Stuck Pending While Setting Up DNSSEC On Cloudflare Registrar


#1

Hi there,

I’ve recently transferred all my domains over to Cloudflare, and decided to also turn on DNSSEC (as my previous registrar did not support Algo 13).

I’ve turned it on in the DNS Panel of CloudFlare and added the DS Records as required - but so far, all the domains seem to be stuck with the error of for the past few hours: “DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.”

As my registrar is now Cloudflare Registrar, I would’ve assumed the feature would have worked natively - is there anything I’m missing, other than turning DNSSEC On, and add the required DS Record to my DNS Records?


#2

My expectation here is that once I enable DNSSEC for a domain using Cloudflare Registrar is that the DS records are added to the parent automatically, with no further action needed. I do not think adding DS records in your Cloudflare zone is doing anything here, the DS records need to be one level up the DNS. Adding DS records to your own zone is relevant if you have child domains. (DS records for example.com are added to the .com zone file, not to the example.com zone file)

The question is whether we are awaiting an update to the UI, or is there a missing element in the Registrar build which ties enabling DNSSEC with adding DS records to the parent zone?


#3

Same issue:

Adding DNSSEC to a domain that previously didn’t have DNSSEC enabled doesn’t work. I’m sure @SamRhea and the Registrar team are working on it.


#4

Hi everyone - Sam from the Registrar team here.

We’re working this week to make setting DNSSEC seamless, there’s some work that remains to complete that. Thanks for your patience - won’t be long.


DNSSEC needs fixing on cloudflare registrar
#5

Hey @SamRhea! Thank you so much for the update! Glad to know it’s in the works, I was thinking I wasn’t doing the configurations properly on my side and such, haha. Cheers!


#6

I also just encountered this. Great to hear that this is being worked on.


#7

Good to know that it is undergoing,
but a little weird that CloudFlare would skip the most important function to rush out preview invitations…


#8

This whole rollout seems to be rushed and not what I would expect from Cloudflare. At best this rollout should be considered a failure. Kinda makes me second guess the $120k contract we are about to sign.


#9

Same here, and I find it quite annoying as I thought using CF for DNS and Registrar should work more flawlessly then doing the DNSSEC-stuff by hand.


#10

I am Still waiting … My domain transfer reason is DNSSEC but not working. Hopely register team fix soon.


#11

I have a few domains with you as the registrar. So, if I manually enable DNSSEC and copy the entries into the DS records , a) will it work?; and b) will it be migrated once you have this automatically populate the DS records with domains with your own registrar?


#12

Hi everyone! We’ll be rolling out a fix next week that automatically picks up the DS records you create in that enablement tab and sets them with the registry. No manual input required.


#13

Manually didn’t work for me - do to fact that some of the fields needing entered did not correlate to what was needed to create record. This may just be user error. But it seems like a simple copy and paste job and then hit enter - if data given propagates entry fields properly.

I’m trying to patiently wait for the update to put this process in auto wash mode. To even try to do this manually you need 2 windows open to achieve the copy and paste.


#14

Thanks, @SamRhea,

What about domains that already clicked “Enable DNSSEC”? Will the fix pick them up too (i.e. you run a query for all DNSSEC pending domains where Registrar is CloudFlare and push their pending DS settings to the registry), or would one have to disable and re-enable DNSSEC, because the process is event based (enabling enters domain into some queue for execution)?

Thanks! :slight_smile:


#15

Yes - we will still pick it up. We’re using CDS CDNSKEY scanning, which is not event-driven as much as it is read-driven, so you’ll be able to set it without needing to trigger it a second time.


#16

Great :slight_smile:


#17

I initiated DNSSEC but it got bugged out. :disappointed:

bug

It is stuck at

DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour.

The ‘DS Record’ link is not there like on other sites I have. So I don’t have it to set it on my domain name provider.

Canceling Setup also does not work.

API Request Failed: PATCH /api/v4/zones/6ce4707af8615d4735b4bdd6193d5a4a/dnssec (500)

The domain I have problems with is
slawa.net
zone id: 6ce4707af8615d4735b4bdd6193d5a4a

Here is the API reply:
https://api.cloudflare.com/client/v4/zones/6ce4707af8615d4735b4bdd6193d5a4a/dnssec

{
    "result": {
        "status": "pending",
        "flags": null,
        "algorithm": null,
        "key_type": null,
        "digest_type": null,
        "digest_algorithm": null,
        "digest": null,
        "ds": null,
        "key_tag": null,
        "public_key": null,
        "modified_on": "2018-07-11T09:36:11.294925Z"
    },
    "success": true,
    "errors": [],
    "messages": []
}

There was an update to the Cloudflare Dashboard and the issue has been fixed. I could cancel DNSSEC and re-enabling it went well this time.


#18

Still not working here today. Tried many times to cancel and restart… wait an hour, wait 4 hours, etc… nothing.


How to enable DNSSEC when Cloudflare is the registrar
#19

I haven’t had process auto complete yet. Figured there would be an announcement when new feature went live.


#20

Well… I just transferred a domain from Google Domains to Cloudflare registrar. And well… yes… the DNSSEC doesn’t work as Cloudflare promised (in 10 minutes or 1 hour or so). Guess what? Google Domains can complete propagating DS to gTLD zone several seconds without bothering any DNSSEC, DNSKEY, RRset, DS records blah blah blah.
I am not seriously blaming at Cloudflare’s DNS technical support team… but… sigh~