Started with desec yesterday, my domain is still not queryable

Hey all,

i have my .de domain at netcup.
i changed to own nameserver to the ns1 and ns2 from desec with the ipv4 + ipv6 addresses.
i also applied the dnssec information.

erverything looked good and yes, the infotext said it may took 48h to complete the change worldwide, but in my experience mostly after a few minutes all is done.

when i now dig my domain @ google i get a SERVFAIL and with cloudflare @ it says No reachable authority, at delegation and rcode=REFUSED

am i only impatiend? and the process is still not finished?
or can someone hint me what went wrong or in what direction i have to look for a solution ?

Thanks in advance.

Hi Jorval,

welcome to deSEC! Without your domain name, it is difficult to say what’s wrong. One thing you could try is to use “+cd” with dig. This disables the DNSSEC check. If it is working with “+cd”, something could be wrong with the DS records. If not, something could be wrong with the NS records.

Another thing you could try is to use DNSSEC Analyzer or DNSViz to see what’s wrong.

Lastly, if you do not want to post your domain name here in public, you can contact and ask there for help.


Hey Nils, thanks for the fast reply.
sorry for my late answer, my family and me catched a flu over the weekend.

the domain is

DNSSEC Analyzer was helpful:

Reading through the forum it seems DS entries are not something in the de zone at all ?
in the netcup form there was only a DNSSEC field. that i have filled correctly and the shown data matches the key in my desec account.

so i have to admit that DNSSEC is new terrain for me. any help or hint what i have doen wrong is highly appreciated.
otherwise i have to rollback to the nameservice from netcup. but i hoped i could make use of desec api to issue internal hosts via LE dns challenge.

thanks in advance and sorry again for the late reply.

Hi Jorval,

Indeed, the nameserver in the delegation of are NetCup nameservers. That means that the domain is currently delegated to NetCup, not to deSEC. No DNS queries arrive at deSEC.

Before you can secure your domain our DNSSEC features, you first have to changed the nameservers to and

Stay secure,

1 Like

Hey Peter,

thanks for the fast reply.
ok, means i was a bit to fast last week? adding the nameservers AND the DNSSEC entry?
btw i found that i mismatched the algo with the protocol in the DNSSEC. There is no protocol field in the netcup form.

i deleted the DNSSEC entry now and also saved the DNS Server delegation again so hopefully they are now delegated.

Thanks again.

I don’t know what you did, but the way it looked is that you did not set the deSEC nameservers for your domain at all.

In principle, that can be done at the same time as setting the DS records. My point was that you can’t configure DNSSEC before setting the nameservers. It’s better to not set NS and DS at the same time, because old NS records may be cached in DNS resolvers. DS records should only be added once caches have expired after changing NS records.

Stay secure,

i set the nameservers and with ipv4 and ipv6 addresses.
maybe i havent clicked save but iam sure there was the same green text hintbox that tells me it could take 48h before the world knows about the servers.

but, i dont mind if i did something wrong :wink: now it seems that the nameservers are delegated, i get a SOA from desec and the nameresolution is working again.

what puzzles me now is DNSSEC analyzer shows everything green (without the DS records, netcup has no form entries.) but i havent entered and activated the DNSSEC again!
Why is DNSSEC Analyzer showing green ?

again treat me as a noob in case of DNSSEC!

It’s not entirely green:


The line with the red cross means that you have not set up the DS records, so there is no chain of trust configured for your domain.

(Other green checkmarks mean that all aspects are ok. For example, we generated RRSIG signatures on your DNS records, and those are recognized here. But if DS is missing, clients can’t validate the signatures.)

Stay secure,

so now everything is green.
I’ve read that the DS entries are calculated from the DNSSEC key i provided netcup.
for me it’s fine and Thank you once again for your support.

i think my mistake was
a) eventually not saving the nameservers.
b) i was to fast for netcup with the DNSSEC
c) i found that i mismtched protocol and algo in the netcup form.

Thanks again.