DNSSEC
I have migrated all of my DNS records for my domains from Network Solutions to CloudFlare and I have already updated NameServers so CloudFlare is now the authoritative DNS Registrar. I'm trying to enable DNSSEC but it has been 24 hours and it still says it is waiting for the DS records. I can't add DS records to Network Solutions because I've already updated nameservers. Do I need to add the DS record to the CloudFlare DNS or is that done automatically?
You need to add the ds records/dnssec info at your Registrar
?? can you elaborate on that? The Authoritative DNS registrar IS cloudflare
Do I need to add the record manually or is it automatically added?
There's no such thing as an "Authoritative DNS Registrar". There are two concepts here: the nameservers/DNS ("Authoritative Nameservers") for your website, and the registrar, who you registered the domain from. DNSSEC is special; you basically need to tell your registrar, "I'm enabling DNSSEC, push these keys to the TLD/higher authorities, so they know to tell resolvers what to trust."
If you're confused who your registrar is, what is your domain?
So the domain name still remains with Network Solutions, but CloudFlare hosts the records and the authoritative nameservers (which is what I meant by the authoritative DNS registrar). So because I have already changed the nameservers in Network Solutions to CloudFlare nameservers, I can no longer add a DS record to Network Solutions. So my question is: since CloudFlare now hosts the records, do I need to add the DS record to the domain under CloudFlare?
> So my question is since CloudFlare now hosts the records do I need to add the DS record to the domain under CloudFlare.

No, that part within CF is automatic. If Network Solutions is your Registrar, you need to go into their portal, on the domain registrar side, and look for DNSSEC setup. DNSSEC, just like nameservers, is just one of those "Registrar level" coordinated settings, essentially. Not too much on the internet about Network Solutions DNSSEC; looks like one user got it working: https://community.cloudflare.com/t/dnssec-cloudflare-and-network-solutions/375100/4
I'm not sure we are on the same page here. Network Solutions no longer has anything to do with the DNS records; those have been moved over and activated in CloudFlare, so DNS requests for the domain are now being answered by CloudFlare. I want to enable DNSSEC in CloudFlare for the records. When I go to do that it says it could take 10 minutes to an hour. That was 24 hours ago. So based off what you said above, CloudFlare should handle adding the record needed for DNSSEC since it is hosting the DNS records. Right?
DNS is a hierarchy. Sometimes records need to go higher. When you modify your nameservers at your Registrar, what it's actually doing is telling the TLD (for example `com`) nameservers "hey, start serving these NS records with these values, for this domain". If your domain is example.com for example, the hierarchy looks like this:

. (root):     example.com -> talk to the com nameservers
com:          example.com -> talk to the cloudflare nameservers
example.com:  example.com -> you're talking to the cloudflare nameservers, which have the authoritative answers
DS records need to be at the higher `com` (or whatever your TLD is) level too, which is why you have to go through your Registrar/tell them what DS records you want. For DNSSEC to work, both your Registrar/the TLD and your auth nameservers have to serve specific records. The Registrar/TLD tells DNS resolvers what to trust, and your auth nameservers respond with more DNSKEY information as well as signed records.
Think about it this way: how would DNSSEC be secure in any way if it was purely your nameservers who had to return the keys/info about it? The point of DNSSEC is to protect against MITM attacks and such; if you just trusted what the auth nameservers said, you'd be no better than not having it at all.
Might be a bit too much technical info/jargon, sorry if that doesn't make sense. What it simply boils down to is that you need to tell your registrar that you want to enable DNSSEC and with what keys (which is what the DS record is), so that the rest of the DNS system knows what to trust. Cloudflare does its part automagically, and you just need to do that part with your Registrar.
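The DS record discussed above is a digest of the zone's DNSKEY, so the value the registrar publishes at the TLD can be checked against the key the authoritative nameservers serve. The following is an added example written for this page, not code from the thread or from Cloudflare; it computes the expected DS (RFC 4034 section 5.1.4, SHA-256 digest type 2) from a DNSKEY and compares it with a DS string as printed by a registrar portal or `dig DS`. The DNSKEY used is a constructed sample with filler key bytes, and all function names are this example's own.

```python
import base64
import hashlib


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in owner.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (all algorithms other than the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def expected_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex) of the DS the parent zone should hold."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # Digest covers the canonical owner name followed by the DNSKEY RDATA (digest type 2 = SHA-256).
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def ds_matches(expected: tuple, published: str) -> bool:
    """Compare a published DS ("tag alg dtype hex", hex possibly split into chunks) with the computed one."""
    tag, alg, dtype, *digest_parts = published.split()
    return (int(tag), int(alg), int(dtype), "".join(digest_parts).upper()) == expected


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257, protocol 3) using algorithm 13 (ECDSAP256SHA256)
    # with four filler key bytes; a real key is longer, but the digest procedure is identical.
    ds = expected_ds("example.com.", 257, 3, 13, "AQIDBA==")
    print("DS the registrar should publish: example.com. IN DS %d %d %d %s" % ds)
    print("matches?", ds_matches(ds, "%d %d %d %s" % ds))
```

If the DS the registrar shows does not match the value computed from the live DNSKEY, resolvers that validate will treat the zone as bogus, which is the failure mode to check for before and after enabling DNSSEC.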