Free SSL certificate error

Website URL

mlon.nl

Error Message

SSL certificate error: The provider encountered an error verifying the DNS settings of your domain name. Please verify your DNS settings and try again later.
Error detail: DNS problem: looking up TXT for _acme-challenge.mlon.nl: DNSSEC: DNSKEY Missing: validation failure <_acme-challenge.mlon.nl. TXT IN>: No DNSKEY record from 198.251.86.153 for key mlon.nl. while building chain of trust

Other Information

Hello there!

Both LetsEncrypt and GoogleTrust give me an error message when I try to generate an SSL certificate for my website. I have set the correct servernames and CNAME and DNS Records are checked ok.

What is causing this and what can be done to fix it?

LetsEncrypt error : SSL certificate error: The provider encountered an error verifying the DNS settings of your domain name. Please verify your DNS settings and try again later.
Error detail: DNS problem: looking up TXT for _acme-challenge.mlon.nl: DNSSEC: DNSKEY Missing: validation failure <_acme-challenge.mlon.nl. TXT IN>: No DNSKEY record from 198.251.86.153 for key mlon.nl. while building chain of trust

GoogleTrust error : SSL certificate error: The provider encountered an error verifying the DNS settings of your domain name. Please verify your DNS settings and try again later.
Error detail: Error while resolving DNS TXT records for _acme-challenge.mlon.nl.: SERVFAIL

Thanks!

Regards,

mlon

Free hosting doesn’t support DNSSEC. Please disable DNSSEC at your domain registrar.

6 Likes

This.

DNSSEC is enabled for your domain name. However:

  • It doesn’t have the correct keys for our nameservers.
  • Our nameservers don’t do DNSSEC, so we don’t have keys to give you.

The consequence is that anyone whose network validates DNSSEC will not be able to access your domain name. And all SSL certificate providers check DNSSEC.

6 Likes
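The failure described in the reply above, as an added example that is not part of the original thread: a classifier that compares the DS records at the parent zone with the DNSKEY records the domain's nameservers serve, using the RFC 4034 Appendix B key tag. The zone `example.test`, both keys, the DS digest and all function names are constructed for illustration; the record lines follow the answer format printed by `dig`.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_tags(lines):
    """Key tags named by the parent: '<owner> <ttl> IN DS <tag> <alg> <type> <digest>'."""
    fields = (line.split() for line in lines)
    return {int(f[4]) for f in fields if len(f) >= 8 and f[3] == "DS"}

def dnskey_tags(lines):
    """Key tags of served keys: '<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <key>'."""
    fields = (line.split() for line in lines)
    return {key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))
            for f in fields if len(f) >= 8 and f[3] == "DNSKEY"}

def classify(ds_lines, dnskey_lines):
    ds, keys = ds_tags(ds_lines), dnskey_tags(dnskey_lines)
    if not ds:
        return "insecure"           # no DS at the parent: zone is unsigned, lookups resolve
    if not keys:
        return "bogus-no-dnskey"    # DS published, nameservers serve no DNSKEY: SERVFAIL
    if not ds & keys:
        return "bogus-ds-mismatch"  # DS points at a key these nameservers do not serve
    return "keytag-match"           # necessary, not sufficient: digest and RRSIGs still apply

# Constructed sample records (example.test and both keys are made up).
KEY_A = base64.b64encode(bytes(range(64))).decode()
KEY_B = base64.b64encode(bytes(range(1, 65))).decode()
PARENT_DS = [f"example.test. 3600 IN DS {key_tag(257, 3, 13, KEY_A)} 13 2 {'AB' * 32}"]
CHILD_SIGNED = [f"example.test. 3600 IN DNSKEY 257 3 13 {KEY_A}"]
CHILD_OTHER = [f"example.test. 3600 IN DNSKEY 257 3 13 {KEY_B}"]

if __name__ == "__main__":
    print("DS at registrar, host without DNSSEC:", classify(PARENT_DS, []))
    print("DS removed at registrar:             ", classify([], []))
    print("DS left over from another DNS host:  ", classify(PARENT_DS, CHILD_OTHER))
    print("DS matches served key:               ", classify(PARENT_DS, CHILD_SIGNED))
```

The `bogus-no-dnskey` result corresponds to the "No DNSKEY record ... while building chain of trust" error in the first post; the `insecure` result is the state after DNSSEC is disabled at the registrar.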

Hey, thanks for the reply and info.

I was not aware of this.

Since I cannot disable the DNSSEC and I think I don’t even want to, I will remove my Infinity free account.

Sorry for the trouble.

Regards,

mlon

I’ve yet to see the first domain registrar that doesn’t let you disable DNSSEC. Every domain provider I know supports this. Many DNS hosting providers do not support DNSSEC, and setting it up correctly can be troublesome, so the majority of domains do not have it.

If you were able to access your website without SSL before, it means that your computer’s DNS settings do not check for DNSSEC. Which is also what limits the usefulness of DNSSEC: most devices don’t check it at all.

Since you say you think you don’t want to disable it, I’m going to hazard a guess and say you don’t even know what DNSSEC is or what it’s for. So let me tell you: you really don’t need it.

If you don’t want to use our hosting because it really doesn’t meet your needs, then that’s all fine. But not using our hosting due to a setting you don’t understand and you cannot find the button in your registrar’s panel to disable it seems like a really silly reason to not use a hosting provider.

4 Likes

Hey and thanks again for the info and help! 🙂

I would be lying if I said I understood DNSSEC 100%, but I do know it is an extra security layer that prevents spoofing etc.

The only thing I am able to change at my domain registrar is the option to change nameservers and that’s it. No control panel with other options whatsoever, so to call me out is a bit presumptuous and well.. silly! 🙂

That said, I will try to contact my domain registrar and see if they can change it and if not I will change registrars so to have more options which was planned anyway.

Cheers,

mlon

According to Whois information, your registrar is Realtime Register. And according to their knowledge base, there is a way to disable DNSSEC for your domain, and doing so is apparently required to switch from their premium DNS to their basic DNS.

4 Likes

The fact is that not having any DNSSEC related options makes it effectively impossible to change the nameservers of your domain.

Even if we did support DNSSEC, you would still have to set up our DNSSEC keys at your domain registrar to ensure that our nameservers are authorized on your domain.

Then there is the problem of a domain name with DNSSEC typically only allowing one set of nameservers to be authorized. This can be a problem while switching nameservers, as you want to temporarily allow the old and new nameservers to work at the same time due to DNS caching/propagation. This is generally not possible, so it’s common to temporarily disable DNSSEC while switching nameservers to avoid downtime.

All in all, enabling DNSSEC but not having any configuration options to configure DNSSEC would be a major problem at your domain registrar that severely limits you in what you can do with your domain name.


And you should also know: even if you can’t (or just don’t want to) use our nameservers, you can still use our hosting. Instead of changing your nameservers, you can also verify your domain name by adding a CNAME record to your current nameservers:

And after your domain name has been added, you can configure the necessary DNS records at your current nameservers to host the website with us:

6 Likes

Hey again!

I have reverted to the old existing nameservers and set up mlon.nl with CNAME as you described above.

This works but my site is still not secure.

Do I still need to disable DNSSEC for this? Which I am unable to do.

Ah no, I understand now.

So now trying to get free SSL certificate! 🙂
