Please suppress CDS and CDNSKEY records for kiratime.hu

What is the name of the domain?

kiratime.hu

What is the error message?

CDNSKEY and CDS RRsets must be signed with a key represented in both the current DNSKEY and DS RRset. RFC 7344, Section 4.1.

What is the issue you’re encountering?

My domain uses manually configured DNSSEC with the .hu TLD, which does not support automatic rollover via CDS/CDNSKEY. Cloudflare is still publishing these records, causing validation errors in tools like DNSViz.

What steps have you taken to resolve the issue?

The DS record is set manually at the registrar and DNSSEC is fully functional and validated. The remaining issue is the unnecessary CDS/CDNSKEY records still being published.

What feature, service or problem is this related to?

DNSSEC

What are the steps to reproduce the issue?

  1. Use DNSViz on kiratime.hu
  2. Warnings appear due to unmatched CDS/CDNSKEY
  3. The records are not removable from Cloudflare UI

Screenshot of the error

If I understand the configuration correctly you don’t need DNSSEC enabled on the Cloudflare dashboard; what happens if you disable DNSSEC on https://dash.cloudflare.com/?to=/:account/:zone/dns/settings?

Dear @cloonan,

Thanks for your reply! In my case, Cloudflare is the authoritative DNS provider for kiratime.hu, and I’ve enabled DNSSEC in the Cloudflare dashboard so that it signs the zone (publishing DNSKEY, RRSIG, etc.).

Because the .hu registry doesn’t support automatic DNSSEC via CDS/CDNSKEY, I’ve manually added the DS record at my registrar using the values Cloudflare provides.

So even though the DS was added manually, I still need DNSSEC enabled on Cloudflare — otherwise it wouldn’t publish DNSSEC signatures, and the domain would fail validation.

Hence DNSSEC is working correctly, and the CDS/CDNSKEY warning is cosmetic only. What I’m trying to do now is simply suppress the automatic CDS and CDNSKEY records that Cloudflare publishes, since they’re triggering RFC 7344 Section 4.1 errors in tools like DNSViz.

Thanks again!
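The RFC 7344 Section 4.1 rule quoted in the error at the top of this thread can be checked offline. The following is an added example, not code from the thread or from Cloudflare or DNSViz; it computes RFC 4034 key tags and SHA-256 DS digests for constructed sample keys (not kiratime.hu’s real keys, and `example.hu.` is a placeholder zone) and then asks whether the key that signed the CDS/CDNSKEY RRset appears in both the DNSKEY RRset and the parent DS RRset.

```python
import base64
import hashlib
import struct

def owner_wire(name):
    """Owner name in DNS wire format: lowercased, length-prefixed labels, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (the form used for every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey_b64)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(name, flags, protocol, algorithm, pubkey_b64):
    """DS digest type 2 (RFC 4509): SHA-256 over owner-name wire format || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(name) + dnskey_rdata(flags, protocol, algorithm, pubkey_b64)).hexdigest()

def keys_in_both_dnskey_and_ds(name, dnskeys, ds_rrset):
    """Key tags in the zone's DNSKEY RRset that a parent DS also matches on (tag, algorithm, digest)."""
    return {key_tag(*dk) for dk in dnskeys for ds in ds_rrset
            if (ds["keytag"], ds["algorithm"], ds["digest_type"]) == (key_tag(*dk), dk[2], 2)
            and ds["digest"].lower() == ds_digest_sha256(name, *dk)}

def cds_rrsig_acceptable(name, dnskeys, ds_rrset, cds_signer_tags):
    """RFC 7344 section 4.1: accept the CDS/CDNSKEY RRset only if at least one RRSIG over it
    was made by a key present in both the DNSKEY RRset and the DS RRset."""
    return bool(keys_in_both_dnskey_and_ds(name, dnskeys, ds_rrset) & set(cds_signer_tags))

# Constructed sample data (not kiratime.hu's real keys): a KSK (flags 257) and a ZSK (flags 256)
# with deliberately tiny public keys so the key tags can be recomputed by hand.
ZONE = "example.hu."
KSK = (257, 3, 13, "AQID")  # key tag 2064
ZSK = (256, 3, 13, "BAUG")  # key tag 3602
DNSKEYS = [KSK, ZSK]
# The DS a registrar would publish for the KSK, derived here from the constructed key above.
DS_OK = [{"keytag": 2064, "algorithm": 13, "digest_type": 2, "digest": ds_digest_sha256(ZONE, *KSK)}]
# A stale DS: right key tag, but a digest that no longer matches the DNSKEY (e.g. after a KSK change).
DS_STALE = [{"keytag": 2064, "algorithm": 13, "digest_type": 2, "digest": "00" * 32}]

if __name__ == "__main__":
    for ds, tags in ((DS_OK, [2064]), (DS_OK, [3602]), (DS_STALE, [2064])):
        print(tags, cds_rrsig_acceptable(ZONE, DNSKEYS, ds, tags))  # True, False, False
```

The three cases are the ones a validator distinguishes: the CDS signed by the KSK that the DS references is accepted, one signed only by the ZSK (no DS for it) is rejected, and a DS whose digest no longer matches the published KSK makes even a KSK-signed CDS RRset fail the check.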

I just forced a re-run of the DNSViz check, and I don’t see any “errors” any longer: https://dnsviz.net/d/kiratime.hu/dnssec/

And it’s all green on Verisign Labs’ DNSSEC Debugger: https://dnssec-debugger.verisignlabs.com/kiratime.hu

So it seems this is sorted already?


Dear @GeorgeAppiah,

Thank you for your reply!

I made a test at 08:44 CEST this morning, and it had the issue. Now it is 09:38 CEST and I confirm that the error messages are gone.

I was having breakfast and coffee, so the resolver wasn’t me, but whoever resolved this, a big THANK YOU for you! 🙂

Also thanks everyone who dealt with my case!

Bye!

