Site is down after changing the nameservers to Cloudflare

Dear Community
Our website Apex News has been down since we configured the Cloudflare name servers. Kindly help.
Regards

You must fix the DNSSec problems with your domain.

$ resolvectl query apexnewsindia.com
apexnewsindia.com: resolve call failed: DNSSEC validation failed: no-signature

The domain doesn’t have DNSSEC enabled at the registrar, but it does have it set at Cloudflare’s end.

I wouldn’t have expected this to cause any trouble if it wasn’t set up at the registrar.

https://dnsviz.net/d/apexnewsindia.com/dnssec/

The MX record resolves, as does the A record for what the MX record points to.

I just figured they don’t have DNS records for the apex or www.

While there are DNSKEY records:

$ dig DNSKEY apexnewsindia.com

; <<>> DiG 9.16.27-Debian <<>> DNSKEY apexnewsindia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7831
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;apexnewsindia.com.             IN      DNSKEY

;; ANSWER SECTION:
apexnewsindia.com.      115     IN      DNSKEY  257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
apexnewsindia.com.      115     IN      DNSKEY  256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==

;; Query time: 0 msec

Seemingly, the missing DS record appears to be causing a DNSSec issue with domain resolution.

I would hope that wouldn’t be the case. In my test I just started, I enabled DNSSEC in my dashboard. Now CF is waiting for me to complete setup at my registry. In the meantime, my DNSSEC keys got set up. I would be disappointed if that broke my domain’s DNS if it took me a while to get the DS records deployed.

Before:

dig DNSKEY DOMAIN.com

; <<>> DiG 9.10.6 <<>> DNSKEY DOMAIN.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

After:

% dig DNSKEY DOMAIN.com

; <<>> DiG 9.10.6 <<>> DNSKEY DOMAIN.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

I wouldn’t necessarily think so, but the errors I got in different tests were all showing something about having no signature (DS). So, not sure though.

Interestingly though, in your test there, you’re not getting any DNSKEY records returned even though it’s enabled? DNSKEY records were returned for the OP’s domain along with the error about a failed DS.

Never mind, I’m slow… I just reread your results. ANSWER: 2.

Thanks for your reply,
What if I cancel the DNSKEY setup at Cloudflare and don’t update it at the domain registrar… Will the website start working?
I disabled the DNSKEY settings at Cloudflare because GoDaddy does not allow adding such settings… but my website is still down…

My domains are registered with GoDaddy and I’m using DNSSec with them.

Log in to GoDaddy and from the My Products page, under Domains, click the 3-dots in the upper-right of the domain you want to manage, and select Manage DNS. Under DNS Records, near the upper-right, click the 3-dots, and select DNSSEC.

That will take you to the DS Records page. Once there, you can add/edit/remove DS records.

I can’t add DS records on the domain, and GoDaddy provides the DS record add/update facility only with the Premium DNS plan…
I disabled that option on Cloudflare, but the website is still not online…

You don’t need to be using their DNS. I don’t use their DNS for anything. I’ve never purchased their Premium DNS. All DNS is handled by Cloudflare for my domains.

Thanks for your reply, but once I disabled that DNSSEC option on CF, why is the website not online? Kindly help.

@sdayman has pointed out the issue in the first response already.

Thanks, but I am still confused about what he pointed out. Kindly clarify.

What is unclear about his response?

He pointed out that “I just figured they don’t have DNS records for the apex or www.” What does that mean, when I already updated the CF nameservers and the DNS details are automatically updated at CF? Kindly help.

Do you have an A record under DNS Management for your domain/zone?

Yes, at CF dashboard there are 4 A records

Perhaps, @sandro can better help you with it.

There are DNSKEY records published, but that itself shouldn’t cause the issue you’re having.

$ dig DNSKEY apexnewsindia.com

; <<>> DiG 9.16.27-Debian <<>> DNSKEY apexnewsindia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29661
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;apexnewsindia.com.             IN      DNSKEY

;; ANSWER SECTION:
apexnewsindia.com.      2057    IN      DNSKEY  256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
apexnewsindia.com.      2057    IN      DNSKEY  257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==

Domains with DNSKEY records, and no corresponding DS record, should just come back as “Data is authenticated: no” when queried. However, the DNS resolution is failing with a DNSSEC error:

$ resolvectl query apexnewsindia.com
apexnewsindia.com: resolve call failed: DNSSEC validation failed: no-signature
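
The distinction drawn in the last post (DNSKEY published with no DS at the parent should only be unauthenticated, while `no-signature` is a hard validation failure) can be checked from three `dig +dnssec` answer sections. This is an added example, not part of the original thread; it goes slightly beyond the thread by also flagging a DS whose key tag matches no DNSKEY, it assumes an empty DS answer means the parent proved the DS absent, and the `example.test` records, key and digest are constructed sample data.

```python
import base64
import struct

def key_tag(flags, proto, alg, b64key):
    """Key tag over the DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(b64key)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def records(dig_text, rtype):
    """RDATA fields of every `rtype` record in dig answer-section text."""
    out = []
    for line in dig_text.splitlines():
        f = line.split()
        if len(f) > 4 and not line.startswith(";") and f[2] == "IN" and f[3] == rtype:
            out.append(f[4:])
    return out

def classify(parent_ds, zone_dnskey, answer):
    """How a validating resolver treats the zone, judged structurally."""
    ds_tags = {int(r[0]) for r in records(parent_ds, "DS")}
    if not ds_tags:
        # No DS at the parent: zone is unsigned to validators, DNSKEYs are ignored.
        return "insecure"
    keys = records(zone_dnskey, "DNSKEY")
    # dig splits long base64 keys with spaces, so rejoin the trailing fields.
    tags = {key_tag(int(k[0]), int(k[1]), int(k[2]), "".join(k[3:])) for k in keys}
    if not ds_tags & tags:
        return "bogus: DS matches no DNSKEY"
    if not records(answer, "RRSIG"):
        return "bogus: no-signature"
    return "signed"  # chain is present; signatures and DS digest still need verifying

# Constructed sample data (not the thread's domain or keys).
KEY = base64.b64encode(bytes(range(64))).decode()
DNSKEY = f"example.test. 3600 IN DNSKEY 257 3 13 {KEY[:56]} {KEY[56:]}"
TAG = key_tag(257, 3, 13, KEY)
DS_OK = f"example.test. 3600 IN DS {TAG} 13 2 {'ab' * 32}"  # dummy digest, not checked
DS_STALE = f"example.test. 3600 IN DS {(TAG + 1) & 0xFFFF} 13 2 {'cd' * 32}"
A_PLAIN = "example.test. 300 IN A 192.0.2.10"
A_SIGNED = (A_PLAIN + "\nexample.test. 300 IN RRSIG A 13 2 300 "
            f"20300101000000 20291201000000 {TAG} example.test. c2lnbmF0dXJl")

if __name__ == "__main__":
    for label, ds, ans in [("DNSKEY only", "", A_PLAIN), ("DS, unsigned answer", DS_OK, A_PLAIN),
                           ("stale DS", DS_STALE, A_SIGNED), ("full chain", DS_OK, A_SIGNED)]:
        print(f"{label:22} -> {classify(ds, DNSKEY, ans)}")
```

Only the first case resolves for clients behind a validating resolver without the AD flag; both "bogus" cases surface as resolution failures such as the `resolvectl` error quoted in the thread.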