Registrar Registration Transfer In - DNSSEC stuck at “DNSSEC is pending while we automatically add the DS record on your domain”

The DNSSEC setup for my domain is stuck with the message “DNSSEC is pending while we automatically add the DS record on your domain”.

It seems to be the issue described in the forum thread below which requires manual intervention. Can you please take a look?

Ticket number is 2434983

PS: This ticket is a duplicate of 377333 since my ticket got nowhere and instructions were “your question should be asked in the Community so that other Customers will also benefit from the answer” when it’s already been answered thrice here.

@MoreHelp, it’s been over 72h without change on this ticket, any chance Cloudflare can take care of this?


I’ve reported this to Cloudflare Wednesday, got a reply Thursday saying “we see your ticket but you’re free tier and we don’t have time” (I’m paraphrasing), took a Pro plan because “support is prioritized for paying customers” Thursday to get this fixed quickly and I’ve had no news of Cloudflare since.

I mean one more automated answer after some time saying “we’re swamped and are prioritizing Enterprise / Business customers” would be annoying but at least it would indicate this ticket was still somewhere on the TODO list because 5 days for fixing a domain breaking issue is an exceedingly long time.

The result at this stage is that the domain I migrated to Cloudflare is still broken, and to make matters worse, this is a know issue that neither Cloudflare Registrar handles automatically nor Cloudflare Support handles at all.

This would be laughable if it wasn’t so damn irritating that my domain is still broken.

I’m also noting that Cloudflare’s a big proponent of filing complaints to ICANN against other registries for not supporting DNSSEC as they should, reading the ICANN agreements I’m finding “Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC.” which Cloudflare clearly isn’t doing given the DS records are still broken. Do I need to file an official complaint with ICANN to get this to change?

PS: I’m sorry for the people at Cloudflare that have to process this, I’m furious at Cloudflare as a company and at their failing processes, not any particular individual doing his/her/its job.

Whilst it has to be handled by someone on the support team, the part about ICANN wouldn’t lead anywhere.

2013 Registrar Accreditation Agreement - ICANN dictates that a registrar must allow customers to use DNSSEC which Cloudflare does - ICANN are not ruling that a technical fault for a handful of domains (which is resolved through the support process) has to be handled within a pre-defined amount of time.

It’s an unfortunate bug and it will be fixed - Cloudflare aren’t in breach of anything.

@user92315 I noticed your ticket with Support and have escalated this post for the attention of my Registrar colleagues. Question while we wait for a reply from them, I was unsure when reviewing the ticket, did you disable DNSSEC at the former registrar?

Thanks for getting back to me @cloonan, I did disable DNSSEC at my previous registrar but it seems they did not remove the DS record as requested leading to this unfortunate situation. I didn’t leave my previous registrar for nothing…

1 Like