Site down after enabling DNSSEC 24 hours +

My site has been down and not resolvable for 24 hours since enabling DNSSEC. My Registrar, IONOS, added the DS Record this morning.

When using dnsviz, one of the errors shown is “error resolving the following NS names to addresses”, then it lists but I haven’t been using these nameservers for almost a month.

I’ve been using Cloudflare’s nameservers for weeks now so I’m not even sure where it’s pulling the old inoperable local nameserver addresses from???

DNSViz was showing a cached result (you can click update in the top left to get it to run again), hence why it was showing the old nameservers.

Updated DNSViz ( | DNSViz) shows that you do have DS Records at your Registrar, and they look correct for Cloudflare, but it doesn’t look like you have DNSSEC enabled within Cloudflare. Did you change Cloudflare accounts, or disable it after enabling it (you don’t need to do that in the future if you did, you can enable it within CF and keep it enabled while you configure your DS Records at your Registrar)


Thanks for the reply. No, I never touched anything on Cloudflare’s end once I enabled it yesterday. It still says “DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.”

Why would that be?

Interesting… Is it possible you have the site in more than one Cloudflare account, and are modifying the inactive/wrong one, or are confusing the site with a different one in your account? As far as I know & tested, the second you enable DNSSEC within Cloudflare, Cloudflare starts serving DNSKEY records, even without you doing anything on your registrar (which is fine, doesn’t break anything). Your zone isn’t serving any at all though. A screenshot of the DS Record tab would be helpful. (There’s nothing private in there, CF doesn’t even give you the private key.)

In case it is worth asking as well, the site in question is, correct?


I’ve only ever had one CF account so that’s a no-go.

Yes, the site is

So it seems like it’s definitely an issue with CF…

If I cancel setup and then re-enable, will it produce the same ds record or will I have to contact IONOS with new values?

A bit late, but it looks like you might have done that (or it just fixed itself with time), and I can see the DSKEY Record being served by your zone now: ( | DNSViz)
In theory, you should be able to get your registrar to add the DS Record back without any issue. (Also not sure why your registrar takes so long to add it, most have it automated and it’s just propagation time you need to wait for).
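
The failure discussed in this thread (a DS record published at the registrar while the zone serves no DNSKEY) can be checked by deriving the DS from the zone's DNSKEY as RFC 4034 specifies and comparing it with what the parent publishes. This is an added example, not part of any post above; the zone name and key bytes are constructed placeholders, and in practice the inputs would come from `dig DS` and `dig DNSKEY` output.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_state(owner, parent_ds, zone_dnskeys):
    """Classify the delegation as a validating resolver would see it.
    Only the DS-to-DNSKEY link is checked; RRSIG verification is out of scope."""
    if not parent_ds:
        return "insecure"  # no DS at the parent: zone resolves, unvalidated
    derived = {make_ds(owner, key) for key in zone_dnskeys}
    if derived & set(parent_ds):
        return "secure"    # a served DNSKEY matches a published DS
    return "bogus"         # DS with no matching DNSKEY: validators answer SERVFAIL

# Constructed sample data (placeholder zone, made-up algorithm 13 key bytes).
ZONE = "example.com"
KEY_A = dnskey_rdata(257, 3, 13, bytes(range(64)))
KEY_B = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
DS_A = make_ds(ZONE, KEY_A)

if __name__ == "__main__":
    cases = [
        ("DNSSEC enabled at the DNS host, no DS yet", [], [KEY_A]),
        ("DS at registrar, zone serves no DNSKEY", [DS_A], []),
        ("DS at registrar, zone serves a different key", [DS_A], [KEY_B]),
        ("DS at registrar matches the served key", [DS_A], [KEY_A]),
    ]
    for label, ds_set, keys in cases:
        print(f"{label}: {chain_state(ZONE, ds_set, keys)}")
```

The second and third cases are the ones that take a site offline for validating resolvers, which is why the DNSKEY should be confirmed as served before the DS goes in at the registrar.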

