When we manually change our DNS to ‘1.1.1.1’ or ‘1.0.0.1’, we cannot resolve ‘invisibleproject (DOT) org’. We’ve attempted this using multiple ISPs in the Minneapolis area.
The website ‘invisibleproject (DOT) org’ resolves normally when using other providers such as Quad9 (9.9.9.9), Google (8.8.8.8), or residential Comcast DNS.
I have not been able to successfully contact the webmaster of this site. Based on the domain registration info of ‘invisibleproject (DOT) org’, they are a Cloudflare customer.
Image of nslookup from Windows 10 (Minneapolis region)
Is Cloudflare able to assist with figuring this out?
The error "..no SEP matching the DS found for invisibleproject.org." appears on a dig query, and according to the official spec it means that your domain is missing a proper DNSKEY record.
According to the Cloudflare DNSSEC documentation (code 9) you’ll need to add a proper DNSKEY entry and make sure the DS record at your registrar is correct.
Thanks for the reply. I’m curious why this issue occurs only when using Cloudflare’s DNS and not any of the other providers? This domain’s registrar is Cloudflare.
I do remember a few similar topics here where domains weren’t resolving on 1.1.1.1 while it was OK on others.
Nevertheless, here it seems to be a DNSSEC issue, but each case is different, and what I can do, if that’s your case too, is suggest that you write a ticket to Cloudflare support due to your account and/or domain issue and share the ticket number here with us so we could escalate this issue:
Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button. If you get an automatic reply, reply to it, indicate that you need more help, and reference this topic.
Or send an e-mail to support[at]cloudflare[dot]com from the e-mail address associated with your Cloudflare account.
The DS record has a private algorithm (254) that is not supported. While other resolvers choose to downgrade to disable DNSSEC validation, our implementation doesn’t.
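
Both failures discussed in this thread (a DS with no matching SEP DNSKEY, and a DS that names private algorithm 254) can be checked offline before a DS is published at the registrar. The following is an added example, not code from the thread or from Cloudflare; the key, the owner name example.org, the SUPPORTED set and all function names are constructed assumptions.

```python
import base64, hashlib

# Assumption: algorithms a validator is taken to support here (not Cloudflare's list).
SUPPORTED = {8, 10, 13, 14, 15, 16}
PRIVATE = {253: "PRIVATEDNS", 254: "PRIVATEOID"}  # private-use numbers, RFC 4034 A.1
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: NOT a real key, just 64 bytes shaped like an algorithm 13 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def check_ds(owner, ds, dnskeys):
    """ds = (key_tag, alg, digest_type, digest_hex); dnskeys = [(flags, proto, alg, b64)]."""
    tag, alg, dtype, digest = ds
    if alg in PRIVATE:
        return f"unsupported: private algorithm {alg} ({PRIVATE[alg]})"
    if alg not in SUPPORTED or dtype not in DIGESTS:
        return f"unsupported: algorithm {alg}, digest type {dtype}"
    for flags, proto, kalg, b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, kalg, b64)
        if (flags & 1 and kalg == alg and key_tag(rdata) == tag
                and ds_digest(owner, rdata, dtype) == digest.upper()):
            return "ok: DS matches a SEP DNSKEY"
    return "broken: no SEP DNSKEY matches this DS"

if __name__ == "__main__":
    ksk = (257, 3, 13, SAMPLE_KEY)  # flags 257 = zone key + SEP bit
    rd = dnskey_rdata(*ksk)
    good = (key_tag(rd), 13, 2, ds_digest("example.org.", rd, 2))
    for ds in (good, (good[0], 254, 2, good[3]), (good[0] ^ 1, 13, 2, good[3])):
        print(ds[:3], "->", check_ds("example.org.", ds, [ksk]))
```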