I’m not a Cloudflare customer, but my domain is suddenly not resolvable through 1.1.1.1, causing me a massive outage as CF moves so much DNS traffic. All other major DNS providers see me fine. There’s no phone number to call for support and if you’re not an existing customer, emails to support are summarily rejected. So I created a free account and then emailed support again. It was rejected a little slower, directing me to free community forum support. Apparently, if I wait 72 hours through this outage, then I can escalate it to the More Help tag. This is unbelievably frustrating. Can someone from the CF DNS team please pick this up early? I’m at a total loss of what to do next. nuscalepower.com
Did you recently move your domain away from Cloudflare Registrar or Cloudflare nameservers?
True, I do not get IP over 1.1.1.1, but using other DNS’s work - tested using online tool here:
May I suggest flushing the DNS for specified record using below tool:
DNSSEC is a bit broken? (looks fine from here, but there are some warnings which might have an impact?):
SSL certificate is ok, valid.
WHOIS domain status is mixed:
clientTransferProhibited, serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited
@sdayman there was lately a similar topic about serverTransferProhibited status code as I remember?
I get DNS_PROBE_FINISHED_NXDOMAIN. Kindly, may I suggest looking into below article for more information about why this error happens and how to troubleshoot:
Not sure if it’s related to some recent incident which can be checked on a Cloudflare Status page using below link:
@mvavrusa is the DNS expert on staff and can probably track down why 1.1.1.1 can’t resolve that domain. It’s after hours right now, and I don’t know anybody else who’s on shift right now who looks after 1.1.1.1
@fritex No, I haven’t been a CF customer for about 6 or 7 years. I moved away from CF when their staff caused a major outage with my CF registrar service and the one (1) guy who could fix it went home for the day. That made me deeply concerned about the support staffing levels, so I moved my business away years ago. I haven’t had my domain on CF for a very long time, so I’m baffled by what’s happening now.
BTW, thanks for the suggestions. I really appreciate your willingness to provide some pointers.
Granted, domain registration status like that would be a cause for concern, but I’m never sure how those affect real world behavior. I’d certainly recommend contacting the registrar to make sure everything is all clear and if they could get rid of the worst of those status messages. Especially these:
https://icann.org/epp#serverUpdateProhibited
https://icann.org/epp#serverTransferProhibited
@sdayman These have been set like these for years as part of a “domain lock” security feature by the registrar, CSC. You can compare nuscale.com (working) and nuscalepower.com (not working) for DNSSEC and WHOIS.
Hi! Sorry about the issues. I disabled DNSSEC validation for this zone temporarily so it should resolve now. It doesn’t work because there are two DS records for the zone:
nuscalepower.com. 86400 IN DS 64807 8 2 60E153C0E318759C7AC69F4EF48F4E641D39031D4D9C91413AF922A76A140ABE
nuscalepower.com. 86400 IN DS 5779 8 2 28E09A06D733F5EFB5057ADE84AF4F674B404D3C1E3497CFEBA80242236C1435
First points to unsupported DNSKEY (512 bit RSA), second points to a key that doesn’t exist. Either you need to remove the DS record pointing to the missing key (5779), or add the missing key to the zone, or use RSA keys at least as strong as 1024 bits, see RFC 4641 - DNSSEC Operational Practices
From what I read recently, a second DS record shouldn’t kill a domain if the other DS record is valid. Is this not true?
@mvavrusa THANK YOU. I immensely appreciate the support here. I can confirm that resolution is working again. I’ll take the output of what you’ve provided to CSC/Neustar and escalate the issue on that end. Once resolved there, I will report back.
That’s true as long as there’s at least one key that is supported (RFC 4035 - Protocol Modifications for the DNS Security Extensions).
@user18460 no problem, sorry about the issues caused in the first place.
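The DS-to-DNSKEY check discussed in the replies above, as an added example that is not part of the thread and not Cloudflare's resolver code: it matches each DS record to a DNSKEY by key tag and SHA-256 digest, flags a DS with no key or with an RSA key under the 1024-bit minimum mentioned above, and treats the zone as validating when at least one DS is usable. The function names are hypothetical and the sample keys are constructed filler bytes, not the zone's real keys.

```python
import hashlib
import struct

MIN_RSA_BITS = 1024  # threshold quoted in the reply above

def name_to_wire(name):
    labels = [l for l in name.lower().split(".") if l]
    # Canonical wire form: length-prefixed lowercase labels, then the root label.
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, key):
    # DNSKEY RDATA layout: flags, protocol (always 3), algorithm, public key.
    return struct.pack("!HBB", flags, 3, alg) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def rsa_bits(key):
    """Modulus size of an RSA public key in RFC 3110 wire format."""
    exp_len, off = (key[0], 1) if key[0] else (struct.unpack("!H", key[1:3])[0], 3)
    return int.from_bytes(key[off + exp_len:], "big").bit_length()

def ds_digest(owner, rdata):
    """Digest type 2: SHA-256 over owner name plus DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def check_ds_set(owner, ds_set, dnskeys):
    """Classify each DS (tag, alg, digest_type, digest) against the DNSKEYs."""
    keys = [(alg, key, dnskey_rdata(flags, alg, key)) for flags, alg, key in dnskeys]
    report = {}
    for tag, alg, dtype, digest in ds_set:
        hits = [(k, r) for a, k, r in keys if a == alg and key_tag(r) == tag]
        if not hits:
            report[tag] = "no matching DNSKEY"
        elif dtype != 2 or all(ds_digest(owner, r) != digest.upper() for _, r in hits):
            report[tag] = "digest mismatch or digest type not handled here"
        elif alg in (5, 7, 8, 10) and all(rsa_bits(k) < MIN_RSA_BITS for k, _ in hits):
            report[tag] = "RSA key too short"  # 5, 7, 8, 10 are the RSA algorithms
        else:
            report[tag] = "ok"
    return report

def zone_validates(report):
    """The chain of trust holds if at least one DS leads to a usable key."""
    return "ok" in report.values()

# Constructed sample keys (filler bytes, not real keys and not the zone's own).
WEAK = (257, 8, b"\x03\x01\x00\x01" + b"\xc1" * 64)     # 512-bit modulus
STRONG = (257, 8, b"\x03\x01\x00\x01" + b"\xd3" * 256)  # 2048-bit modulus
```

Calling `check_ds_set` with a DS for `WEAK` plus a DS whose tag matches no key, and only `WEAK` in the key set, reports both as unusable; adding `STRONG` and a DS built from it makes `zone_validates` return True.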