Unable to resolve a domain using Cloudflare DNS

When we manually change our DNS to ‘1.1.1.1’ or ‘1.0.0.1’, we cannot resolve ‘invisibleproject (DOT) org’. We’ve attempted this using multiple ISPs in the Minneapolis area.

The website ‘invisibleproject (DOT) org’ resolves normally when using other providers such as Quad9 (9.9.9.9), Google (8.8.8.8), or residential Comcast DNS.

I have not been able to successfully contact the webmaster of this site. Based on the domain registration info of ‘invisibleproject (DOT) org’, they are a Cloudflare customer.

Image of nslookup from Windows 10 (Minneapolis region)

Is Cloudflare able to assist with figuring this out?

This is an issue with the DNSSEC on your domain.

The error "..no SEP matching the DS found for invisibleproject.org." appears on a dig query and according to the official spec it means that your domain is missing a proper DNSKEY record.

According to the Cloudflare DNSSEC documentation (code 9) you’ll need to add a proper DNSKEY entry and make sure the DS record at your registrar is correct.

Greetings,

Thank you for asking.

At first sight, it seems to me like an issue with DNSSEC?

I hope they got your message. I’d also just suggest, they should open up a ticket at Cloudflare Support to double-check this for them, just in case.

Thanks for the reply. I’m curious why this issue occurs only when using Cloudflare’s DNS and not any of the other providers? This domain’s registrar is Cloudflare.

I do remember a few similar topics here where domains weren’t resolving on 1.1.1.1 while it was OK on others.

Nevertheless, here it seems like a DNSSEC issue, but each case is different, and what I can do, if that’s your case too, is suggest that you write a ticket to Cloudflare Support about your account and/or domain issue and share the ticket number here with us so we can escalate this issue:

  • Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button. If you get an automatic reply, reply to it, indicate that you need more help, and reference this topic
  • Or send an e-mail to support[at]cloudflare[dot]com from the e-mail address associated with your Cloudflare account

The domain also does not seem to resolve on OpenDNS for reason ‘EDE: 6 (DNSSEC Bogus)’.
Here is a DNSViz: https://dnsviz.net/d/invisibleproject.org/dnssec/
@mvavrusa

All public DNS servers seem to resolve it except Cloudflare and OpenDNS: https://digwebinterface.com/?hostnames=invisibleproject.org%0D%0A&short=on&ns=all
There is something wrong with the domain’s DNSSEC though.

The DS record has a private algorithm (254) that is not supported. While other resolvers choose to downgrade to disable DNSSEC validation, our implementation doesn’t.

❯ kdig @199.19.56.1 invisibleproject.org ds +short
2371 254 2 55DBE72154765CE3A069AEE5E58A780F705F61848E40F22D1FBC731099D5BFF3
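
The difference in resolver behaviour described in the last post, as an added example that is not part of the thread and not any resolver's actual code: it parses the DS record shown above and classifies the delegation under the two policies. The supported-algorithm set and all function names are assumptions; treating a DS RRset with no supported algorithm as insecure follows RFC 4035 section 5.2.

```python
# Added example: simplified model of DS handling, not any resolver's real code.
from dataclasses import dataclass

# Assumption: algorithms a typical validator implements (IANA DNSSEC numbers).
SUPPORTED_ALGS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                  14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
PRIVATE_ALGS = {253: "PRIVATEDNS", 254: "PRIVATEOID"}
# Digest type -> (name, digest length in bytes)
DIGESTS = {1: ("SHA-1", 20), 2: ("SHA-256", 32), 4: ("SHA-384", 48)}

# DS record for invisibleproject.org as quoted in the thread.
PAGE_DS = ("2371 254 2 "
           "55DBE72154765CE3A069AEE5E58A780F705F61848E40F22D1FBC731099D5BFF3")

@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    @property
    def usable(self):
        """True if this validator knows the algorithm and the digest is well formed."""
        d = DIGESTS.get(self.digest_type)
        return (self.algorithm in SUPPORTED_ALGS and d is not None
                and len(self.digest) == d[1])

def alg_name(number):
    return SUPPORTED_ALGS.get(number) or PRIVATE_ALGS.get(number) or "unsupported"

def parse_ds(line):
    """Parse DS rdata as printed by `kdig ... ds +short`: tag alg digest-type hex."""
    tag, alg, dtype, *hex_parts = line.split()
    if not hex_parts:
        raise ValueError("missing digest")
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hex_parts)))

def classify(ds_lines, downgrade=True):
    """Return how a validator treats a delegation, given its DS RRset."""
    rrset = [parse_ds(l) for l in ds_lines if l.strip()]
    if not rrset:
        return "insecure"      # no DS at all: unsigned delegation
    if any(ds.usable for ds in rrset):
        return "validate"      # a matching DNSKEY (SEP) must exist, or the answer fails
    # No DS uses an algorithm this validator implements.
    return "insecure" if downgrade else "bogus"

if __name__ == "__main__":
    ds = parse_ds(PAGE_DS)
    print(ds.key_tag, alg_name(ds.algorithm), classify([PAGE_DS]),
          classify([PAGE_DS], downgrade=False))
```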