Help needed troubleshooting a DNS or DNSSEC issue

What is the name of the domain?

edwardallengems.com

What is the error message?

Safari: “Safari can’t find the server”; MS Edge: “Your DNS server might be unavailable”; dig +short @edwardallengems.com DS → ;; communications error to 172.67.130.106#53: timed out

What is the issue you’re encountering

Domain transferred with DNSSEC enabled? DNS resolution fails worldwide.

What steps have you taken to resolve the issue?

Customer’s site is down. Any help or suggestions are much appreciated.

Opened CF Support Ticket ID: 01034539

Regarding the domain edwardallengemscom - Apologies for the com, new users can only post four links.

Before this problem occurred the domain was operating as expected under a Cloudflare account.
In that case the domain connected to the host server through a Cloudflare tunnel.

The domain is owned by a customer who wants to manage their own Cloudflare account,

The short description appears to be that the domain was transferred with DNSSEC enabled. But it’s more complex than that.

  • Domain edwardallengems.com registered at Namecheap, DNS hosted on “admin AT arkadias DOT net” CF#1 account

  • DNSSEC enabled but showing “Cancel Setup” on CF#1

  • Clicked “Cancel Setup”

  • Transferred domain registry from Namecheap to “Redhedge00 AT gmail DOT com” CF#2 account

  • “Added” domain to CF#2 account

  • CF#1 account shows domain “moved”

  • CF#2 account shows domain “active”

  • Website down 24 hrs

  • CF#1 account showed “Disable DNSSEC” ← Should have been disabled

  • Clicked “Disable DNSSEC”

  • DNSSEC shows “Enable DNSSEC” in both CF#1 and CF#2

  • DNS propagation has completed - all resolvers fail on dnschecker.org/#A/edwardallengems.com/1.1.1.1

  • DNS Check shows expected name servers for CF#2 account “albert.ns.cloudflare.com” and “celine.ns.cloudflare.com” (mxtoolbox.com/SuperTool.aspx > DNS Check)

  • DNSViz reports many errors and bogus entries: dnsviz.net/d/edwardallengems.com/dnssec/

  • DNSSEC Analyzer reports “No DNSKEY records found” and “No RRSIGs found”: dnssec-analyzer.verisignlabs.com/edwardallengems.com

  • dig edwardallengems.com +dnssec +short
    104.21.8.93
    172.67.130.106

  • dig DNSKEY edwardallengems.com +short returns no data

  • dig edwardallengems.com returns
    ; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> edwardallengems.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8919
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;edwardallengems.com.           IN      A

    ;; ANSWER SECTION:
    edwardallengems.com.    300     IN      A       172.67.130.106
    edwardallengems.com.    300     IN      A       104.21.8.93

Is there anything else I can do to resolve or help resolve this issue? Do I need help from Cloudflare engineers to resolve this issue?

What feature, service or problem is this related to?

DNS not responding/updating

What are the steps to reproduce the issue?

Attempt to access edwardallengems.com
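The symptom pattern above (DNSSEC Analyzer reporting “No DNSKEY records found”, DNSViz reporting bogus, while plain A queries still answer from the new Cloudflare nameservers) is what a validating resolver produces when the parent zone still publishes a DS record for a key that the child zone no longer serves. The following is an added example, not code from the original thread or from Cloudflare: it implements the RFC 4034 key-tag and DS-digest computation and walks through the states the domain passed through (old account key served, old DS left at the registrar with no DNSKEY in the new zone, DNSSEC re-enabled so the DS is regenerated for the new key). The owner name, key material and record lines are constructed test data; `parse_dnskey` and `parse_ds` accept the presentation format that `dig DNSKEY edwardallengems.com` and `dig DS edwardallengems.com` print, so you can paste real output in.

```python
"""DNSSEC chain-of-trust check: does the DS set at the parent match a DNSKEY
the child zone actually serves?  Added example, not from the original thread.
Key tag per RFC 4034 Appendix B; DS digest type 2 (SHA-256) per RFC 4509.
The owner name, keys and record lines below are constructed test data."""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3
    algorithm: int      # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY) -> DS:
    """DS digest = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True if this DS was generated from this DNSKEY (tag, algorithm and digest all agree)."""
    if ds.digest_type != 2 or ds.algorithm != key.algorithm or ds.key_tag != key_tag(key):
        return False
    return ds.digest == make_ds(owner, key).digest


def validate_delegation(owner: str, ds_set: list, dnskey_set: list) -> str:
    """Outcome a validating resolver reaches at the zone cut:
    'insecure' = no DS at the parent (unsigned delegation),
    'secure'   = at least one DS matches a DNSKEY the child serves,
    'bogus'    = DS present but no served DNSKEY matches it (SERVFAIL to clients)."""
    if not ds_set:
        return "insecure"
    if any(ds_matches(owner, ds, k) for ds in ds_set for k in dnskey_set):
        return "secure"
    return "bogus"


def parse_dnskey(line: str) -> DNSKEY:
    """Parse one record in dig presentation format: '<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return DNSKEY(flags, proto, alg, base64.b64decode("".join(fields[i + 4:])))


def parse_ds(line: str) -> DS:
    """Parse one record in dig presentation format: '<owner> <ttl> IN DS <tag> <alg> <dtype> <hex...>'."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return DS(tag, alg, dtype, bytes.fromhex("".join(fields[i + 4:])))


# Constructed keys standing in for the old (CF#1) and new (CF#2) account KSKs.
ZONE = "edwardallengems.com."
OLD_KSK = DNSKEY(257, 3, 13, bytes(range(0, 64)))
NEW_KSK = DNSKEY(257, 3, 13, bytes(range(64, 128)))


def scenarios() -> dict:
    """The states the domain moved through, as a resolver sees them."""
    stale_ds = [make_ds(ZONE, OLD_KSK)]          # DS the registrar kept publishing
    fresh_ds = [make_ds(ZONE, NEW_KSK)]          # DS after DNSSEC was cycled on CF#2
    return {
        "before move: old DS, old key served": validate_delegation(ZONE, stale_ds, [OLD_KSK]),
        "after move: old DS, new zone serves no DNSKEY": validate_delegation(ZONE, stale_ds, []),
        "after move: old DS, new zone serves new key": validate_delegation(ZONE, stale_ds, [NEW_KSK]),
        "after cycling DNSSEC: new DS, new key": validate_delegation(ZONE, fresh_ds, [NEW_KSK]),
        "DNSSEC fully disabled: no DS, no DNSKEY": validate_delegation(ZONE, [], []),
    }


if __name__ == "__main__":
    for state, outcome in scenarios().items():
        print(f"{outcome:9s} {state}")
```

The middle two scenarios are the ones that take a site down: once a DS exists at the parent, the child must serve a matching DNSKEY (and signatures), and neither “Cancel Setup” nor plain A records resolving from the new nameservers changes what the validator computes. Only removing the DS at the registrar, or regenerating it for the key the new zone serves, moves the delegation out of “bogus”.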

Sorry, missed this was a Cloudflare registered domain.
https://cf.sjr.org.uk/tools/check?004220b9930b4423a05632b7adfc62be#dns

As the domain is registered with Cloudflare you can’t move it between accounts. Most likely you will need to move the domain registration out of Cloudflare so you can change the nameservers to those for the new account and resolve the DNSSEC issue.

You may be able to ask support for help to move the domain (if you can’t access the original account), but the above may be faster.

Thank you, but that’s not the issue.

DNS hosted on CF with DNSSEC in pending state not configured on Namecheap.

DNSSEC was canceled (I thought) on CF
Domain registry was moved from Namecheap to CF
Later DNSSEC was found to still be in pending state “Cancel Setup” on CF.

I know many details.

If, as you say, the domain was transferred to account #2 where the nameservers are albert and celine and you have definitely disabled DNSSEC in the Cloudflare dashboard for account #2 but it is not disabling in the DNS, then you’ll need to contact support.

Just double check your allocated nameservers are still albert and celine at the bottom of the DNS page as there is an extra pair resolving for the domain (probably from account #1 where the domain is now at “moved” status).
https://cf.sjr.org.uk/tools/check?03e0fcf659324d499febfe8f72565bac#dns

Thank you for digging in and for the helpful Cloudflare Things tool!

Are the correct name servers for the new Cloudflare account where the domain is currently showing “Active” status.

Are the name servers for the old account now showing “Moved” status.

Should I delete the domain from the old account?

So I deleted the domain from the old account. Things are better, more DNS resolvers are responding, but there are still many, including 1.1.1.1 that are not.

Seems odd that CF’s own DNS is so slow to update. Or maybe some other problem. ¯\_(ツ)_/¯

The DNSSEC is still broken. Waiting won’t fix it.
https://cf.sjr.org.uk/tools/check?8f40c92da9c2410194514dcc2007ba95#dns

If things are as you say, you need to raise a support ticket to get it looked at.


Update 8-15-24 9:40am PDT 16:40 UTC
Updated on CF ticket 01034539

Will “cycle” DNSSEC on/off. Maybe that will clear the invalid DNSSEC.

Cycling DNSSEC at the new CF#2 account corrected all issues.

@sjr Thanks for your help and the great tool!


I thought you’d done that already, good to hear it is fixed.
