Why do I have to remove my DS record when signing up for Cloudflare?

DS records are part of DNSSEC. They reside on the parent side of a delegation and are served by the parent's name servers as part of a referral, establishing trust in the child side of the delegation.

The delegation signer (DS) resource record (RR) indicates that the delegated zone is digitally signed and that the parent has been informed that the indicated key is a valid zone key for the delegated zone.

Here is an example of how the chain from root to example.com flows through a chain of DNSKEY and DS records:

DNSKEY ==> com. DS (in root zone) ==> com. DNSKEY (in com. zone) ==> example.com DS (in com. zone) ==> DNSKEY (in example.com zone)

Why do I have to remove my DS record when signing up for Cloudflare?

Cloudflare now supports DNSSEC, so if a DS record is present at your registrar while using Cloudflare, you will run into connectivity errors such as SERVFAIL when using a validating resolver like Google, and NOERROR from non-validating ones.

Here is an example of what an error would look like:

╰─➤ dig dnssec-failed.org @
; <<>> DiG 9.8.3-P1 <<>> dnssec-failed.org @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5531
;dnssec-failed.org. IN A

Now that we have added support for DNSSEC, we will provide you with the DS record that must be uploaded to your parent should you choose to enable DNSSEC for your zone.
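Why a leftover DS record produces the SERVFAIL above, shown as an added example (not Cloudflare's code): a DS is a hash of one specific DNSKEY, so a DS computed from the previous provider's key cannot match whatever the new name servers publish. The keys are constructed sample bytes, `resolver_status` is a hypothetical helper, and the model checks only the DS-to-DNSKEY link, not RRSIG signatures.

```python
import base64, hashlib, struct

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], 2, digest)

def ds_matches(owner, parent_ds, child_dnskeys):
    """True if a DNSKEY served by the child zone hashes to the DS held by the parent."""
    return any(make_ds(owner, k) == parent_ds for k in child_dnskeys)

def resolver_status(validating, owner, parent_ds, child_dnskeys):
    """Simplified model: no DS means an unsigned delegation, a DS with no matching key fails."""
    if validating and parent_ds is not None and not ds_matches(owner, parent_ds, child_dnskeys):
        return "SERVFAIL"
    return "NOERROR"

# Constructed sample keys (not real zone keys): flags 257 = KSK, protocol 3, algorithm 13.
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
STALE_DS = make_ds("example.com", OLD_KSK)  # DS still published at the registrar

if __name__ == "__main__":
    print("stale DS:", STALE_DS)
    cases = [("old provider's key", [OLD_KSK]), ("new provider's key", [NEW_KSK]), ("unsigned zone", [])]
    for label, keys in cases:
        print(label,
              "| validating:", resolver_status(True, "example.com", STALE_DS, keys),
              "| non-validating:", resolver_status(False, "example.com", STALE_DS, keys))
    print("DS removed | validating:", resolver_status(True, "example.com", None, [NEW_KSK]))
```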

What happens when I remove the DS record?

When you remove your DS record, the process of phasing out DNSSEC validation will start. If you are an existing customer, this will not affect your ability to use Cloudflare. New customers will need to complete this step before they can successfully start using Cloudflare.
