DNSKEY Missing: validation failure

Yes, that's correct, Osiris. I have switched to Cloudflare, but before that I asked for a Let's Encrypt certificate with the Hetzner nameservers, which worked perfectly. Then came the switch to Cloudflare.

Ah, ok.. Maybe the DS RR was removed when switching? I dunno. Impossible to check currently. Or perhaps there was still a valid authorization lying around at the Let's Encrypt validation server. The cert issued on 2024-07-14 would be able to use the validation from the 2024-06-25 cert, as it was within 30 days.

Although I guess that wouldn't count, as CAA RRs need to be checked way more often and that would also lead to DNSSEC errors.. So I don't really have an explanation then.

2 Likes

O.K. Thanks anyway for trying to help me, guys, but it seems I have to wait for Monday (a damn long time until then; all pages and our e-mail server no longer work). A Cloudflare switch also seems not to be an option due to linkp.

1 Like

Does it have a negative impact on Google if you temporarily (3 days) deliver your website without https, only over http? Thinking about that.

Just forgotten: if Hetzner is able to delete the DNSSEC record, that means, according to your comment below, that I should use a different registrar, right? But that means I have to wait another 60 days?!

Please note that DNSSEC-enforcing resolvers will refuse to resolve your domain name entirely, so it's not only a matter of Let's Encrypt certificates, but of your site being reachable for a large part of the internet at large.

And that in turn means that Hetzner would be a very bad registrar. I almost can't believe it...

I would ask Google that question, as they would know how their internal workings work.

2 Likes

O.K. Thanks. You're right. And what about my questions regarding Hetzner and their DNSSEC issues?

2 Likes

I’ll leave that to more knowledgeable community volunteers.

1 Like

This statement from Osiris was only meant to alert you to the problem with your current setup. DNSSEC itself is not mandatory for any domain name. After the DS record has been removed from the com zone your domain will continue to work fine with any registrar you choose.

3 Likes

O.K. This sounds great. For me that means I can stick with Hetzner as a registrar. Thanks a lot for the answer, Nummer378!

3 Likes

I don't follow. If Hetzner deletes the DS RR from the .com zone, everything is good, right? Unless you want to have DNSSEC enabled, in which case you should change DNS provider. Not sure if you need to move both registrar and DNS service provider though, maybe @Nummer378 knows that. But if you're fine with having DNS without DNSSEC, you don't need to move.

Edit: It appears I was too slow..

Why? Where does this 60 days come from?

Personally I think every DNS provider should also provide DNSSEC. But probably most people don't care.

O.K. Not 60 days but 31 (sorry, Hetzner's message is only in German; translated here):
The domain cannot currently be transferred because it has not yet been in your possession for at least 31 days.

I believe this is referring to ICANN rules that mandate that registrars do not allow domain transfers for 60 days after taking over a domain (https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en). A whois history search indicates that the domain was transferred from OVH to Hetzner between 14 and 20 July 2024.

I suspect that this is also the cause of the issue: Hetzner itself doesn't support DNSSEC at all, so I would be surprised if Hetzner added the DS record. Rather, I suspect that OVH put the DS record in the .com zone, and neither Hetzner nor OVH removed it during the transfer. Hence, I would suggest talking to Hetzner ASAP, as they will need to fix this on their end.

4 Likes
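The failure mode described in the post above, a DS record in the parent zone that no DNSKEY at the current nameservers can satisfy, can be checked offline once you have both RRsets in hand. The following is an added example, not code from the thread or from any of the providers mentioned: it computes the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 §5.1, SHA-256 per RFC 4509) for a DNSKEY and reports which DS records in the parent are stale. The owner name and the two keys are constructed placeholders, not data from the thread.

```python
"""Detect DS records in a parent zone that no DNSKEY of the child matches.

Constructed example. OWNER, OLD_KSK and NEW_KSK are synthetic placeholders;
the algorithms implemented are the standard ones from RFC 4034 / RFC 4509.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS record (key_tag, algorithm, digest_type, digest) that would publish this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def stale_ds_records(owner, parent_ds, child_dnskeys):
    """Return every DS from the parent that no DNSKEY served by the child can satisfy.

    parent_ds:     list of (key_tag, algorithm, digest_type, digest_hex) from the parent zone
    child_dnskeys: list of (flags, protocol, algorithm, pubkey_b64) from the child's nameservers
    An empty child_dnskeys (no DNSKEY RRset at all) leaves every DS stale, which is the
    condition a validating resolver reports as a missing DNSKEY / bogus delegation.
    """
    computed = set()
    for flags, proto, alg, key in child_dnskeys:
        for dtype in DIGEST_ALGS:
            computed.add(ds_from_dnskey(owner, flags, proto, alg, key, dtype))
    return [ds for ds in parent_ds if (ds[0], ds[1], ds[2], ds[3].upper()) not in computed]


# --- constructed sample data (placeholders, not real keys) ---
OWNER = "example.com."
# KSK (flags 257) the previous DNS operator signed with; algorithm 13 = ECDSAP256SHA256
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
# a different KSK, as a new operator would generate after the move
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 0, -1))).decode())


def demo():
    """Three scenarios; returns the number of stale DS records in each."""
    parent_ds = [ds_from_dnskey(OWNER, *OLD_KSK)]  # what the previous operator put in .com
    healthy = stale_ds_records(OWNER, parent_ds, [OLD_KSK])   # DS still matches a served key
    rekeyed = stale_ds_records(OWNER, parent_ds, [NEW_KSK])   # new operator, new key, old DS
    no_dnskey = stale_ds_records(OWNER, parent_ds, [])        # new operator serves no DNSKEY
    return len(healthy), len(rekeyed), len(no_dnskey)


if __name__ == "__main__":
    print("stale DS (healthy, rekeyed, no DNSKEY):", demo())
```

To feed it real data, take the DS set from the parent (`dig +dnssec DS example.com.`, or query a TLD server directly) and the DNSKEY set from the delegated nameservers (`dig DNSKEY example.com. @<nameserver>`); any DS the function returns is one the registrar has to remove from the parent zone, or one for which the DNS operator has to publish the matching DNSKEY, before validating resolvers will answer for the domain again.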

Ah yes, there can be time limits when it comes to transferring the domain.

But as said, it's also fine to stay with Hetzner if you don't mind not having DNSSEC.

Yes, this is probably the case. It would probably be OVH's responsibility to remove the DS RR if all the DNSSEC stuff was also managed by them at the domain level.

2 Likes

Unfortunately, all DNS zones at OVH were automatically deleted after the domain transfer, so there is no possibility to change the DNS servers to another provider. The "DNSSEC" switch at OVH is still active. I have checked this with an API query at Hetzner. There is no DS RR entry there. This can no longer be checked at OVH because, as I said, all zones have already been deleted. However, the feature is still set for whois queries. Presumably because it was not switched off before the domain transfer. Unfortunately, OVH did not point this out beforehand...
