New/modified records not always properly DNSSEC signed

I’ve been having this problem recently (the last few months at most) where I sometimes end up in situation where some new or modified DNS records don’t get properly signed which means that lookup of those particular records fail for resolvers that verify the signature. The rest of the records resolve fine with or without DNSSEC validation and all DNSSEC testing tools agree that it is correctly configured.

It first happened when adding SSHFP records where I noticed I made a mistake and modified them. After that they no longer had valid signatures. I got it working in the end by removing all the SSHFP records and then re-adding them. At the time, I figured it was just a temporary issue and forgot about it.

A few hours ago however, I modified an NS record for a subdomain, only to realize the change I made might have some side effects in some edge cases so I changed it back. That record is now no longer signed correctly and removing and subsequently re-adding it makes no difference.

Has anyone else had this same issue?

The domain in question is and the broken NS record is set for

This seems to be a persistent issue and one Support may be able to assist with, to contact Cloudflare Customer Support, login & go to and select get more help. Please give Support the complete details and link to your Community post and share the ticket number here, please. If you receive an automatic response that does not help you, please reply and indicate you need more help.

Ok, thanks! I just filed a support ticket with the ticket number 1831860.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.