1 of 2 problems occur when I go to my website. Scenario 1: it wont load and says “This site can’t be reached took too long to respond. Try: Checking the connection Checking the proxy and the firewall ERR_TIMED_OUT” … or Scenario 2: It loads and shows “sni-support-required-for-valid-ssl”
The domain is justpendedutah .com
Looking the domain shared we are seeing a DNS_PROBE_FINISHED_NXDOMAIN.
The error you shared that you were receiving was ERR_TIMED_OUT
Can you share a screenshot of said error?
Normally, there would be a Cloudflare Error code (5xx).
The query results indicate this is a DNSSEC issue.
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for justpendedutah.com.)
;; QUESTION SECTION:
;justpendedutah.com. IN A
So both things happen. 1st it will time out but if i refresh once or twice, the website will eventually show up and show is “not secure”… I place a few screen shots below so you can see what I mean
How do I fix the DNSSEC issue?
At a minimum, you will need to remove the invalid DS Key that is currently set at your domain registrar. You can do this by simply logging into your domain registrar and deleting the currently assigned values. If you have DNSSEC active on your domain in Cloudflare, you should be able to obtain its corresponding DS Key. You need to then configure that at your domain registrar.
1 Like
My registrar is hostgator and they dont seem to allow this functionality for my package (which is confusing because if they dont offer that in my package, how did it get there originally?) *FYI: My domain was orginally purchased through googledomains…I’m wondering if google domains transferred over a DS record to hostgator when I transferred the domain and now it’s hidden but still somewhere in my hostgator records. Any ideas? The Doc you sent doesn’t show hostgator instructions uder the “provider specific instructions”
That’s pretty close. The DS records are managed at the registrar just like your authoritative nameservers, and, just like your authoritative nameservers, the .com root servers is where they actually make there way into the public DNS. Your currently active DS Key records would have been pushed to the .com root nameservers. Despite not being included in the pooffering with your current registrar, I would expect someone at some level of their customer support organization to understand that only they can remove those records.
If you aren’t under a 60 day transfer-lock, it may be more expedient and beneficial to just transfer the domain to a registrar with proper DNSSEC support. Such a basic and critical feature should not be locked behind a paid upgrade.
1 Like
Understood. I am unfortuantely under a 60day transfer lock but I read in icann .org that registrars can give permission to leave earlier than 60 days so I’m going to request that fromsupport since they have told me there is not a single customer of hostgator that can access DNSSEC… which doesnt even seem possible or true but thats what they’ve said…