DNSSec entries still affected on my domain even though i've disable


Hello As the title says, so i've disable dnssec on my domain few month back but when i check on dnssec analyzer my domain dnssec still enabled. so i can't issue let's encrypt ssl cert

I've make sure both on my route53 and on my domain registrar disabled DNSSEC Analyzer result

DNSSec configuration on Route53

DNSSec configuration on my domain registrar

Let's encrypt error due dnssec

asked a year ago316 views
4 Answers
Accepted Answer

Thank you for the information Gary, i did contact my registrar which is PANDI and they escalate the "stuck" ds record from their side.

answered a year ago
  • Thanks for the update and glad I could help. I would appreciate it if you accepted my answer as this helps me and others. Gary


I already delete the DS record on my domain registrar long time ago, but i'll contact them to check on their side. will be update soon after i got answer from them

answered a year ago

So I already contact my domain registrar and confirms that dnssec is already unsigned (disabled) Their response

answered a year ago
  • Hi Samdgea, I updated my answer with more information..Basicly the registrar needs to escalate this issue


Looks to me like there’s still a DS record at the registrar. In the screen shot NS-746 name server has an issue.

# DS Records 

| Domain Name | TTL | Key Tag | Algorithm | Digest Type | Digest | 
| Abdilah.id | 3600 | 54640 | 13 | 2 | 063B08C8F23150A315679A2EF6A220F5F56DA29DE738
AD51A32C5A071E1AE53B | 

I’ve read a few pages and it says to remove DS at the registrar and wait a day or 2 before removing dnssec from the zone.

Believe you need to check with your registrar to have this resolved

Update The registrar may say its disabled, however the Name servers for .ID still have DS records for your domain. Your registar needs to escalte this to Indonesian Internet Domain Name Administrator who manages the domain to clear down the stuck DS records. You could try to enable and disable DNSSEC again, it may help flush it through. OR Remove/put in fake the NS records for the domain, try DS lookup again and then put the real NS records back.

It looks like the registrar process to add and remove DS records failed


gary@thinkpad:~$ dig abdilah.id

; <<>> DiG 9.16.1-Ubuntu <<>> abdilah.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13114
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 61 62 64 69 6c 61 68 2e 69 64 2e ("..no SEP matching the DS found for abdilah.id.")
;abdilah.id.                    IN      A

;; Query time: 369 msec
;; WHEN: Thu Jun 29 08:40:30 BST 2023
;; MSG SIZE  rcvd: 89

gary@thinkpad:~$ dig abdilah.id DS

; <<>> DiG 9.16.1-Ubuntu <<>> abdilah.id DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57801
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;abdilah.id.                    IN      DS

abdilah.id.             3600    IN      DS      54640 13 2 063B08C8F23150A315679A2EF6A220F5F56DA29DE738AD51A32C5A07 1E1AE53B

;; Query time: 389 msec
;; WHEN: Thu Jun 29 08:40:57 BST 2023
;; MSG SIZE  rcvd: 97
profile picture
answered a year ago
profile picture
reviewed a year ago
  • I see the DS key has changed for your domain but DNS SEC Is still enabled for your domain

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions