Praxismittiefgang.ch is not resolvable with a resolver that validates DNSSEC

pascalmorgenthaler · March 11, 2024, 3:05pm

Hey guys, I have this following error message:

praxismittiefgang.ch is not resolvable with a resolver that validates DNSSEC

I already contacted my domain registrar GoDaddy and they removed the DNSSEC stuff from the domain 24 hours ago. How long should I wait and will it work? Or GoDaddy’s Support told me I should ask you that you can check on your end why it doesn’t work and if GoDaddy has to do anything else to the Domain?

dig · March 11, 2024, 8:39pm

DNSSEC is still active on the domain according to .ch whois. It appears the name servers are currently set to those of Netlify. You’ll need to configure the default GoDaddy name servers in order to disable DNSSEC. Once it is disabled you can then add the name to Netlify DNS.

As Netlify doesn’t support DNSSEC at any level unfortunately (see feature request opened in 2019 and this topic) the other option is to use external DNS configuration so you can continue to use DNSSEC.

pascalmorgenthaler · March 12, 2024, 8:46am

Hey, thank you so much already!

So, a GoDaddy Support guy did that for me on sunday 12 pm GTM +1. We set the nameservers to GoDaddy Default and he removed DNSSEC and told me I can check the name servers back to the netlify servers in one hour, which I did then. This is now almost 48 hours ago. Do I have to do that again and wait until the DNSSEC is removed before changing the name servers back to netlify or can it still happen now within 72 hours?

dig · March 12, 2024, 9:13am

Yes. Until DNSSEC is disabled you cannot make any changes.

pascalmorgenthaler · March 12, 2024, 9:16am

pefect thank you so much!

And you said in the whois check I can see if it is enabled? Where would I find that?

dig · March 12, 2024, 9:17am

I provided the link for the whois above.

pascalmorgenthaler · March 12, 2024, 9:36am

the guy from godaddy writes me that…

dig · March 12, 2024, 11:05am

Everything appears broken. There are no name servers that I can see. Using DNSViz I can see DNSSEC and there are errors and warnings.

There is also mention of multi Netlify name server configurations:

dns?.p07.nsone.net; and
dns?.p09.nsone.net

One of these is possibly correct, or neither.

If you haven’t, set the name servers for praxismittiefgang.ch back to the GoDaddy default and remove the domain from Netlify DNS (on your team’s Domains page). When you can reliably determine that DNSSEC is disabled start the process of delegating the domain to Netlify again.

Alternatively (as I previously mentioned) leave the domain configured with GoDaddy’s name servers and use external DNS configuration to use the domain on Netlify as this option does not require changing name servers and enables the use of DNSSEC.

Output from DNSViz below or follow the link above to check yourself

pascalmorgenthaler · March 12, 2024, 5:18pm

So now the site is live but has no certificate. How can I fix that?

pascalmorgenthaler · March 12, 2024, 5:18pm

It first shows that it works but then when clicking on provision it gives the above error.

dig · March 12, 2024, 8:14pm

praxismittiefgang.ch works with SSL.

The www subdomain doesn’t work as you haven’t configured the appropriate DNS record

pascalmorgenthaler · March 13, 2024, 12:55pm

But would do I have to do? in GoDaddy I can only change the DNS for praxismittiefgang.ch

hrishikesh · March 13, 2024, 2:18pm

@pascalmorgenthaler, this now appears to be resolved.