Server can't find <domainname>: SERVFAIL

3 days ago we pointed a domain at Cloudflare’s name servers, when previously it had been at Google’s DNS. Now, when we do a domain lookup, it simply gives us a SERVFAIL. We cannot figure out what is wrong, and hope someone can help here. Cloudflare appears to have removed the ability to open support tickets, so hopefully the community can help rescue us. Please note that we have hundreds of domains with Cloudflare, and never had this problem before. The domain is in Cloudflare, and yet even a lookup using shows it as not there. Very strange.

** server can’t find SERVFAIL

; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for

This is due to bad DNSSEC on the domain. Did you have DNSSEC before transferring? If so, it should have been disabled.

Is DNSSEC enabled in the Cloudflare dashboard, under the DNS tab?

Thanks. I have no idea if DNSSEC was on at Google, as we didn’t have access to the old registrar. We did not have DNSSEC enabled here at Cloudflare, but I’ve just enabled it and we’ll see if that helps.

When you enable DNSSEC also make sure you upload matching DS records to the registrar, otherwise it’s not going to work (this should be part of the “enable DNSSEC” workflow).


Oh interesting. This is my first time doing this, and I have to admit I’m confused. Because the DNS is with Cloudflare, I would assume this part is automatic. In fact, their documentation says it is and I have to take no action other than enabling the DNSSEC. However, it’s been a few hours now and it is still pending. I’m unclear how I would add an NS record at the registrar level, as NS records are added at the DNS level, that is, the Cloudflare level.

I contacted the domain registrar and they confirmed that they successfully added the DS record to the domain, so that’s done. Cloudflare still shows the DNSSEC as pending though, so I don’t understand what is still holding this up.
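
Added example, not part of any post in this thread: a Python sketch of the comparison a validating resolver makes between the DS records held at the registrar and the DNSKEY set the DNS provider serves, following RFC 4034. The keys, `example.com` and all function names are constructed for this example.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(owner):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, key, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(*key)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), key[2], digest_type, digest)

def check_delegation(owner, parent_ds, child_dnskeys):
    """Compare the DS set at the parent with the DNSKEY set the zone serves."""
    if not parent_ds:
        return "insecure: no DS at parent, resolvers skip validation"
    if not child_dnskeys:
        return "broken: DS at parent but the zone serves no DNSKEY"
    zone_keys = [k for k in child_dnskeys if k[0] & 0x0100]  # Zone Key flag
    for tag, alg, dtype, digest in parent_ds:
        if dtype not in DIGESTS:
            continue  # unsupported digest type, ignored by this check
        for key in zone_keys:
            if make_ds(owner, key, dtype) == (tag, alg, dtype, digest.lower()):
                return f"ok: DS {tag} matches a served DNSKEY"
    return "broken: no served DNSKEY matches any DS at the parent"

# Constructed sample keys (not real key material): ECDSA P-256, flags 257.
OLD_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KEY = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())

if __name__ == "__main__":
    stale = [make_ds("example.com", OLD_KEY)]   # DS left over from the old provider
    fresh = [make_ds("example.com", NEW_KEY)]   # DS for the new provider's key
    print(check_delegation("example.com", stale, []))         # DNSSEC off at new host
    print(check_delegation("example.com", stale, [NEW_KEY]))  # enabled, DS not updated
    print(check_delegation("example.com", fresh, [NEW_KEY]))  # DS replaced
```

The first two "broken" verdicts are the states in which a validating resolver answers SERVFAIL; only the last state, where the parent's DS was generated from a key the zone actually serves, validates.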