Registrar Registration Transfer In - dnssec error

Similar to other posts (see e.g., 378622, and 378095) my domain stopped working immediately after being transferred to Cloudflare.

Similar to other posts I get a “no SEP matching the DS found for” error (see below) and my domain name can no longer be resolved.

(actual domain name replaced below):

dig NS @

; <<>> DiG 9.16.1-Ubuntu <<>> NS @
;; ...; OPT=15: 00 09 6e 6f ... 6e 65 74 2e
   (" SEP matching the DS found for")
;			IN	NS

Also, looking at dnsviz I get the same errors wrt Algorithm numbers as mentioned in this post.

As far as I can read in the other posts, this can only be fixed by support? Or is there anything else I can do?

I’ve also created a ticket 2432449.

Looking a bit more into this (to verify that this is a dnssec issue):

dig query where we require dnssec fails due to the wrong key:

dig NS @
;; ...
; OPT=15: 00 09 6e 6f .. 6e 65 74 2e
    (" SEP matching the DS found for")
;			IN	NS
; (no ANSWER SECTION below)

Without dnssec we get the right answer:

dig NS @ +cd
;; ...
; OPT=15: 00 09 6e 6f .. 6e 65 74 2e
    (" SEP matching the DS found for")
;			IN	NS

;; ANSWER SECTION:		86400	IN	NS		86400	IN	NS

Cloudflare is both registrar and DNS for the domain, i.e., it seems it is providing the wrong dnssec key.
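As an added illustration of what the "no SEP matching the DS found" error is actually checking (this is example code written for this page, not part of the thread, dnsviz or any Cloudflare tooling): a validating resolver takes each DNSKEY with the SEP flag set from the child zone, derives the DS record it would correspond to (RFC 4034 key tag plus a digest over the owner name and the DNSKEY RDATA), and looks for that DS in the set the parent (.net here) publishes. If the parent still carries the DS of the previous host's key-signing key, nothing matches and validation fails, exactly the state described above. The zone name and all key material below are constructed placeholders, not the poster's real domain or keys.

```python
"""Compare a child zone's DNSKEY set against the DS records published at the
parent, the check behind the "no SEP matching the DS found" error.
Key tag and DS digest follow RFC 4034 (Appendix B and section 5.1.4).
All names and keys here are constructed sample data, not real zone data."""
import hashlib
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = ZONE + SEP (key-signing key), 256 = ZONE only
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags | protocol | algorithm | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & 0x0001)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Derive the DS record the parent would have to publish for this DNSKEY."""
    rdata = key.rdata()
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return DS(key_tag(rdata), key.algorithm, digest_type, h.digest())


def matching_sep_keys(owner: str, keys: list, parent_ds: list) -> list:
    """Return the child's SEP keys that at least one parent DS record covers.
    An empty result is the condition the resolver reports as
    'no SEP matching the DS found'."""
    matched = []
    for key in keys:
        if not key.is_sep:
            continue  # zone-signing keys are not expected to have a DS
        for ds in parent_ds:
            if ds.digest_type in DIGEST_ALGS and ds_from_dnskey(owner, key, ds.digest_type) == ds:
                matched.append(key)
                break
    return matched


# Constructed sample zone: the previous host's KSK, the new host's KSK and a ZSK.
ZONE = "example.net."
OLD_KSK = DNSKEY(257, 3, 13, hashlib.sha256(b"constructed old ksk").digest() * 2)
NEW_KSK = DNSKEY(257, 3, 13, hashlib.sha256(b"constructed new ksk").digest() * 2)
ZSK = DNSKEY(256, 3, 13, hashlib.sha256(b"constructed zsk").digest() * 2)
CHILD_KEYS = [NEW_KSK, ZSK]                      # what the new host serves
STALE_PARENT_DS = [ds_from_dnskey(ZONE, OLD_KSK)]  # DS never removed at the old host
FIXED_PARENT_DS = [ds_from_dnskey(ZONE, NEW_KSK)]  # DS after the parent is updated


def diagnose(owner: str, keys: list, parent_ds: list) -> str:
    """Human-readable summary of the DS/DNSKEY comparison."""
    good = matching_sep_keys(owner, keys, parent_ds)
    if not good:
        tags = sorted(ds.key_tag for ds in parent_ds)
        return f"no SEP matching the DS found for {owner} (parent DS key tags {tags})"
    return f"OK: DS covers SEP key tag(s) {[key_tag(k.rdata()) for k in good]}"


if __name__ == "__main__":
    print(diagnose(ZONE, CHILD_KEYS, STALE_PARENT_DS))
    print(diagnose(ZONE, CHILD_KEYS, FIXED_PARENT_DS))
```

Run against real data, the inputs would be the DNSKEY RRset from the authoritative servers (`dig DNSKEY <zone>`) and the DS RRset from the parent (`dig DS <zone> @<parent-nameserver>`); the point of the diagnosis is that only the party able to change the parent's DS set (the registrar) can make the two agree.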

Hmmm. More than 24 hours have passed, and it still doesn’t work.

Dnsviz still shows the same error (see below), i.e., the dnssec keys at my domain do not match the expected keys as seen from .net. As everything is running at Cloudflare (both registrar and dns) I would expect either dnssec to work or not to be setup - not in this intermediate state.
The Troubleshooting DNSSEC page does not describe what to do in this case.

Maybe I should cancel DNSSEC setup in the DNS panel? Or would this simply delay this with yet another 24h waiting period and still not work.

I’ve flagged your post for follow up by support. This issue can only be fixed by Cloudflare staff, not by the Community.

The issue is that you failed to remove the DS records from your previous DNS host/registrar (as stated in the documentation). Once you fail to do that and proceed with the transfer, you cannot resolve the issue yourself.

Replying to myself:
Somebody else has tried to toggle DNSSEC but to no avail, i.e., this would probably not work:

While waiting for a response, I tried toggling DNSSEC in the CF dashboard and waiting 48 hours; no luck. I tried disabling DNSSEC, but DS entries are still being published 24 hours later.

It seems that you have to wait for somebody at the CF team to pass along – keeping my fingers crossed. :crossed_fingers: :slight_smile:

@michael - thanks! Your reply came in while I was replying to myself.
Since this is not automatically fixed, I guess that this happens too infrequently to be automatically fixed. I should read the documentation more carefully next time. :frowning:

Hey there!

Sorry this isn’t working (yet). I just replied on your ticket.

Thanks. Everything seems to work again. :slight_smile:

