Error in adding DS Records for domain

Hi All,

ubuntu ~ $ dig DNSKEY my-website-domain.com +short
257 3 13 mdsswUyr3DPW132m29kV9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==

Could someone please help me add the DS record in Cloudflare & verify if I’ve enabled DNSSEC correctly for my domain?

Note: Domain name, other PII data like Cloudflare zone_id, zone_name in the attached images have been redacted for privacy.

Your registrar is not Cloudflare, is it?

Your screenshots are confusing. One suggests you completed the DNSSEC activation and another suggests that you haven’t updated your registrar.

You don’t normally use the audit log to obtain the material needed at the registrar. It should be visible in the Dashboard.

Your screenshots are confusing. One suggests you completed the DNSSEC activation and another suggests that you haven’t updated your registrar.

No my registrar is not Cloudflare. All the screenshots & the audit log are from the Cloudflare Dashboard itself, none from my registrar at all.

  1. The 1st is on re-enabling DNSSEC (done to understand DNSSEC)
  2. 2nd is the Audit log of the DS record that existed in Cloudflare before this re-enabling (inadvertently deleted it so traced it back via audit log)
  3. 3rd is the error post when I re-add the DS record now

What more could I check to debug this further?

Have you tested your site in DNSViz yet?

https://dnsviz.net/

Yes I’ve tested it via DNSViz (as mentioned at the start of this thread) - here is an image

How do I interpret the above output?

You are missing the left hand side of the output, but what you have looks fine. The DS records in your zone are not something that you would manually create, so there is no need to try to add them back.

Is there a specific performance issue that you are trying to resolve?

I have a privacy suggestion you may wish to employ in the future.

When altering a domain name, it is preferable to use a designated reserved domain like example.com to that of an uninvolved third-party.

When altering a domain name, it is preferable to use a designated reserved domain like example.com to that of an uninvolved third-party.

Noted, that would be helpful to use in future queries.

Also thanks for confirming my output looks fine. I’m not trying to solve a performance issue but just to ensure I’ve configured DNSSEC correctly. However, the previous answer still leaves me with 2 questions if you could please help me:

  • If I don’t need to manually create the DS records, did Cloudflare add them automatically on my domain when enabling DNSSEC?
  • If the above is true, why does Cloudflare allow adding DS records manually and throw Error Code: 1004 on attempting to do so?

Yes.

They are required to secure signed delegated subdomains.

They are required to secure signed delegated subdomains.

Ok so you mean Cloudflare adds them automatically only for the root domain but provides this to be added for subdomains?

Not just subdomains, delegated subdomains. This means the subdomain has its own DNS outside of Cloudflare. If that DNS uses DNSSEC to sign, its key material needs to be present in that parent zone, not unlike the key material that you added at your registrar.

Any subdomain records that are held in the same Cloudflare account would be signed using the same key material that you added at your registrar.

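The DS that a parent publishes for a signed child (the TLD via your registrar for the apex, or your own Cloudflare zone for a delegated subdomain signed elsewhere) is derived from the child's KSK, which is why the DS for the apex is not created inside your own zone. As an added example, not code from the thread or from Cloudflare, this Python derives a DS record from the two DNSKEY records posted above; my-website-domain.com is a stand-in for the redacted name.

```python
import base64
import hashlib
import struct

# The two DNSKEY records from the dig output in this thread (base64 re-joined across dig's line wrap).
KSK_DNSKEY = "257 3 13 mdsswUyr3DPW132m29kV9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ=="
ZSK_DNSKEY = "256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA=="
OWNER = "my-website-domain.com"  # placeholder for the redacted zone name (assumption)

def parse_dnskey(text):
    """Split dig +short DNSKEY output '<flags> <proto> <alg> <base64...>' into typed fields."""
    flags, proto, alg, *key_parts = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key_parts))

def is_ksk(text):
    """Key Signing Key: Zone Key bit (0x0100) and SEP bit (0x0001) both set, i.e. flags 257."""
    flags = parse_dnskey(text)[0]
    return flags & 0x0100 != 0 and flags & 0x0001 != 0

def dnskey_rdata(flags, proto, alg, pubkey):
    """RFC 4034 s2.1 wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata):
    """RFC 4034 appendix B: 16-bit checksum over the RDATA (even-offset bytes weighted by 256)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lowercase, each label length-prefixed, terminated by the root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, dnskey_text):
    """Return (key_tag, algorithm, digest_type, digest_hex); digest type 2 is SHA-256 over
    owner name + DNSKEY RDATA, so the same key yields a different DS under a different name."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest

if __name__ == "__main__":
    for rec in (KSK_DNSKEY, ZSK_DNSKEY):
        if is_ksk(rec):  # only the KSK is published as a DS at the parent
            tag, alg, dtype, digest = ds_record(OWNER, rec)
            print(f"{OWNER}. IN DS {tag} {alg} {dtype} {digest}")
```

Compare the printed line with what DNSViz shows for the parent's DS; with the real zone name in OWNER the key tag and digest must match, or the chain of trust is broken.
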
Thanks for the detailed answer around delegated subdomains, that helps