We have transferred over our domain https://gammax.exchange from Google Domains about 10 days ago. After the transfer completed we changed the nameservers and started to wait for propagation. After it didn’t propagate fully I noticed the suggestion to make sure the old registrar didn’t have DNSSEC set. When we went back to the account the domain or that setting was not accessible.
Oddly this link shows we are propagated DNS Checker - DNS Check Propagation Tool but this one shows that we aren’t https://www.whatsmydns.net/#A/gammax.exchange. Not sure if this has anything to do with it.
Does anyone have any ideas what could be going on?
There’s DNSSEC errors with the domain.
➜ ~ delv gammax.exchange
;; broken trust chain resolving 'gammax.exchange/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for gammax.exchange.)
;; QUESTION SECTION:
;gammax.exchange. IN A
Is DNSSEC enabled in Cloudflare?
I believe it was pending last time I looked. I assume I should make sure it is disabled?
I verified that it was enabled but was pending. I cancelled the setup.
I am still seeing errors when I follow the link you sent over @KianNH
I have tried deleting my A Record and CNAME for www and recreated them without the proxy turned on to see if this helps. Waiting now for it to propagate.
I found after doing the Cloudflare diagnostic test that I am getting an error “hostname_mismatch”, but I have not been able to create a SSL cert on my host Cloudways since the domain is not propagated enough. The Universal SSL is set up on the Cloudflare side.
The site is still showing the same DNSSEC errors as before for me.
From your original message, I assume you had DNSSEC setup when you transferred - and it sounds like it’s now stuck & needs a nudge.
Open a ticket with Cloudflare support & the registrar team should be able to get it sorted pretty quickly.
I will do that. Thanks for the input!
I see the team was able to delete the old DNSSEC records, and your zone is now finally resolving.
Yes, this just happened! Hallelujah!
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.