"The site does not have any DNSSEC records" -- but DS record looks good

We’ve successfully added DNSSEC records to half a dozen domains the past few days, but we keep getting a no_dnssec_found for one of them in the Health Check – even though the DS record is ‘Looking Good’ as you can see in the screenshot, and DS Records in Godaddy look correct as well.

What could be the issue here?

…also, the Health Check seems to be contradicted by this message:

…also #2: The site itself is dead: Uploaded content doesn’t show, and it displays a broken lock.

When trying to reinstall the certificate on Godaddy, we get the message below, don’t know what it means. The top URL is mail.[domain]; the next is the site itself. If we click the latter, we get a yellow-framed warning against our site.

I’ve had Cloudflare say DNSSEC is ok when it really wasn’t (due to my own tampering).

Best bet is to try some DNSSEC tests:
http://dnssec-debugger.verisignlabs.com/

https://dnsviz.net/

Hi,
Thank you very much! The first link returned all green results except this yellow warning:

"All Queries to demand.gamma.aridns.net.au for [domain]/DS timed out or failed"

The second link gave us 4 Warnings:

[domain]/DS (alg 8, id 28576): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
[domain]/DS (alg 8, id 28576): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
[domain]/DS (alg 8, id 28576): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
[domain]/DS (alg 8, id 28576): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.

I’m afraid I don’t understand any of these warnings. On Godaddy, we pasted all the data exactly as they were listed on Cloudflare; Digest Type 2, Algorithm 13, Key Tag 2371, plus the correct Digest.

I spent half an hour with Godaddy’s support, their conclusion was that the installed Certificate was wrong. We reinstalled it, but it didn’t make any difference.
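The two reports above do not agree with each other: dnsviz sees a DS at the parent with algorithm 8 and key tag 28576, while the values copied from the Cloudflare dashboard into GoDaddy were algorithm 13 and key tag 2371. The check that settles this kind of question is to derive the DS from the DNSKEY the zone actually serves (RFC 4034 key tag, RFC 4509 SHA-256 digest) and compare it with every DS the registrar publishes. The following is an added example, not code from this thread, from Cloudflare or from GoDaddy, that does exactly that with the Python standard library. The owner name example.gold and the key bytes are constructed placeholders, and the "registrar" DS set is built inline to mimic the shape of the dnsviz output above; none of it is real data.

```python
"""DS-vs-DNSKEY consistency check.

Added example for this thread; standard library only. The zone name, the
DNSKEY bytes and the "published" DS set below are constructed so the script
runs offline; they are not the poster's domain or keys.
"""
import base64
import hashlib
import struct

DIGEST_SHA1 = 1      # prohibited for new DS records (dnsviz warns about it)
DIGEST_SHA256 = 2    # what Cloudflare hands out and what registrars expect
_HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except legacy RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   key_b64: str, digest_type: int = DIGEST_SHA256) -> dict:
    """The DS record the parent/registrar should hold for this DNSKEY.

    RFC 4034 section 5.1.4: digest = hash(owner name wire form | DNSKEY RDATA).
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = _HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def check_ds_set(owner: str, published_ds: list, dnskeys: list) -> list:
    """One status per published DS, compared against the zone's DNSKEYs.

    'ok'              a current DNSKEY produces exactly this DS
    'stale'           no DNSKEY produces it (old provider's DS, typo, wrong key)
    'sha1-deprecated' it matches, but uses the SHA-1 digest dnsviz flags
    """
    computed = set()
    for k in dnskeys:  # k = (flags, protocol, algorithm, key_b64)
        for dt in (DIGEST_SHA1, DIGEST_SHA256):
            ds = ds_from_dnskey(owner, *k, digest_type=dt)
            computed.add((ds["key_tag"], ds["algorithm"], dt, ds["digest"]))
    statuses = []
    for d in published_ds:
        key = (d["key_tag"], d["algorithm"], d["digest_type"], d["digest"].upper())
        if key not in computed:
            statuses.append("stale")
        elif d["digest_type"] == DIGEST_SHA1:
            statuses.append("sha1-deprecated")
        else:
            statuses.append("ok")
    return statuses


# Constructed sample input: a KSK (flags 257) for algorithm 13 (ECDSAP256SHA256)
# whose 64 key bytes are a fake blob, NOT a real public key.
ZONE = "example.gold."  # hypothetical name, not the poster's domain
CONSTRUCTED_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode("ascii"))

if __name__ == "__main__":
    current = ds_from_dnskey(ZONE, *CONSTRUCTED_DNSKEY)
    # Constructed "registrar" DS set: the DS for the current key plus a leftover
    # entry shaped like the one in the dnsviz output (alg 8, tag 28576); its
    # digest is a placeholder, not a real value.
    published = [current,
                 {"key_tag": 28576, "algorithm": 8, "digest_type": 2, "digest": "00" * 32}]
    for d, status in zip(published, check_ds_set(ZONE, published, [CONSTRUCTED_DNSKEY])):
        print(f"DS {d['key_tag']} {d['algorithm']} {d['digest_type']} ...: {status}")
```

Feed it the DNSKEY RRset from `dig +dnssec DNSKEY <zone>` (the `dnskeys` list) and the DS RRset from `dig DS <zone>` at the parent or from the registrar's panel. Any entry reported as stale is a DS that the current keys cannot produce, which is exactly the situation in which a checker at the parent reports one key tag and the child's provider reports another; SHA-1 entries are the ones dnsviz flags as prohibited. RFC 4034 section 5.4 publishes a DNSKEY/DS pair (key tag 60485) that can be run through it as a sanity check.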

That may be the issue. Is your domain under the .au ccTLD?

No, it’s .gold. As far as I know, that shouldn’t be an issue.

Aside from the scary warnings, is anything not working?

Nothing’s working. :slight_smile: If we upload content to the site, it doesn’t show. When I type the URL in a browser, there’s a broken lock. If I type the URL with https in front of it, we get these yellow-framed warnings: Warning: Potential Security Risk Ahead

Is that domain name even pointing to Cloudflare name servers? And the hostnames are set to :orange: Proxied? The actual domain name would help us troubleshoot.

Can we wait a little bit with the actual domain name? :slight_smile: I don’t think I’m allowed to post that here, but I can check later if required.

There are yellow clouds and ‘Proxied’ all the way down below “Proxy Status”.

The bottom screenshot is from Godaddy, the rest are from Cloudflare’s Health check:


Being very new to this, I don’t know if this is relevant but the particular domain – let’s say, Domain.gold – is currently the Primary Domain on a shared Godaddy hosting account.

Which means that in Godaddy’s CPanel, there’s a broken RED lock next to Domain.Domain.gold while there’s an intact GREEN lock next to Domain.gold itself.

So I’m thinking if we should also add Domain.Domain.gold to Cloudflare – or if that even makes sense, given that we already added *.Domain.gold…

On the screenshot you shared it says you have a self-signed cert. This would not be the case if the zone was active on Cloudflare.

Are the nameservers that Cloudflare show on your dashboard nia and Sam?

You are allowed to share the domain if you want. And sharing it would make investigations really quick.


Hi Michael,
Regarding the SELF SIGNED cert message: I only saw that now. I have no idea why we get that message; we followed the exact same SSL procedure (described here: "Cloudflare origin CA free SSL installation guide on Godaddy", Digital Candy, a web agency based in Hong Kong) with this domain as with half a dozen other domains this week that work as expected.

Regarding the actual domain; what I meant was that we’re a couple of guys who co-own these domains and we’re not authorized to publish exact URLs and such as the sites in question are not yet launched.

If you’re using a Cloudflare origin CA and getting that yellow warning screen, then it sounds like your site isn’t :orange: Proxied by Cloudflare DNS. But without knowing the actual domain name, we can’t check this. It’s possible your local ISP’s DNS isn’t up to date.

I’ll check about the actual domain and get back asap.

Hi again, we can’t post the domain name until we’re going to launch the sites – which may be never at this rate :slight_smile: – so I understand if you can’t comment on this.

Here’s what happened, anyway:

We found what appears to be the main issue: Yesterday, I removed our previous SSL certificate, which had been installed by Godaddy last week.

So earlier today, I asked Godaddy’s supporter if it had in fact been completely deleted or if it might be part of this issue.

The supporter said it was completely removed. I checked now but it still ‘existed’ in some way, though it wasn’t attached to the site as such. So I used the ‘revoke’ option – and immediately all the warnings disappeared from our site. The following warning also disappeared: "All Queries to demand.gamma.aridns.net.au for [domain]/DS timed out or failed"

We still can’t use the site though, as it simply doesn’t display any content we upload. When we try to log into the domain itself via Filezilla using the domain as Host, Filezilla lists an IP address that’s not ours. So we can only open the site using Filezilla if we type our correct IP address instead of .gold domain as Host.

So it’s like the domain has been pointing to a wrong IP address since we switched to Cloudflare. I wanted to check A Records in Godaddy, but that’s no longer possible because the site is now on Cloudflare.

In other words, there are a good deal of gotchas and catch-22s going on, so we probably have to choose if we’re staying with Godaddy or Cloudflare, and if it’s the latter I’m not really sure what we should use instead of Godaddy in order not to repeat any of this…

You should probably back up a bit and toggle “Pause Cloudflare on Site” from the overview page, lower right corner. Give it five minutes to take effect. Then make sure your site gets up and running with HTTPS using the DNS records you have here at Cloudflare.

Once that’s working, you can turn off “Pause Cloudflare on Site”.

Thank you again! We followed your suggestions, paused Cloudflare and sat on our hands for at least five minutes :slight_smile: – after which our own IP address automagically appeared in FileZilla again as expected when we used our Domain in the Host field.

We could also transfer files to that domain.

But the transferred content still doesn’t appear on the site itself.

It’s peculiar: Our other domains work flawlessly with their new Cloudflare SSLs – which is why we decided to delete Godaddy’s SSL on this domain in the first place.

But Godaddy’s supporters clearly let us understand that anything Cloudflare is off limits, so there’s no way around choosing one company or the other as we can’t proceed without hosting support.