and the dashboard now says the DNSSEC is “pending” for more than 8 hours, and analyzing my DNSSEC says “No DS records found for domain.app in the app zone.”

So I don’t know. My recommendation is to not bother with DNSSEC as it’s only issues and no benefit. I’ll leave it as it is because it’s resolving to my website, and I use Google Public DNS which validates DNSSEC I believe, so there should be no issues to anyone trying to access my website anyway.

And I’d warn against using Cloudflare as the domain registrar, their support is too slow vs Namecheap instant live support 24/7. If the worst happens I can remove Cloudflare from the equation and have my website live again in minutes, but if Cloudflare were my registrar and I had this issue, I could be offline for days unless I pay the very expensive plans…