Instructed by GoDaddy (registrar) to ask Cloudflare to add a DS record for DNSSEC

What is the name of the domain?

qin.moe

What is the error message?

DNSSEC is pending while we wait for the DS to be added to your registrar.

What is the issue you’re encountering

Getting told to ask Cloudflare to add the record.

What steps have you taken to resolve the issue?

I contacted GoDaddy

Agent:
Hi there, Thanks for contacting us. How may I help you with the ds records?

Me:
Hello,
I am trying to add a Delegation of Signing (DS) record for qin.moe.
When using the following settings…
Key Tag: 2371
Algorithm: 13
Digest Type: 2
Digest: 2A15B64E78D582433F9CF0128D8C8ECD0ABD45C0F6B745B636D59967B1911EC0
I am getting the following error: Unable to submit DS record. If this continues, please contact our support team

Agent: Can you please provide me the domain name?

Me: qin.moe

Agent: Your nameservers are with cloudsfare so you need to contact them to add the records.

Me: Cloudflare says: Keep this record added at your registrar for DNSSEC to work.

Agent: The records can be added only by the one who have the nameservers.

Me: Okay, how do I tell the TLD provider the DS information? Because .moe needs to know the delegation signer for this to work

Agent: You just need to contact the cloudsfare they will manualy add the ds information to the dns. Have you contacted the cloudsfare?

Me: It’s already set up on the Cloudflare side according to DNSSEC Debugger - qin.moe
It’s missing from the moe zone, which is normally handled by the registrar notifying the TLD operator.

Agent: This is what i can see, we do not have the access to check your dns as it is only done by the nameservers provider

What feature, service or problem is this related to?

DNSSEC

Oh my, I highly recommend to transfer the domain to another registrar, as they obviously have no idea about their very own core-business. A DS entry always needs to be configured by the registrar and not by the DNS provider. The latter only provides the values.

3 Likes
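
An added example, not part of the original thread or any participant's code: it shows what the four DS fields quoted above are, namely a key tag and a SHA-256 digest derived from the child zone's DNSKEY and owner name, which is why the DNS provider can only supply the values and the parent zone has to publish them. The owner name and public key below are constructed placeholders, not the real qin.moe key, and the function names are illustrative.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of an owner name."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256 over owner name (wire format) followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, rdata: bytes, ds_key_tag: int, ds_algorithm: int,
               ds_digest_type: int, ds_digest: str) -> bool:
    """True if the DS fields shown by the DNS provider correspond to this DNSKEY."""
    if ds_digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled in this example")
    return (key_tag(rdata) == ds_key_tag
            and rdata[3] == ds_algorithm
            and ds_digest_sha256(owner, rdata) == ds_digest.upper())


# Constructed sample input: a placeholder zone and a dummy 64-byte key
# (algorithm 13 keys are 64 bytes). Flags 257 mark a key-signing key.
SAMPLE_OWNER = "example.moe"
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    tag = key_tag(SAMPLE_KEY)
    digest = ds_digest_sha256(SAMPLE_OWNER, SAMPLE_KEY)
    print(f"{SAMPLE_OWNER}. IN DS {tag} 13 2 {digest}")
    print("matches:", ds_matches(SAMPLE_OWNER, SAMPLE_KEY, tag, 13, 2, digest))
```

Because the digest covers the owner name and the key itself, the same DS stays valid whichever registrar submits it to the registry, as long as the zone keeps being signed with that key.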

I appreciate your reply @sandro, I would have transferred my domain to Cloudflare if moe were supported as that would have been the path of least resistance.

I ended up quoting you multiple times to GoDaddy support. When going through the support system, it forces you to go through an AI chat bot first, and even the AI agreed with us both on this matter.

However, I am still going in circles with GoDaddy support. I want to preface this by saying that I do not blame the support agents at all here. I think GoDaddy is not giving the appropriate training, tools and support teams, and if this ends up being read by someone at GoDaddy, I hope that they look to fix their support rather than just firing support staff who clearly were just trying their best. I have removed fluff and names as I do not want to see these agents fired.

The story so far…

Agent: Hi there, How may I help you with Domains?

Me:
I am trying to add a Delegation of Signing (DS) record for qin.moe.
When using the following settings…
Key Tag: 2371
Algorithm: 13
Digest Type: 2
Digest: 2A15B64E78D582433F9CF0128D8C8ECD0ABD45C0F6B745B636D59967B1911EC0
I am getting the following error: Unable to submit DS record. If this continues, please contact our support team
I have previously reached out for help on this issue and I was advised by GoDaddy support to reach out to Cloudflare to add the DS record there. I had advised them that the relevant DS record was missing from the moe zone, however the agent insisted that the issue was that it is only done by the configured nameserver hosting and that I needed to contact them for support.
I contacted Cloudflare and this was the response:
Oh my, I highly recommend to transfer the domain to another registrar, as they obviously have no idea about their very own core-business. A DS entry always needs to be configured by the registrar and not by the DNS provider. The latter only provides the values.
I should further note when describing this issue to the AI assistant, it told me:
I’m sorry to hear you’re encountering difficulties with adding a DS record for your domain. It seems there’s been some confusion regarding the process. You’re correct that the Delegation of Signing (DS) record is indeed something that needs to be configured at the registrar level, which in this case, would be us at GoDaddy.
Please advise.

Agent: Okay let me check on it can you please help me with the below details,

Agent: May I know the domain name which you are looking to add the record.

Me: No problem, the domain is: qin.moe

Agent: As we have reviewed your account from our end we can see that the Domain nameservers are with the 3rd party service provider. The complete control of the Domain DNS is with them, they will only have the access to make changes in the Domain DNS, we suggest you to please contact them and update the records. We would be the happiest person to assist you with your concern, but we are really very sorry we don’t have an access to make any changes.
Can you please let me know where you have connected the domain nameservers.

Me: These particular DS record changes are handled by the top level domain provider. Normally you would have an automated system when I fill out the DS record setting that would nudge their systems to add a record in their moe zone data - this is what is currently broken for me.
If you examine the output on DNSSEC Debugger - qin.moe you will see that the child DS records are definitely already added on the nameserver, but the ones that are missing are from the moe zone, which the registrar would notify the TLD operator to add in normal circumstances.
This works the same way as how the registrar tells the TLD operator which name servers to point a domain to.

Agent: Sorry your nameservers have been updated to the hassan.ns.cloudflare.com
kenia.ns.cloudflare.com
They will have access to update the domain DNS records.
Can you please let me know what they have said once you have contacted the Cloudflare?

Me: No problem, this is what Cloudflare said when I asked them following the instruction of the previous GoDaddy support agent:
Oh my, I highly recommend to transfer the domain to another registrar, as they obviously have no idea about their very own core-business. A DS entry always needs to be configured by the registrar and not by the DNS provider. The latter only provides the values.

Agent: Okay I got it there is the records right you have want to update right.
Key Tag: 2371
Algorithm: 13
Digest Type: 2
Digest: 2A15B64E78D582433F9CF0128D8C8ECD0ABD45C0F6B745B636D59967B1911EC0

Me: Yes, that’s correct

Agent: I have added the record and checked with my team the nameservers are with a third-party which is the reason you are getting that error please change the nameservers to GoDaddy then we can add the record.

Me: But if I do that, that will break the chain of trust in DNSSEC, won’t it?

Agent: I am sorry we need to change the to add the DNS record or do you need to update it from the Cloudflare
I request you please once again contact Cloudflare and ask them to update they will have access or share the screenshot of the DNS page of your domain from Cloudflare.

Me: Here is a screenshot.

Agent: I have checked with my back-end team on your issue to update the record you need to change the nameservers and I have checked with the screenshot you are screenshot too that needs to be checked with the current DNS provider if you change the nameservers can to add the ds record from our end.

Me: Would I be able to change the nameservers back after the DS record is added?

Agent: Yes, you can add once you have changed the nameservers again back to the Cloudflare the ds record will be disconnected.
Please contact the current DNS provider they will check and they will help you on adding it or let me know I will help you in changing the nameservers to GoDaddy.

Me: But that doesn’t make sense, because the DS record required is announced by the moe zone, not the domain’s name server? Much like how the moe zone announces which name servers to use. I don’t even understand why there would be a manual input for DS records on the root domain level if the nameservers have to be set to GoDaddy’s, because that would just let users enter invalid DS records for GoDaddy’s own DNSSEC nameserver configuration and serve no purpose?

Agent: I am sorry but the nameservers are with a third party we can’t dd the DS record from my end if the nameservers are with GoDaddy I will update the record from my end.

Me: But you understand if I switch the name servers, and you set that DS record it will break resolution even with GoDaddy’s nameservers?

Agent: Please get the DNS records that need to be updated in the domain DNS page I will update those all records in the GoDaddy including the DNS record.

You don’t necessarily need to transfer to Cloudflare, the registrar service actually has room for improvement. I’d simply transfer it to anywhere but your current registrar 🙂

Whether training or not, the support agent should still be qualified enough not to make such wrong statements. I am afraid, you will have to convince them somehow. Only the registrar can save the relevant entry with the registry. Cloudflare as DNS provider is not involved here.

2 Likes

https://porkbun.com/tld/moe is about half the price of your current registrar.

1 Like

At this point I am somewhat using this thread to document what’s happening for reference for myself and others who have a similar issue.

I had a phone call with GoDaddy trying to sort this out, which you’re welcome to listen to here:

I removed information identifying the agents involved, because again, I don’t think they deserve direct blame. I felt the phone support agent was excellent and he did his best to support me. He pushed the issue to the “GoDaddy Advanced Technical Support” to resolve the issue.

While typing this response I then got a message from the ticket that was raised:

Dear Valued Customer,

Thank you for contacting Support. I am a member of our Advanced Technical Support team and would like to thank you for your patience while we investigated this matter. I understand there was an issue with the functionality of your DS records for qin.moe. It appears that the DS records you are trying to add are third party and checking those would be beyond our scope of support. Please check with your records provider for further help.

Again, thank you for your patience. Please feel free to contact us 24/7 should you need any further assistance.

Regards,

GoDaddy Advanced Technical Support

Sadly it seems the issue goes up to their higher tier of technical support, which really makes me feel there is no recourse but to transfer the domain as per @sandro's really helpful advice.

To me it’s very clearly not an issue with the staff, but really the processes and training GoDaddy has.

1/2 State of affairs I had with GoDaddy:

(I need to create multiple posts as it won’t let me have multiple embeds per post)

2/2 State of affairs I had with GoDaddy:

(I need to create multiple posts as it won’t let me have multiple embeds per post)

I am afraid the forum really is the wrong place for this at this point. Cloudflare simply is not involved here and that’s something only the registrar can fix.

1 Like

So I ended up transferring the domain to porkbun, while retaining Cloudflare as the name servers:

$ dig ns qin.moe

;; QUESTION SECTION:
;qin.moe.                       IN      NS

;; ANSWER SECTION:
qin.moe.                0       IN      NS      kenia.ns.cloudflare.com.
qin.moe.                0       IN      NS      hassan.ns.cloudflare.com.

Then configured the same DS records which functioned resulting in:

The advice provided by GoDaddy that a name server change was required is wrong for the DS record, and the update provided:

It appears that the DS records you are trying to add are third party and checking those would be beyond our scope of support. Please check with your records provider for further help.

Was entirely irrelevant to the issue.

Yep, good decision to transfer. A registrar ought to know that and they simply sent you on a wild goose chase.

1 Like

Thanks again for the help @sandro and sorry for ‘spam’, just wanted to post updates to have a clear documented timeline of events with actions taken so that both users who run into this can see what’s happening and perhaps for GoDaddy to take feedback on if they were to look at this.
