Propagation of dns servers did not work correctly
Hello,
I bought a .eu domain name on 21 December and changed my DNS servers to those of cloudflare. But I have a problem, my DNS servers are not propagating correctly and this has been going on for more than 4 days. How can I ensure that this propagation is carried out correctly? I've attached screenshots of my current propagation.
I've also bought the same domain name but in .fr and it's working perfectly.
What I've done: Contacted OVH to check that the problem wasn't with the domain, but after checking the DNS servers are correctly defined in the whois and the information is being transmitted correctly.
17 Replies
What's the domain name?
That looks like it could be a DNSSEC issue
DNSSEC is disabled
Domain name : hytools.eu
I deleted my domain from cloudflare and put it back, which made me change the dns servers again, which explains the different DNS servers than the one in the screenshots.
DNSSEC is enabled/configured at your Registrar, OVH, for an old DNS Host, looks like
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for hytools.eu.)
https://dnsviz.net/d/hytools.eu/dnssec/
You’ll want to either outright disable DNSSEC, or update your DNSSEC configuration with the information Cloudflare gives you:
https://developers.cloudflare.com/dns/additional-options/dnssec/
These changes to your DNSSEC Configuration can be done at your Registrar, OVH
DNSSEC · Cloudflare DNS docs
DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring requests are not routed to a spoofed domain.
Then you should reach out to your registrar support
it is still very much active, you can see it in the whois as well
I already contacted them this morning and they told me to get in touch with cloudflare because everything was fine with them.
The reason why some DNS Resolvers were "working" was because not all DNS Resolvers validate DNSSEC. Namely ISP operated Resolvers don't. But all of the popular public ones (OpenDns, Google, Cloudflare, Quad9) do
So DNSSEC has to be disabled?
Well you could try contacting them with the information that the panel shows dnssec is disabled but it isn't.
Sometimes Registrars offer their own DNS Servers and enable DNSSEC for them automatically which can muddle things
Could provide them with dnsviz link or output of whois
% WHOIS hytools.eu Domain: hytools.eu Script: LATIN Registrant: NOT DISCLOSED! Visit www.eurid.eu for webbased WHOIS. Technical: Organisation: OVH Language: fr Email: oles@ovh.net Registrar: Name: OVH SAS Website: https://www.ovh.com Name servers: gigi.ns.cloudflare.com aragorn.ns.cloudflare.com Keys: flags:KSK protocol:3 algorithm:RSA_SHA256 pubKey:AwEAAfAy/0y5KN9enMmP6aEi+cMzQQbTNAqOa5J/gpBEe3h+Ep60RMXAMUoca5Fa3g9ed5617K+UsaGXkyhMCrVu8KkznEGgo8gtSMo0A/s7r5ghDEazjOZGC4uSXELgMj7u2GVN5gURbpJFXrR/rvRoiE/uIMvHaeshJb/pESLZvTcSAWzrUBbeYTNv4SQJlIGCmmHjFnNbk0Aq9qfcvHLPx/4VnPHUKseERfx7uiFjuZ6FwJr3oHWcwXjrZxAUjhfP98L6YYHnLJsBGdMWHz3oC/wLTe2inbMOdAn+PHqu2sghOqxCn22idFpOaQsPvbYNk9EFKUllH2OIXdMr4hBbpf8=
OVHcloud
OVHcloud
Disabled or updated with the values Cloudflare gives you in their panel
it's an optional security feature
Could try enabling it & disabling it as well and seeing if that doesn't give it a kick to update, or just update it with Cloudflare's values for the extra security benefit
Under DNS -> Settings in Cloudflare is where you would find the values you configure at your Registrar. If you've already enabled DNSSEC you can click the "DS Record" drop down to get the information again
I don't have access to DS Record
An error occurred while loading DS records (Configuration with type "domain_ds_configuration" and domain "hytools.eu" was not found)
DS records management is not supported for this domain.
is that normal?
I have never used OVH's registrar before, so I have no idea. Generally you should be able to modify your DNSSEC settings for your domain though
It's possible you're modifying it under the wrong area, usually there's a "DNS" and a "Registrar" seperation if a registrar also offers DNS
I'll check with OVH and get back to you if I need anything.
Thank you very much for your advice 🙂
Sure no problem, DNSSEC can be annoying especially with the lack of feedback except from specific tools. You can click "Update Now" on https://dnsviz.net/d/hytools.eu/dnssec/ to see if it's been fixed once you get that sorted out, will probably take a bit for DNS Propogation/updates though. All of the bogus/red should go away
but why is DNSSEC blocking it?
DNSSEC is like saying "only trust responses from me if its signed with this cryptographic key"
Works to prevent MITM attacks
except in your case it's been misconfigured. The values at your Registrar != the values Cloudflare is signing them with. (because you never purposefully set it up). So DNS Resolvers that do validate DNSSEC (which isn't all) just think all of the answers from Cloudflare are bogus/being mitm'd
OK, I'll check with OVH and then come back here if necessary.