Enabling DNSSEC failed: Failed to add DS record at registrar - invalid digest value
"Invalid digest value from the name server for DNSSEC record 1" is the error message my registrar passed on to me. I'm not sure what to do now. I've cross-checked the DS record configuration details sent to them with the ones specified on Cloudflare dashboard under the domain name, and confirmed that all is accurate.
What I've done:
1. registered the domain name at my registrar
2. had the appointed Cloudflare NS records added at the registrar, which in turn turned the domain name's status active on Cloudflare
3. toggled DNSSEC to enable it
4. sent the DS record configurations to be added at my registrar
Could it be that Cloudflare DNSSEC for my ccTLD (.com.bn) isn't supported? TIA for anyone who may have any insight on what could have gone wrong
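As an added check, not code from the original thread or from Cloudflare: recompute the DS digest from the zone's DNSKEY (algorithm 13 with digest type 2, as in the question) and sanity-check the digest string's format before sending it to the registrar, so a mismatch or a malformed value can be caught on your side first. Owner name and key bytes used when running it are constructed assumptions.

```python
import base64
import hashlib
import struct

# Added example (not Cloudflare's code): recompute/validate a DS record for a DNSKEY.
# Digest type -> (hashlib name, expected hex length): RFC 4034 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384).
DIGEST_TYPES = {1: ("sha1", 40), 2: ("sha256", 64), 4: ("sha384", 96)}

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format, RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), as lower-case hex."""
    algo, _ = DIGEST_TYPES[digest_type]
    return hashlib.new(algo, wire_name(owner) + rdata).hexdigest()

def check_ds_digest(digest_hex, digest_type):
    """Format problems a registry could reject as an 'invalid digest value'."""
    if digest_type not in DIGEST_TYPES:
        return [f"unknown digest type {digest_type}"]
    cleaned = digest_hex.replace(" ", "")
    expected = DIGEST_TYPES[digest_type][1]
    problems = []
    if len(cleaned) != expected:
        problems.append(f"digest has {len(cleaned)} hex chars, expected {expected}")
    if any(c not in "0123456789abcdefABCDEF" for c in cleaned):
        problems.append("digest contains non-hex characters")
    return problems

def ds_matches(owner, dnskey_text, submitted, digest_type=2):
    """dnskey_text is the presentation form 'FLAGS PROTOCOL ALGORITHM BASE64KEY'."""
    flags, proto, alg, key_b64 = dnskey_text.split(None, 3)
    pubkey = base64.b64decode("".join(key_b64.split()))
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), pubkey)
    return ds_digest(owner, rdata, digest_type) == submitted.replace(" ", "").lower()
```

Feed it the DNSKEY shown in the dashboard (or from `dig DNSKEY yourdomain`) together with the DS you sent; the key tag from `key_tag` should also equal the one in the DS record.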
What's the registrar/can you show the full configuration you're trying to apply at your registrar? Some Registrars make it annoying/confusing and mess with options
The registrar is BNNIC. We have no direct access to adding the records so any configurations are done through manual communication. I'll ask them about the full configuration in the attempt. Thanks!
Hey Chaika. So I've got a response back from them.
In short: they won't add the DS record because I'm using an external nameserver i.e. not opting for their DNS subscription.
Details of what's going on just for clarity: In response to them notifying me of the error pop up on their side, I asked them for more details on what they did on their end which led to the error message popping up, and whatever information they could give that might help with diagnosing the problem.
Specifically, I asked for the full configurations they attempted to apply at the registrar, and asked if they supported both algorithm 13 and type 2 digest, just to be sure. They disregarded those questions, and instead responded with
"...
Since the name server is pointing to the hosting provider and not UNN DNS, please advise to request DNS modification to the hosting provider
Hope the response answers your enquiry
..."
They did spend some time trying to add the DS record though, it seemed to me that the response given was partly only due to them not being able to do it :NotLikeThis:
UNN is the local telecom company handling the configurations
I've done a bit of snooping on other domain names under the country code tld including government, institutional websites, and couldn't find any that has DS records added. The bummer is that I don't think domain names under the cc tld can be registered in any other registrar than ones associated with them 🥲
hmm yea sounds like they're more confused on configuring it than anything else, basically have to convince them it's possible and all action needed is on their end. The TLD is bn, right? The root ccTLD itself is signed
yea dnssec has iffy adoption, not a perfect/too helpful security measure and lots of issues it can cause.
"The bummer is that I don't think domain names under the cc tld can be registered in any other registrar than ones associated with them 🥲"
Well that's how that relationship works. BNNIC isn't the Registrar, they're the registry, in charge of all operations for the extension. Since it's a ccTLD (Country code top-level domain), ICANN (who oversees all extensions) gives them a lot of power/doesn't really interfere much with their operations or force stuff on them. There are two Registrars according to wikipedia for bn, Imagine and Datastream Digital. BNNIC controls who can directly sell their domain/who can be a registrar for it. They're still the ones doing all the DNS Operations at the end of the day though, and approved registrars just push changes to them to apply
Ahh yes, the persons in Datastream Digital are the ones I'm dealing directly with; they are my registrar. Configuration requests are forwarded to either BNNIC and/or UNN. I'm not familiar enough with DNS to be sure who of the two handles which part of the whole thing
Oh well. Thanks though, I appreciate that you took the time to enlighten me with these information/confirmations. I'm more okay now knowing that nothing more can be done about the issue (from my side), and about DNSSEC not being too helpful anyway (due to what's going in my case, I've spent some time too reading a bit about it in the past several days 😂)
Yes, root TLD is bn
.com.bn, .edu.bn, .gov.bn, and so on are signed as well, though not the individual domain names (e.g., **.gov.bn) that companies/institutions register for