DNS not resolving only for a handful of people - after 10 days and even via Google DNS

Solution 1:

Checked the DNSSEC settings between Google and Cloudflare are consistent

They are not. The delegation you submitted through Google specified an RSA key (algorithm 5), but the actual zone at Cloudflare is using an ECDSA P-256 key (algorithm 13).

You can see the DNSSEC validation status at DNSViz: original scan, latest scan.

Algorithm mismatch makes signatures impossible to verify, so people using validating resolvers will get a SERVFAIL error while non-validating resolvers have no issues with the domain. The Google public resolver (8.8.8.8) is a validating one.

To fix this, change the DNSSEC settings at Google to specify ECDSA P-256 (13) as the algorithm. You may need to wait up to 24 hours for the old DS records to expire from caches. (DNSViz will bypass caching and will see the changes sooner, but you have to click "Update now" to refresh the diagram.)


(The shown key size of 512 bits is normal for an EC P-256 key.)
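To make the algorithm-mismatch argument above concrete, here is an added example (not code from the answer or from Google/Cloudflare) that re-implements the DS/DNSKEY linkage check a validating resolver performs, using only the Python standard library: RFC 4034 key tags and DS digests computed from a DNSKEY, then compared against what the parent publishes. The zone name `example.com`, the 64-byte public key and the stale algorithm-5 DS are constructed placeholders; the code only hashes the key and never verifies signatures, so it does not need a real curve point.

```python
"""Check that the DS records at the parent (what you enter at the registrar)
actually point at the DNSKEY set served by the child zone (RFC 4034).
All sample data below is constructed for illustration."""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, uncompressed (RFC 4034 s6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def dnskey_from_presentation(text: str):
    """Parse DNSKEY RDATA as dig prints it: 'flags proto alg base64...'."""
    flags, proto, alg, *b64 = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS a parent should publish for this DNSKEY (RFC 4034 s5.1.4):
    digest = hash(owner name wire | DNSKEY RDATA). Type 1=SHA-1, 2=SHA-256, 4=SHA-384."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],          # byte 3 of the RDATA is the algorithm number
        "digest_type": digest_type,
        "digest": h(name_to_wire(owner) + rdata).hexdigest().upper(),
    }


def check_delegation(owner: str, dnskeys: list, ds_records: list):
    """Emulate the DS -> DNSKEY step of a validating resolver.
    dnskeys: (flags, protocol, algorithm, pubkey) tuples from the child zone.
    ds_records: dicts with key_tag/algorithm/digest_type/digest from the parent.
    Returns (status, findings): 'secure' if at least one DS authenticates a DNSKEY,
    'bogus' if DS exist but none match (validators answer SERVFAIL), or
    'insecure' if the parent has no DS at all (zone treated as unsigned, no error)."""
    if not ds_records:
        return "insecure", ["no DS at parent: zone treated as unsigned"]
    child_algs = {k[2] for k in dnskeys}
    findings, usable = [], False
    for ds in ds_records:
        label = f"DS tag {ds['key_tag']} alg {ds['algorithm']}"
        if ds["algorithm"] not in child_algs:
            findings.append(f"{label}: no DNSKEY uses this algorithm (algorithm mismatch)")
            continue
        hit = False
        for flags, proto, alg, pub in dnskeys:
            rdata = dnskey_rdata(flags, proto, alg, pub)
            if alg != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
                continue
            if make_ds(owner, rdata, ds["digest_type"])["digest"] == ds["digest"].upper():
                hit = True
                break
        usable |= hit
        findings.append(f"{label}: {'matches a DNSKEY' if hit else 'key tag/digest matches no DNSKEY'}")
    return ("secure" if usable else "bogus"), findings


# --- constructed sample data -------------------------------------------------
ZONE = "example.com."
# Placeholder 64-byte "public key" (x||y of a P-256 point); not a valid point,
# which is fine because nothing here verifies a signature.
P256_PUBKEY = bytes(range(64))
# The DNSKEY line as dig would show it for a Cloudflare-style algorithm-13 KSK.
CHILD_DNSKEYS = [dnskey_from_presentation("257 3 13 " + base64.b64encode(P256_PUBKEY).decode())]
# What the registrar was given: an RSA (algorithm 5) DS that points at nothing.
STALE_DS = [{"key_tag": 12345, "algorithm": 5, "digest_type": 2, "digest": "00" * 32}]
# What it should be: computed straight from the live DNSKEY.
CORRECT_DS = [make_ds(ZONE, dnskey_rdata(*CHILD_DNSKEYS[0]))]

if __name__ == "__main__":
    for name, ds in (("stale", STALE_DS), ("correct", CORRECT_DS)):
        status, notes = check_delegation(ZONE, CHILD_DNSKEYS, ds)
        print(f"{name} delegation: {status}")
        for n in notes:
            print("  -", n)
    print("DS to enter at the registrar:", CORRECT_DS[0])
```

To feed it real data, take the parent's view with `dig +short DS <zone> @8.8.8.8` and the child's with `dig +short DNSKEY <zone> @<one of the zone's nameservers>`; the DNSKEY RDATA goes through `dnskey_from_presentation` as-is. The SERVFAIL described in the answer can also be confirmed directly: `dig @8.8.8.8 <zone> A` fails while `dig @8.8.8.8 <zone> A +cd` (checking disabled) returns the records, which is the signature of a DNSSEC validation failure rather than a broken zone. Note that the check only covers the DS-to-DNSKEY link; a full validator additionally verifies the RRSIG over the DNSKEY RRset with the matched key.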