Nothing changes after scanning for existing DNS records

I previously used CF as my domain registrar before moving to the Freenom registrar. While CF was the registrar, everything was fine. Now that I have moved the domain back to Freenom and am hosting with Namecheap, I can no longer use Cloudflare. After I tried to scan for the existing DNS records of the domain, I got stuck at "Add more DNS records for tangodigitalsystems.org". I have tried to manually add all the A records, CNAME, MX, and some TXT records, but it did not work. I tried adding another domain and it worked. Please, I don’t know where the problem is coming from. Your help is highly appreciated.


This looks like a DNSSEC issue.

https://dnsviz.net/d/tangodigitalsystems.org/dnssec/

Please how do I resolve it?

That’s not something Cloudflare can help with; they are neither your registrar nor your DNS provider. You should disable DNSSEC at the registrar and address it with them if there are problems doing that.

I have tried to establish communication with my registrar but I have hit a dead end; it has already been 10 days and they have neither replied to my ticket nor responded to my email. I am just thinking: what if I move my domain back to CF from Freenom, do you think it can be fixed?

You can try transferring it to Cloudflare Registrar. I’m not sure if the DNSSEC status comes along with the transfer, but if it does then you’ll just be able to enable it in the dashboard and Cloudflare takes care of the rest.

Outside of changing registrar, you have two options.

Either you can set up DNSSEC at your current nameservers (DNS1.NAMECHEAPHOSTING.COM) or disable it with your current registrar.

It sure looks like the registrar has Cloudflare’s DNSSEC key, which of course won’t work with Namecheap DNS, but should if you go to your registrar and set your domain to use Cloudflare’s name servers.

 % dig +short DS tangodigitalsystems.org
2371 13 2 18484E2948D75854C38826DE8CB70D8D701E99F1E62BB913D99109E4 AD439894

You’ll still be missing DNS records, though. You’d have to get those from your web host.

% whois tangodigitalsystems.org | grep "Name Server"
whois: http: nodename nor servname provided, or not known: Invalid argument
Name Server: DNS1.NAMECHEAPHOSTING.COM
Name Server: DNS2.NAMECHEAPHOSTING.COM

This is the problem I am facing: I am unable to use Cloudflare DNS… and I want to be able to use it.

More specific information would help.

“did not work” is not descriptive. Your last screenshot shows no DNS records with the button to Add Record. Can you please describe what you did and the end result?

I added the domain like I always do, and normally after some seconds the records are pulled, but in this case I added the domain and at the end of the quick scan no DNS, MX, TXT, A, or CNAME records were found. Cloudflare could not pull any records from the existing hosting company (Namecheap), and as a result of that I could not use Cloudflare.

You’ll need to fix your DNSSEC for Cloudflare to be able to see your records; as the chain is broken, it can’t trust those records.

➜  ~ delv tangodigitalsystems.org
;; broken trust chain resolving 'tangodigitalsystems.org/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain

https://dnsviz.net/d/tangodigitalsystems.org/dnssec/

Cloudflare cannot lookup (and therefore cannot import) existing records when DNSSEC is enabled on the domain (on your registrar) but not properly implemented in DNS (on your nameservers).

As an example:

➜  ~ dig tangodigitalsystems.org @1.1.1.1

; <<>> DiG 9.16.15-Ubuntu <<>> tangodigitalsystems.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for tangodigitalsystems.org.)
;; QUESTION SECTION:
;tangodigitalsystems.org.	IN	A

To clarify, the differences between DS and DNSKEY record types in DNSSEC:

DS records - these are given to your registrar and these are advertised by your TLD’s name servers.

If you run dig tangodigitalsystems.org DS @1.1.1.1 +trace in a command prompt, you’ll see that the DS records for your domain are served by d0.org.afilias-nst.org rather than your domain’s nameservers which are dns1.namecheaphosting.com and dns2.namecheaphosting.com

DNSKEY records - these are given to your nameservers and these are advertised by your domain’s nameservers, as opposed to your TLD’s nameservers like DS records.

If you run dig tangodigitalsystems.org DNSKEY @1.1.1.1 +trace, you’ll notice that eventually the query reaches dns1.namecheaphosting.com and dns2.namecheaphosting.com but no DNSKEY records are returned.

DNSKEY records contain the public signing key for your records, and since this isn’t present, the chain of trust for your records cannot be verified; therefore, a DNSSEC failure.

You need to get the proper DNSKEY records added onto your nameservers, or disable DNSSEC (which will remove the DS record) at your registrar.

If you’d like to see a proper implementation, replace tangodigitalsystems.org in the above dig commands with kian.org.uk which has Cloudflare’s DNSSEC implemented.

https://www.cloudflare.com/dns/dnssec/how-dnssec-works/ is a great reference for the different record types and how the process works.

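To make the DS/DNSKEY relationship in the two replies above concrete (the SERVFAIL with EDE 9 "no SEP matching the DS found", and the explanation of DS at the parent versus DNSKEY at the child), here is an added example that is not code from this thread or from Cloudflare. It implements the RFC 4034 key tag and DS digest computation and then performs the same check a validating resolver does: look for a DNSKEY served by the child zone whose digest matches the DS published by the parent. The DS record is the one shown earlier in the thread for tangodigitalsystems.org; the DNSKEY is a constructed placeholder (a 64-byte pattern, not a real key), so it cannot match that DS, which reproduces the broken chain. Feeding the resolver a DS derived from the key actually served is the only way to reach a "secure" result.

```python
"""Check whether a DS at the parent matches a DNSKEY served by the child zone.

Added example (RFC 4034 section 5 and appendix B); not code from the thread
or from Cloudflare. CONSTRUCTED_KSK is a made-up key for illustration only.
"""
import hashlib
import struct
from typing import NamedTuple, Optional

# DS digest type -> hashlib name (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


class DNSKEY(NamedTuple):
    flags: int          # 256 = zone key, 257 = zone key + SEP (a KSK)
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 13 = ECDSAP256SHA256, which is what Cloudflare uses
    public_key: bytes


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root byte last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, key material."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B: 16-bit checksum over the RDATA, used to pre-select candidate keys."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """What the zone operator hands to the registrar: hash(owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = hashlib.new(DIGEST_ALGOS[digest_type], name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def find_sep_for_ds(owner: str, ds: DS, dnskeys: list) -> Optional[DNSKEY]:
    """The validator step behind 'no SEP matching the DS found'.

    Returns the served DNSKEY that the parent's DS vouches for, or None when
    the chain of trust is broken (no keys at all, or only unrelated keys).
    """
    if ds.digest_type not in DIGEST_ALGOS:
        return None
    for key in dnskeys:
        if key.protocol != 3 or key.algorithm != ds.algorithm:
            continue
        candidate = make_ds(owner, key, ds.digest_type)
        if candidate.key_tag == ds.key_tag and candidate.digest == ds.digest:
            return key
    return None


OWNER = "tangodigitalsystems.org."

# DS currently published at the .org servers, as shown by `dig +short DS` in the thread
PARENT_DS = DS(2371, 13, 2, bytes.fromhex(
    "18484E2948D75854C38826DE8CB70D8D701E99F1E62BB913D99109E4AD439894"))

# Constructed KSK (flags 257, algorithm 13). Placeholder key bytes, not a real key.
CONSTRUCTED_KSK = DNSKEY(257, 3, 13, bytes(range(64)))


def chain_status(dnskeys: list) -> str:
    """Resolver verdict for the domain given the DNSKEY RRset the child serves."""
    if find_sep_for_ds(OWNER, PARENT_DS, dnskeys):
        return "secure"
    return "broken trust chain (no SEP matching the DS found)"


if __name__ == "__main__":
    # Case 1: the current Namecheap nameservers return no DNSKEY at all.
    print("no DNSKEY at child: ", chain_status([]))
    # Case 2: a DNSKEY is served, but the DS at the parent was made for a different key.
    print("unrelated DNSKEY:   ", chain_status([CONSTRUCTED_KSK]))
    # Case 3: the registrar publishes a DS derived from the key actually served.
    own_ds = make_ds(OWNER, CONSTRUCTED_KSK)
    print("matching DS/DNSKEY: ", find_sep_for_ds(OWNER, own_ds, [CONSTRUCTED_KSK]) is not None)
```

Cases 1 and 2 are the two states the domain can be in while the Cloudflare DS stays at the registrar and the zone is served from Namecheap; both yield the SERVFAIL seen from 1.1.1.1. Case 3 is what "set up DNSSEC at your current nameservers" means in practice: the DS the registrar publishes must be derived from the KSK the nameservers actually answer with, otherwise removing the DS is the only way to get the zone to validate as insecure rather than bogus.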
