Bought a domain, SERVFAIL "EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for example.com.)"
I just bought a domain but querying against 1.1.1.1 seems to not work:
Querying for DS records reveals this, but I haven't added it:
Any idea what is causing this, and how I can resolve it?
Two days ago
It seems it may have some old DNSSEC settings or similar from a previous owner?
Did you purchase the domain directly on Cloudflare Registrar?
Or did you purchase it at another registrar (if so: which one?) and then move the name servers to Cloudflare?
The second option, it’s a small registrar for an obscure TLD
Still, it’s a valid TLD where I configured Cloudflare nameservers, and I have successfully added it to my Cloudflare account
The stuff you quote above, e.g.
is indeed a DNSSEC record that you want to:
1. Get rectified (Preferred)
2. Get removed (You're then NOT protected by DNSSEC)
Any specific ccTLD you have that kind of experience with? I generally see many ccTLDs update often way faster than the generic ones. 🤔
But it would depend quite much on the delegation TTL from parent to child as well, and e.g. for the DNSSEC record above, the 86400 seconds which would mean at least 24 hours.
(That said, I'm also curious about which exact TLD it is, whether it is .com as in the example, or a completely different one)
It’s a ccTLD, .ax
The registrar says they can’t change anything except nameservers and that the issue must be with Cloudflare
Some ccTLD do not operate in the exact same kind of registrar way, as we see with .com/.net, -
But it was a completely new domain purchase, and not just a transfer from one registrar to another?
It’s a new purchase, the domain seems to have expired in December 2023
Can I figure out somehow if the issue is with the registrar or my Cloudflare configuration? I have another .ax domain (from another registrar) on Cloudflare and that has never had any issues
This is what DNSViz shows:
Description: Delegation from ax. to example.ax.
Status: BOGUS
Errors:
No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.
Can I remove DNSSEC and then re-configure? How?
The existing DS record is a problem with the domain registry, however, it is the domain registrar that takes care of the coordination of this DS record to the registry on behalf of the domain owner.
If you have any issues with it, it should be your registrar that would need to fix it, - unless of course they provide a way in their self service / control panels for you to do so on your own.
If they (your domain registrar) are unable to (which would sound very unlikely, and more likely that you've just got in touch with the wrong person), then it will be your domain registrar's duty, to escalate the issue up to the domain registry.
All that being said, -
This one would normally sound strange.
Digging a bit into the ax TLD though, it seems like there is another example, where a domain that according to https://whois.ax seems to be available for registration, already (or still) holds one or more DS record(s) in the parent registry, just like the example you seem to show.
thanks @DarkDeviL
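
An added example, not part of the thread: the check a validating resolver performs when it reports "no SEP matching the DS found", following RFC 4034 (DS digest over owner name plus DNSKEY RDATA, key tag per Appendix B). The key bytes, the `OLD_KSK`/`NEW_KSK` names and the stale-DS scenario are constructed for illustration; in practice the inputs come from `DS` and `DNSKEY` queries for the affected domain.

```python
import hashlib
import struct

DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type -> hash name

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    h = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata)
    return (key_tag(rdata), rdata[3], digest_type, h.hexdigest())

def find_sep(owner, ds_set, dnskeys):
    """DNSKEYs in the child zone that some DS record at the parent points to."""
    wanted = [(t, a, d, dig.lower()) for t, a, d, dig in ds_set]
    return [k for k in dnskeys for ds in wanted if make_ds(owner, k, ds[2]) == ds]

# Constructed sample data: two fake 64-byte algorithm-13 keys.
OWNER = "example.ax."
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))       # key no longer served
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))  # key the zone serves now
STALE_DS = [make_ds(OWNER, OLD_KSK)]  # what the registry still publishes
FIXED_DS = [make_ds(OWNER, NEW_KSK)]  # what the registrar should submit

if __name__ == "__main__":
    for label, ds_set in (("stale DS", STALE_DS), ("fixed DS", FIXED_DS)):
        sep = find_sep(OWNER, ds_set, [NEW_KSK])
        print(label, "->", "secure entry point found" if sep else "BOGUS: no SEP")
```

An empty result with a DS present at the parent means the mismatch sits in the registry's DS set, which only the registrar or registry can change.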