Fatal error: DNSKEY 2371 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 60191, DigestType 2, Digest MH3BkRknNfXfdv42T29sHxixCMQ4NTFadORQ1k5BBqE=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
So now it has a DNSKEY that doesn't match the DNS RR. What?
And an origin connection timeout (522) from Cloudflare.
Cloudflare uses one set of keys for almost all domains. (It's safe, but makes onboarding or offboarding more difficult.) Assuming my connection to the DNS servers is not being MITMed, the DNSKEY record set for 12bfree.com is using those keys:
Cloudflare's typical KSK -- with key tag 2371 -- does not match your DS record, which uses some key with key tag 60191. Are you sure you copied the right information from the right place?
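A quick way to check the mismatch described above is to derive the key tag and DS digest from the DNSKEY yourself (RFC 4034 rules) and compare them with the DS the registrar publishes. This is an added example, not code from the thread or from Cloudflare; the DNSKEY it feeds in is a constructed placeholder, not Cloudflare's real key.

```python
"""Check whether a DS record in the parent zone really corresponds to a
DNSKEY served by the child zone (RFC 4034 key tag and DS digest rules)."""
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name | DNSKEY RDATA), hex, upper-case."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def ds_matches(owner, dnskey, ds):
    """dnskey = (flags, protocol, algorithm, pubkey_b64); ds = (tag, alg, dtype, digest)."""
    rdata = dnskey_rdata(*dnskey)
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False  # unknown digest type: cannot validate, treat as no match
    return (tag == key_tag(rdata) and alg == dnskey[2]
            and digest.upper() == ds_digest(owner, rdata, dtype))

# Constructed sample key (NOT Cloudflare's real key): a 64-byte placeholder for a P-256 point.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = (257, 3, 13, SAMPLE_KEY)  # KSK flags, protocol 3, ECDSAP256SHA256

if __name__ == "__main__":
    rdata = dnskey_rdata(*SAMPLE_DNSKEY)
    print("key tag:", key_tag(rdata))
    print("DS:", key_tag(rdata), 13, 2, ds_digest("12bfree.com.", rdata))
    # A DS carrying a key tag the child zone does not serve (as in this thread) never matches.
    print(ds_matches("12bfree.com.", SAMPLE_DNSKEY, (60191, 13, 2, ds_digest("12bfree.com.", rdata))))
```

Paste the real DNSKEY fields from `dig DNSKEY 12bfree.com` in place of the sample tuple and the DS fields from `whois`/`dig DS` to see which of key tag, algorithm, digest type or digest disagrees.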
The Cloudflare API displays the DS record data as follows: 12bfree.com. 3600 IN DS 2371 13 2 74CC8C90823F931CAFA9B150AD34C241523F152054D19431390F1B342D877D37
and meanwhile also delivers "Success! 12bfree.com is protected with DNSSEC."
But when I go check with Jürgen Auer's proposed website
I get the error "destination DNSKEY doesn't exist or doesn't validate".
"whois 12bfree.com | grep 'DNSSEC'" does retrieve the DS data I gave to my registrar.
(Sorry about using the example data above. Did not mean to confuse anybody, guess I was unintentionally overly cautious)
Hm. I can't think of where to look for the error. Could you be more specific, please? - When the DS entry I see at my Cloudflare account matches the result I get doing a whois with a grep on "DNSKEY", I don't really know where to start tackling the problem...
There is, however, a persisting problem when I renew the certificate. When the process arrives at the subdomain entry it returns "Getting webroot for domain='*.12bfree.com'" --> "invalid domain"
BTW: I can dig lime.12bfree.com alright, which returns an IP from the Cloudflare realm. Any idea on that?
Sounds like the installer can't find a matching ServerName/Server_Name for "*.12bfree.com"
And I also see CloudFlare in use - not sure if that presents an obstacle in your quest.
Just rechecked the domain using your site checker.
Everything's fine, except for point 12 "TXT Entries", where it says "perhaps wrong" for "_acme-challenge.12bfree.com.12bfree.com" and "_acme-challenge.www.12bfree.com.12bfree.com"
Could you comment on this, plz?
I agree it's a "curious name server answer" because "12bfree.com" exists as an "A" record in DNS. "www" and various subdomains are CNAME entries. Nothing wrong with that, right?
If I'm not mistaken a TXT record is for additional ownership validation. Do I really need that for a certificate update? The way I understand it DNSSEC identifies ownership reliably. Why then a TXT record?
Again: Do you recommend adding a TXT entry then?
You are understanding something completely wrong. A TXT record is a TXT record, nothing else. It may be used as an ownership validation, it may be used as a joke or a simple test: "This is a small txt text entry".
So your question
???
Looks like you mix things that are completely different.
If you want to create a certificate, you may use dns validation. So read
But then a txt entry with the domain name 12bfree.com isn't relevant, because _acme-challenge as first part is required.